The U.S. Equal Employment Opportunity Commission

BREACH NOTIFICATION POLICY

Safeguarding personally identifiable information (PII)[1] in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. Following the guidance outlined in the Office of Management and Budget (OMB) Memorandum M-07-16, the U.S. Equal Employment Opportunity Commission (EEOC) has developed this Breach Notification Policy to minimize risk and ensure prompt and appropriate action is taken should such a breach occur. For purposes of this Policy, the term “breach” includes the loss of control, compromise, unauthorized disclosure, or unauthorized access or potential access to personally identifiable information, whether in physical (paper) or electronic form.

I. BACKGROUND - SAFEGUARDING AGAINST THE BREACH OF PII

It is the responsibility of all EEOC system users to help ensure the security and integrity of the information contained in the Commission’s automated and manual records systems. OMB Circular A-130, the Privacy Act of 1974, and the Federal Information Security Management Act of 2002 all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, contingent workers, or other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for the purpose of safeguarding such information. EEOC Order 240.005, Attachment A, Information Security Responsibilities for EEOC System Users, outlines these critical responsibilities.

In response to OMB Memorandum M-06-16, EEOC developed Policy for Personally Identifiable Data Extracts Removed from EEOC Premises. This policy outlines protective measures that must be followed if extracts containing PII are removed from the EEOC premises.

In addition, EEOC has implemented strong technical controls to ensure the security and confidentiality of records and to protect against threats to their security and integrity. This includes system categorization against Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; implementation of security controls as referenced in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems; certification and accreditation of information systems; user acknowledgement of system Rules of Behavior; and conduct of annual security awareness training which includes an overview of privacy and security responsibilities.

To further reduce risk, EEOC has been very proactive in eliminating the use and storage of social security numbers (SSN) in its automated information systems. To better protect the privacy of individuals seeking services from the EEOC, in October 2006 the agency removed the SSNs of individuals who file charges of employment discrimination from its automated information systems. This removal included SSN data maintained within the Integrated Mission System, the EEOC Assessment System, and the legacy Charge Data System. EEOC has inventoried all automated information systems containing PII, and the only SSN data that continues to be maintained relates to EEOC personnel. Efforts to decrease storage and output of non-essential employee PII are underway.

II. REVIEW OF COMPLIANCE

Annually, the EEOC Office of Information Technology and the Office of Legal Counsel will review the current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely and complete and reduce them to the minimum necessary for the proper performance of the agency function. This review will occur no later than July 31 of each year, for incorporation into the annual report under the Federal Information Security Management Act.

III. BREACH INCIDENT HANDLING AND REPORTING REQUIREMENTS

When faced with a security incident, EEOC must be able to respond in a manner that protects both its own information and the information of others who might be affected by the incident. EEOC’s Incident Response Plan outlines roles and responsibilities, threats, prevention and responses, procedures, recovery, and reporting requirements. This Breach Notification Policy augments EEOC’s Incident Response Plan with respect to the breach or suspected loss of PII.

A. INCIDENT NOTIFICATION

Per OMB M-06-19, EEOC must report all incidents involving PII (in either electronic or physical form) to the United States Computer Emergency Readiness Team (US-CERT). This reporting must be done within one hour of discovering the incident, regardless of whether the incident has been confirmed as an actual breach.

B. PII INCIDENT RESPONSE CORE MANAGEMENT GROUP

The Chief Information Officer (CIO) or the Senior Agency Official for Privacy (SAOP) will immediately notify the EEOC PII Incident Response Core Management Group of the incident. The Core Management Group is comprised of the Chief Operating Officer, CIO, SAOP, Inspector General (IG), Deputy General Counsel, Chief Financial Officer, Director of the Office of Communications and Legislative Affairs, and the senior Program Manager of the program experiencing the breach. Other management officials may be included in the notification, as deemed necessary.

If it is determined that the incident could pose a risk of identity theft or other harm to affected individuals, the Core Management Group will review possible actions and implement a response action plan, to include coverage, implementation and notification.

C. NOTICE TO THOSE AFFECTED

After identifying the level of risk and bearing in mind the steps taken to limit that risk, the Core Management Group will make a determination regarding notice to parties put at risk by the breach. This determination of notice will be made following OMB’s Identity Theft Related Data Security Breach Notification Guidance[2] and OMB M-07-16, Attachment 3, External Breach Notification[3].

D. ADDITIONAL ACTIONS

The EEOC Core Management Group will develop an incident/breach risk matrix to be used by the Agency for its analysis. This matrix will provide a qualitative method of determining incident/breach levels, and appropriate notification standards. Once developed and approved, this matrix will be included as an attachment to this Breach Notification Policy.


Footnotes

[1] Per OMB M-07-16, the term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

[2] http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf

[3] http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf


This page was last modified on September 25, 2007.