The Office of Management and Budget (OMB) issued a memo (PDF) to the Federal Government in an attempt to safeguard against breaches of personally identifiable information, requiring Federal Agencies to review their use of Social Security numbers. They have 120 days to come up with a plan to eliminate unnecessary collection of them and to participate in government-wide efforts to find alternate ways of identifying you.
Literally billions of records of personal information are collected by the government for a wide variety of reasons (Medicare, taxes, loans…the list goes on and on). The memo reminded agencies that they have a legal obligation under the Privacy Act of 1974 and the 2004 Federal Information Security Management Act (PDF) to protect personal data.
As well as setting a deadline for the agencies, the OMB is directing agencies to develop and implement notification policies suited to the potential risks caused by breaches of personal information, and to take steps to protect federal information on laptops and other mobile devices.
“Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public,” Clay Johnson, Deputy Director for Management wrote in the memo. “This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies’ Inspectors General and other law enforcement, and public and legislative affairs.”
The memo recognizes that preventing breaches from happening in the first place is better than responding to breaches after they occur. Several important principles are recommended, including that the Federal government shouldn’t collect or maintain personally identifiable information when it isn’t necessary. Consequently, agencies are required to reduce the volume of personally identifiable information they hold to the necessary minimum, which includes establishing and implementing plans to eliminate the use of Social Security numbers.
Another important principle of the memo is job-specific training. The risk-based approach to security requires that Federal employees receive training on their respective responsibilities for safeguarding personally identifiable information, and on the consequences and accountability for violating those responsibilities.
The memo suggests that consequences should be commensurate with the level of responsibility and the type of personally identifiable information involved. It also reminds supervisors that they’re responsible for supervising their employees and making sure they’re trained to safeguard personally identifiable information, and recommends that agencies develop and implement policies accordingly.
The quote below is from a Washington Post article:
“The OMB needs to do a much better job of enforcing the Privacy Act across the federal government than it has done so far. People are tired of reading about security breaches and being told to sign up for credit monitoring services. If the federal government can’t protect the information, then it shouldn’t collect it,” said Marc Rotenberg, executive director at the Electronic Privacy Information Center. I agree.