The U.S. administration may be turning over this month, but the Office of Management and Budget is churning out policies even while the boxes are being stuffed with Bubble Wrap. OMB released both a guidance on how government agencies must prepare for and respond to data breaches, as well as how to comply with the Privacy Act in these modern times.

The breach guidance, issued just under the wire before the Trump administration officially moves into town January 20 and OMB Senior Policy Advisor Marc Groman, CIPP/US, a political appointee, leaves office, is the product of a year's work and rescinds the breach guidance initially issued in 2007 following the breach at the Department of Veterans Affairs. 

Groman told The Privacy Advisor the guidance is especially important for federal agencies because the threat landscape has changed rapidly and significantly since the last guidance was issued a decade ago, as has the kind of personally identifiable information agencies collect. That changes both the breach risk and the appropriate response. 

"The types of identity theft and the ways a malicious actor can exploit stolen or compromised PII has evolved." — Marc Groman, U.S. Office of Management and Budget

"The types of identity theft and the ways a malicious actor can exploit stolen or compromised PII has evolved," Groman said. "So a lot of what we did is to update the memo to make sure it's accurate and current and helps agencies be able to implement it and respond efficiently and effectively." 

The framework for breach response, officially called M-17-12, takes a risk-based approach on "assessing and mitigating the risk of harm to individuals potentially affected by a breach" and then delivers on whether notification to those individuals is required or necessary. It aims to give agencies consistency in their responses. But, Groman notes, it's flexible. And that's key 

"Our hope is that the level of detail in the framework will provide for more consistent responses for agencies," he said, "but it's important to highlight every breach is different and very context-specific, and therefore the memo must allow for flexibility." 

Federal agencies have 180 days to implement the changes reflected in the new breach guidance. 

OMB also issued guidance on how agencies implement certain aspects of the Privacy Act of 1974. Known as Circular A-108, which was last issued in 2000, Groman said the updated guidance reflects current technology and the evolution of how agencies are implementing certain aspects of the Privacy Act. 

It addresses how agencies review, report and publish system of records notices; outlines how they do Privacy Act compliance reviews; and promotes "agency collaboration through interagency review of government-wide systems of records notices."

Again, Groman said, the idea is consistency and efficiency. 

"Both of these documents at their core are about good governance and having more effective and efficient government." — Marc Groman, OMB

"Both of these documents at their core are about good governance and having more effective and efficient government, able to provide better and faster services to the American people," Groman said. "They're both about trust and transparency." 

Asked whether he's worried a new administration might put a dent on progress made, Groman said the election had no impact on the documents in their drafting or timing and comprise "truly nonpartisan values. I don't have any concerns about these particular documents," he said. 

Photo credit: HarshLight via photopin cc