M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information

This Office of Management and Budget memorandum, released in January 2017, sets forth the policy for federal agencies to prepare for and respond to a breach of personally identifiable information. It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. This memorandum is intended to promote consistency in the way agencies prepare for and respond to a breach by requiring common standards and processes. While promoting consistency, this memorandum also provides agencies with the flexibility to tailor their response to a breach based upon the specific facts and circumstances of each breach and the analysis of the risk of harm to potentially affected individuals.