The Government: Both a Problem and a Solution on Security Breaches
As private entities in virtually all industries have faced private data security breach challenges, we also are seeing the parallel rise of security breaches involving government entities. These recent breaches, led by the enormous publicity surrounding the Veterans' Administration loss/theft of a laptop containing the personal information of more than 26 million veterans, have focused attention on the government as both the collector of enormous amounts of personal information and the source of many security problems. With this new attention, the government needs to redouble its efforts to improve overall security and focus leadership attention on developing best practices that can both protect against government breaches and provide useful information to private sector entities facing the same challenges.
The Government's Track Record
Part of the attention focused on the government's security problems has been driven by recent studies, primarily an ongoing series from the Government Accountability Office ('GAO'), describing significant weaknesses in information security controls at a variety of federal agencies. In one report, 'Information Security: Department of Health and Human Services Needs to Fully Implement its Program,' GAO-06-267 (Feb. 24, 2006), available at www.gao.gov/new.items/d06267.pdf, the GAO indicated that medical and financial information maintained by the Department of Health and Human Services ('HHS') is vulnerable to various attacks because of 'significant weaknesses in electronic access controls and other information system controls' within HHS. HHS is the primary enforcement agency for the various HIPAA rules, including the privacy and security rules. This was followed by a more recent report, issued in August 2006, finding significant shortfalls in how the Centers for Medicare and Medicaid Services ('CMS'), both the Medicare agency and the specific arm of HHS tasked with HIPAA Security Rule enforcement, protects sensitive information of Medicare patients. See 'Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network,' GAO-06-750 (August 2006), available at www.gao.gov/new.items/d06750.pdf. The GAO summary highlights the array of weaknesses:
Although CMS had many key information security controls in place (which had been designed to safeguard the communication network), some were missing, and existing ones had not always been effectively implemented. Significant weaknesses in electronic access and other system controls threatened the confidentiality and availability of sensitive CMS financial and medical information when it was transmitted across the network. CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive computing resources and devices used to support the communication network. GAO discovered numerous vulnerabilities in several areas: user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and monitoring of security-related events. There were also weaknesses in controls that had been designed to ensure that secure configurations would be implemented on network devices and that incompatible duties would be sufficiently segregated. A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were implemented effectively. As a result, sensitive, personally identifiable medical data traversing the network is vulnerable to unauthorized disclosure and these weaknesses could lead to disruptions in CMS services.
Another GAO report, issued April 3, found that the Securities and Exchange Commission ('SEC') 'has not effectively implemented information security controls to properly protect the confidentiality, integrity and availability of its financial and sensitive information and information systems.' See 'Information Security: Securities and Exchange Commission Needs to Continue to Improve Its Program,' GAO-06-408 (March 31, 2006), available at www.gao.gov/new.items/d06408.pdf. (The SEC has enforcement authority over certain entities under the Gramm-Leach-Bliley Act).
Yet another GAO report, this time addressing the Internal Revenue Service ('IRS'), found that while the IRS had made some progress on certain information security weaknesses that had been identified by the GAO earlier, many recommendations had not been implemented, and the GAO 'identified new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS's financial information systems and the information they process,' including a failure to implement effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. See 'Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service,' GAO-06-328 (March 23, 2006), available at www.gao.gov/new.items/d06328.pdf. Therefore, according to the GAO, '[c]ollectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption. A key reason for IRS's weaknesses in information security controls is that it has not yet fully implemented an information security program ensuring that effective controls are established and maintained. Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.'
Consequently, in recent months, the GAO has criticized the information security practices of highly visible federal agencies with high-profile stores of medical and financial data about tens of millions of individuals. The GAO also issued a report identifying the overall status of government agency information security programs; see 'Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements,' GAO-06-527T (March 16, 2006), available at www.gao.gov/new.items/d06527t.pdf.
Moreover, aside from the failures of individual agencies, the GAO also has reported that agencies lack effective guidelines on their use of individual information that is derived and obtained from various commercial sources, including many of the data brokers that have been the subject of highly publicized security breaches. See 'Personal Information: Agency and Reseller Adherence to Key Privacy Principles,' GAO-06-421 (April 4, 2006), available at www.gao.gov/new.items/d06421.pdf. This includes the privacy practices of the Department of Justice, Department of Homeland Security, the State Department, and the Social Security Administration.
What Has Happened with Personal Information in the Agencies?
These 'policy and procedure' failures are not just abstract. While security breach incidents obviously are happening across many industries, government sectors have certainly not been absent from these incidents. The publicized events involving government agencies also demonstrate the enormous range of agencies, at state, local, and national levels, that maintain information about individuals, often in volumes, the sensitivity of which is not readily apparent.
For example, in recent months, there have been numerous security breaches involving public universities, and lesser-publicized incidents involving, for example, stolen laptops from the Department of Justice, the New York Department of Motor Vehicles, the California Department of Health Services, and the Colorado Health Department. There also have been personal information thefts from the Georgia Department of Motor Vehicles (attributed to a 'dishonest insider'), a significant hacking incident from the Air Force (involving information concerning more than 33,000 individuals), the State of Rhode Island Web site, the Department of Agriculture (where the department inadvertently exposed Social Security and Tax Identification numbers in responding to a FOIA request), and the California Department of Corrections (where prison inmates gained access to files containing employees' Social Security Numbers, birth dates, and pension account information). (For more information on these breaches and a comprehensive list of security breaches over the past year, please see the Privacy Rights Clearinghouse compilation at www.privacyrights.org/ar/ChronDataBreaches.htm.)
In fact, these 'visible' breaches appear to be only the tip of the iceberg. On Oct. 13, 2006, the House Government Reform Committee released a staff report (available at http://reform.house.gov/UploadedFiles/Agency%20Breach%20Summary%20Final%20(3).pdf) detailing the enormous number of security breach incidents from federal agencies since January 2003. The report draws a couple of key conclusions about the government's overall security issues.
According to the report, 'all 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003.' This includes the Department of Defense, the Department of Homeland Security and the Federal Trade Commission.
The report indicates that, in many circumstances, government agencies do not know what information has been lost or how many individuals could be affected by a specific security breach.
As with many of the most visible security breaches in the private sector, the cause of security breaches typically is not a computer hacker (although obviously, there have been situations where a hacker has been involved). Instead, the Committee staff found that the most typical breaches (the 'vast majority') involved physical thefts of data (stolen laptops, etc.) and unauthorized use of data by employees. For example, recent reports have indicated that the Department of Commerce lost 1138 laptops since 2001. The Department of Justice found 400 laptops missing from the offices of the Federal Bureau of Prisons, the Drug Enforcement Administration, the Federal Bureau of Investigation, and the United States Marshals Service. The IRS lost as many as 2300 laptops between 1999 and 2002.
Again, as with the private sector, the government is finding that many of the security breaches involve government contractors.
What Is the Government Doing About Its Security Problems?
The government's response to these security issues has encompassed a variety of points. First, there is a significant legislative push to hold the government accountable, to some degree, for its security problems. Many of the recently enacted state security breach notification statutes obligate state government entities to provide notice of security breaches. There has, of course, been no enforcement history related to government breaches, or potential failures to give notice.
Second, in addition to the continuing debate about federal security breach legislation, there also is a specific notice statute that has been introduced, the Veterans Identity and Credit Security Act of 2006 (H.R. 5835), sponsored by Congressman Steve Buyer of Indiana, which would obligate the Office of Management and Budget to develop appropriate policies for government agencies related to security breach notification. (This legislation recently was amended to cover all government agencies, through a 'link' between this proposal and a similar proposal from Congressman Tom Davis of Virginia, H.R. 6163.)
On a broader level, the Office of Management and Budget ('OMB') has prepared and released various governmentwide security policies that are intended to be implemented rapidly across the federal government. In June, the OMB issued a memorandum (available at www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf) relating to 'Protection of Sensitive Agency Information,' which detailed required security procedures for government agencies. In addition to incorporating the 'Checklist' from the National Institute for Standards and Technology, the memo focused on four specific security requirements, all of which were to be implemented in 45 days. These steps were:
1) Encrypt all data on mobile computers/devices that carry agency data unless the data is specifically designated as 'non-sensitive';
2) Allow remote access only with two-factor authentication, where one factor is provided by a device separate from the computer itself;
3) Use a 'time-out' function for remote access and mobile devices requiring authentication after 30 minutes of inactivity; and
4) Log all computer-readable data extracts from databases holding sensitive information and verify that each extract that includes sensitive data has been erased within 90 days (or that its ongoing use is still required).
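The fourth requirement is the one that needs an ongoing control rather than a one-time configuration change: every extract has to be logged, and the log has to be swept so that sensitive extracts older than 90 days are either confirmed erased or re-certified as still needed. The following is an added example of such a sweep, written for this page; it is not code from the OMB memo or from any agency. The record layout (`ExtractRecord`), the sample log entries and the as-of date are all constructed for illustration, and the treatment of a re-certification as restarting the 90-day clock is an assumption about how the 'ongoing use is still required' exception would be tracked.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Erase-or-recertify window from the OMB memo (90 days).
RETENTION_DAYS = 90


@dataclass
class ExtractRecord:
    """One line of a (hypothetical) extract log.

    An agency's real log would come from the database or export tooling;
    this structure is an assumption made for the example.
    """
    extract_id: str
    extracted_on: date
    sensitive: bool                       # extract includes sensitive data
    erased_on: Optional[date] = None      # date erasure was verified
    recertified_on: Optional[date] = None  # date ongoing use was re-confirmed


def _clock_start(rec: ExtractRecord) -> date:
    # Assumption: a re-certification restarts the 90-day clock; otherwise
    # the clock runs from the extract date.
    return rec.recertified_on or rec.extracted_on


def is_overdue(rec: ExtractRecord, today: date, window: int = RETENTION_DAYS) -> bool:
    """True when a sensitive, unerased extract has gone more than `window` days
    without erasure or re-certification. Day `window` itself is still 'within'."""
    if not rec.sensitive or rec.erased_on is not None:
        return False
    return (today - _clock_start(rec)).days > window


def extract_status(rec: ExtractRecord, today: date, window: int = RETENTION_DAYS) -> str:
    """Human-readable classification of one record for the verification report."""
    if not rec.sensitive:
        return "exempt (non-sensitive)"
    if rec.erased_on is not None:
        return "erased"
    age = (today - _clock_start(rec)).days
    if age > window:
        return f"OVERDUE by {age - window} day(s)"
    return f"ok ({window - age} day(s) left)"


def overdue_extracts(log: List[ExtractRecord], today: date,
                     window: int = RETENTION_DAYS) -> List[str]:
    """IDs of extracts that must be erased or re-certified now, sorted for stable output."""
    return sorted(r.extract_id for r in log if is_overdue(r, today, window))


def verification_report(log: List[ExtractRecord], today: date,
                        window: int = RETENTION_DAYS) -> dict:
    """Map every extract ID to its status as of `today`."""
    return {r.extract_id: extract_status(r, today, window) for r in log}


# Constructed sample log; the dates are chosen to exercise each branch.
AS_OF = date(2006, 10, 16)
SAMPLE_LOG = [
    ExtractRecord("X-001", date(2006, 6, 1), sensitive=True),                          # 137 days, overdue
    ExtractRecord("X-002", date(2006, 6, 1), sensitive=True, erased_on=date(2006, 7, 10)),  # erased
    ExtractRecord("X-003", date(2006, 6, 1), sensitive=True, recertified_on=date(2006, 9, 1)),  # re-certified
    ExtractRecord("X-004", date(2006, 5, 1), sensitive=False),                         # exempt
    ExtractRecord("X-005", date(2006, 7, 18), sensitive=True),                         # exactly 90 days
    ExtractRecord("X-006", date(2006, 7, 17), sensitive=True),                         # 91 days, overdue
]

if __name__ == "__main__":
    for extract_id, status in verification_report(SAMPLE_LOG, AS_OF).items():
        print(f"{extract_id}: {status}")
    print("action required:", overdue_extracts(SAMPLE_LOG, AS_OF))
```

The boundary case matters in practice: an extract exactly 90 days old is still within the window, and a sweep that runs once a day should therefore report it as having zero days left rather than as overdue, so that the owner is prompted before, not after, the deadline passes.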
Subsequently, OMB also issued guidance relating to the reporting of security incidents. The OMB memorandum requires 'agencies to report all incidents involving personally identifiable information to [the federal incident response center] within one hour of discovering the incident.' [emphasis in original]. OMB also has suggested establishment of 'a core management group responsible for responding to the loss of personal information.'
Government Identity Theft Efforts
Following the issuance of these security procedures, the government also has begun to address directly the issue of potential identity theft stemming from breaches involving personal information held by the government. For the last several months, a high-level federal government task force, called the President's Identity Theft Task Force ('Task Force'), has been reviewing issues related to how the federal government can best combat identity theft involving security breaches at government agencies. Co-chaired by the attorney general and the chairman of the Federal Trade Commission, the Task Force recently issued an 'interim' set of recommendations related to an overall national strategy to combat identity theft. While this initial set of recommendations focused on information obtained, used, and disclosed by the federal government, these interim recommendations contain some useful insights for any company worried about identity theft risks and consumer notification issues. (The group's final recommendations are expected this month.) The recommendation document is available at www.ftc.gov/os/2006/09/060916interimrecommend.pdf.
Basic Recommendations
The interim report came forward with the following seven recommendations:
1) OMB should issue specific guidelines to all federal agencies related to the factors that should guide both a decision as to when to notify individuals of a government security breach and when services such as credit monitoring should be offered;
2) OMB and the Department of Homeland Security should issue best practices for data security and privacy programs, and should develop a list of the top 'mistakes to avoid' in protecting private information;
3) The federal government, through the Office of Personnel Management, should review how it uses and collects Social Security Numbers, with an eye toward reducing the collection, use, and disclosure of this information;
4) Agencies should publish a new 'routine use' allowing disclosure of information to individuals in the event of a security breach (a 'routine use' is needed under the Privacy Act that otherwise restricts how the government uses and discloses information);
5) The Task Force should hold hearings focused on developing and promoting improved means of authenticating the identities of individuals;
6) The federal restitution statutes should be amended to allow identity theft victims to recover amounts for time lost trying to remediate the harms of identity theft; and
7) The FTC and the Task Force should develop a 'universal police report' related to identity theft crimes, to facilitate data collection and aggregated information.
Guidance for Dealing with ID Theft
While the following guidance focuses on how the government should act in connection with security breaches involving personal information, there clearly is useful information contained within this report related to how private companies should be acting relative to the sensitive information they manage.
1) Factors for notification
Private companies continue to struggle with how to address the multitude of state laws requiring consumer notification in connection with some security breaches. These laws, with all their consistencies, inconsistencies, and ambiguities, are creating complex challenges for companies in all industries. The Task Force report identifies specific factors that should be considered when evaluating whether notice should be provided. While these factors are not tied directly to the various state laws, they should be a component of what companies review in their notification investigations.
These factors include:
On the whole, given the factors identified above and the 'negatives' described below, notice is appropriate when, 'weighing all the facts available, the risks to consumers caused by the security breach warrant notice when notice would facilitate appropriate remedial action that is likely to be justified, given the risk.' While these factors may not legally be helpful for private companies (given the specific details of some state laws), these factors will be helpful in evaluating the 'should' element of the notification dilemma, and may provide additional support for a decision on notification.
2) The importance of pre-breach planning
The interim report focuses on the importance of planning before a breach happens, including identification of a core breach team. The report identifies, from its 'experience,' the typical members of such a team: the agency CIO, chief legal officer, chief privacy officer, a senior management official, and an Inspector General representative. Private companies should emulate this approach and ensure that a core team is involved for the immediate 'triage' needed for a significant security breach.
3) Reducing risk after exposure
The report also identifies specific mitigation steps that can be taken to reduce actual risk from identity theft, as well as harm if identity theft occurs. These involve contacting relevant financial institutions, encouraging individuals to monitor account statements and credit reports, identifying fraud alert and credit freeze possibilities (as well as potential harms from these steps), as well as a variety of practical steps. These steps are important, and focus attention on the mitigation component of a security breach process.
4) Some potential negatives from notice
The report also serves to highlight some of the potential negatives that may occur from consumer notification. According to the report, agencies should 'bear in mind that notice and the response it can generate from individuals is not 'costless,' a consideration that can be especially important where the risk of identity theft is low.' The report identifies the following costs:
5) Contents of the notice
The federal recommendations also identify specific contents for a 'clear, concise and easy-to-understand' notice. This notice should include:
6) Being prepared after the notice
The federal guidance also focuses on being prepared for consumer inquiries following a notice. While many of the factors in this assessment focus on theoretical and sophisticated issues, this is a practical question: If a company or agency sends a notice, it must be ready to respond to new inquiries, whether by telephone or otherwise. This takes planning and resources.
Conclusion
The government remains a source of substantial security breach potential, as well as a source of creative and useful information for the private sector (and government agencies) for addressing some of the practical concerns related to security breaches. We will see over the next few months whether these efforts to re-energize the government's security efforts are successful. In any event, given the wide range of personal information held by government agencies at the state and local level as well as by the federal government, and the poor track record in protecting this information, there remains significant room for concern and improvement regarding the government's information security practices.
Kirk J. Nahra is a partner with Wiley Rein & Fielding LLP, in Washington, DC, where he specializes in health care, privacy, information security, and insurance fraud litigation and counseling for the health care and property/casualty insurance industries and others in the financial services industry and elsewhere facing compliance obligations in these areas. He is chair of the firm's Privacy Practice and co-chair of its Health Care Practice. He recently was named as the co-chair of the newly formed Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community. He can be reached at 202-719-7335 or [email protected].
The Government: Both a Problem and a Solution on Security Breaches
As private entities in virtually all industries have faced private data security breach challenges, we also are seeing the parallel rise of security breaches involving government entities. These recent breaches ' led by the enormous publicity surrounding the Veterans' Administration loss/theft of a laptop containing the personal information of more than 26 million veterans ' have focused attention on the government as both the collector of enormous amounts of personal information and the source of many security problems. With this new attention, the government needs to redouble its efforts to improve overall security and focus leadership attention on developing best practices that can both protect against government breaches and provide useful information to private sector entities facing the same challenges.
The Government's Track Record
Part of the attention focused on the government's security problems has been driven by recent studies ' primarily an ongoing series from the Government Accountability Office ('GAO') ' describing significant weaknesses in information security controls at a variety of federal agencies. In one report, 'Information Security: Department of Health and Human Services Needs to Fully Implement its Program,' GAO-06-267 (Feb. 24, 2006), available at www.gao.gov/new.items/d06267.pdf, the GAO indicated that medical and financial information maintained by the Department of Health and Human Services ('HHS') is vulnerable to various attacks because of 'significant weaknesses in electronic access controls and other information system controls' within HHS. HHS is the primary enforcement agency for the various HIPAA rules, including the privacy and security rules. This was followed by a more recent report, issued in August 2006, finding significant shortfalls in how the Centers for Medicare and Medicaid Services ('CMS') ' both the Medicare agency and the specific arm of HHS tasked with HIPAA Security Rule enforcement ' protects sensitive information of Medicare patients. See 'Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network, GAO-06-750 (August 2006), available at www.gao.gov/new.items/d06750.
pdf. The GAO summary highlights the array of weaknesses:
Although CMS had many key information security controls in place ' which had been designed to safeguard the communication network ' some were missing, and existing ones had not always been effectively implemented. Significant weaknesses in electronic access and other system controls threatened the confidentiality and availability of sensitive CMS financial and medical information when it was transmitted across the network. CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive computing resources and devices used to support the communication network. GAO discovered numerous vulnerabilities in several areas: user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and monitoring of security-related events. There were also weaknesses in controls that had been designed to ensure that secure configurations would be implemented on network devices and that incompatible duties would be sufficiently segregated. A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were implemented effectively. As a result, sensitive, personally identifiable medical data traversing the network is vulnerable to unauthorized disclosure and these weaknesses could lead to disruptions in CMS services.
Another GAO report, issued April 3, found that the Securities and Exchange Commission ('SEC') 'has not effectively implemented information security controls to properly protect the confidentiality, integrity and availability of its financial and sensitive information and information systems.' See 'Information Security: Securities and Exchange Commission Needs to Continue to Improve Its Program,' GAO-06-408 (March 31, 2006), available at www.gao.gov/new.items/d06408.pdf. (The SEC has enforcement authority over certain entities under the Gramm-Leach-Bliley Act).
Yet another GAO report, this time addressing the Internal Revenue
Service ('IRS'), found that while the IRS had made some progress on certain information security weaknesses that had been identified by the GAO earlier, many recommendations had not been implemented, and the GAO 'identified new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS's financial information systems and the information they process,' including a failure to implement effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. See 'Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service,' GAO-06-328 (March 23, 2006), available at www.gao.gov/new.items/d06328.pdf. Therefore, according to the GAO, '[c]ollectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption. A key reason for IRS's weaknesses in information security controls is that it has not yet fully implemented an information security program ensuring that effective controls are established and maintained. Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.'
Consequently, in recent months, the GAO has criticized the information security practices of highly visible federal agencies with high-profiles stores of medical and financial data about tens of millions of individuals. The GAO also issued a report identifying the overall status of government agency information security programs ' see 'Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements,' GAO-06-527T (March 16, 2006), available at www.gao.gov/new.items/d06527t.pdf.
Moreover, aside from the failures of individual agencies, the GAO also has reported that agencies lack effective guidelines on their use of individual information that is derived and obtained from various commercial sources, including many of the data brokers that have been the subject of highly publicized security breaches. See 'Personal Information: Agency and Reseller Adherence to Key Privacy Principles,' GAO-06-421 (April 4, 2006), available at www.gao.gov/new.items/d06421.pdf. This includes the privacy practices of the Department of Justice, Department of Homeland Security, the State Department, and the Social Security Administration.
What Has Happened with Personal Information in the Agencies?
These 'policy and procedure' failures are not just abstract. While security breach incidents obviously are happening across many industries, government sectors have certainly not been absent from these incidents. The publicized events involving government agencies also demonstrate the enormous range of agencies ' at state, local, and national levels ' that maintain information about individuals, often in volumes, the sensitivity of which is not readily apparent.
For example, in recent months, there have been numerous security breaches involving public universities, and lesser-publicized incidents involving, for example, stolen laptops from the Department of Justice, the
In fact, these 'visible' breaches appear to be only the tip of the iceberg. On Oct. 13, 2006, the House Government Reform Committee released a staff report (available at http://reform.house.gov/UploadedFiles/Agency%20Breach%20Summary%20Final%20(3).pdf) detailing the enormous number of security breach incidents from federal agencies since January 2003. The report draws a couple of key conclusions about the government's overall security issues.
According to the report, 'all 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003.' This includes the Department of Defense, the Department of Homeland Security and the Federal Trade Commission.
The report indicates that, in many circumstances, government agencies do not know what information has been lost or how many individuals could be affected by a specific security breach.
As with many of the most visible security breaches in the private sector, the cause of security breaches typically is not a computer hacker (although obviously, there have been situations where a hacker has been involved). Instead, the Committee staff found that the most typical breaches ' the 'vast majority' ' involved physical thefts of data (stolen laptops, etc), and unauthorized use of data by employees. For example, recent reports have indicated that the Department of Commerce lost 1138 laptops since 2001. The Department of Justice found 400 laptops missing from the offices of the Federal Bureau of Prisons, the Drug Enforcement Administration, the Federal Bureau of Investigation, and the United States Marshals Service. The IRS lost as many as 2300 laptops between 1999 and 2002.
Again, as with the private sector, the government is finding that many of the security breaches involve government contractors.
What Is the Government Doing About Its Security Problems?
The government's response to these security issues has encompassed a variety of points. First, there is a significant legislative push to hold the government accountable, to some degree, for its security problems. Many of the recently enacted state security breach notification statutes obligate state government entities to provide notice of security breaches. There has, of course, been no enforcement history related to government breaches, or potential failures to give notice.
Second, in addition to the continuing debate about federal security breach legislation, there also is a specific notice statute that has been introduced, the Veterans Identity and Credit Security Act of 2006 (H.R. 5835, sponsored by Congressman Steve Buyer of Indiana, which would obligate the Office of Management and Budget to develop appropriate policies for government agencies related to security breach notification. (This legislation recently was amended to cover all government agencies, through a 'link' between this proposal and a similar proposal from Congressman Tom Davis of
On a broader level, the Office of Management and Budget ('OMB') has prepared and released various governmentwide security policies that are intended to be implemented rapidly across the federal government. In June, the OMB issued a memorandum (M-06-16, available at www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf) on the 'Protection of Sensitive Agency Information,' which detailed required security procedures for government agencies. In addition to incorporating the 'Checklist' from the National Institute of Standards and Technology, the memo set out four specific security requirements, all of which were to be implemented within 45 days. These steps were:
1) Encrypt all data on mobile computers/devices that carry agency data unless the data is specifically designated as 'non-sensitive';
2) Allow remote access only with two-factor authentication, where one factor is provided by a device separate from the computer itself;
3) Use a 'time-out' function for remote access and mobile devices, requiring re-authentication after 30 minutes of inactivity; and
4) Log all computer-readable data extracts from databases holding sensitive information and verify that each extract that includes sensitive data has been erased within 90 days (or that its ongoing use is still required).
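The fourth requirement is the one that needs ongoing bookkeeping rather than a one-time configuration change: every extract must be logged, and each logged extract must later be checked off as erased or re-approved. The following script is an added example (not part of the article or of any OMB or agency tooling) of how an agency or company could audit such an extract log against the 90-day window. The pipe-delimited log format, the field names, the sample records and the audit date are all constructed for illustration; the classification rule treats a documented 'still required' re-approval as satisfying the check, which is one reading of the OMB language.

```python
"""Audit a database-extract log against a 90-day erasure-verification rule.

Added example modeled on OMB M-06-16 requirement 4; the log format and
field names below are assumptions, not a real agency format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 90  # the OMB window for verifying erasure or continued need

# Constructed sample log. Assumed record layout, one record per line:
# id|requester|source_db|sensitive(yes/no)|extracted|erased(or -)|still_required(yes/no)
SAMPLE_LOG = """
# extract_id|requester|source_db|sensitive|extracted_on|erased_on|still_required
EXT-0001|jdoe|medicare_claims|yes|2006-04-03|2006-05-15|no
EXT-0002|asmith|veteran_records|yes|2006-03-01|-|no
EXT-0003|asmith|veteran_records|yes|2006-08-20|-|no
EXT-0004|rlee|medicare_claims|yes|2006-02-10|-|yes
EXT-0005|rlee|public_stats|no|2006-01-05|-|no
EXT-0006|jdoe|medicare_claims|yes|2006-01-15|2006-06-01|no
"""

AUDIT_DATE = date(2006, 9, 1)  # constructed "today" for the sample run


@dataclass
class Extract:
    extract_id: str
    requester: str
    source_db: str
    sensitive: bool
    extracted_on: date
    erased_on: Optional[date]   # None while the extract still exists
    still_required: bool        # True if continued use was re-approved


def _parse_date(field: str) -> Optional[date]:
    return None if field == "-" else date.fromisoformat(field)


def parse_extract_log(text: str) -> list[Extract]:
    """Parse the assumed log format; blank lines and '#' comments are skipped."""
    records: list[Extract] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed extract record: {line!r}")
        ext_id, requester, source_db, sensitive, extracted, erased, required = fields
        records.append(Extract(
            extract_id=ext_id,
            requester=requester,
            source_db=source_db,
            sensitive=sensitive.lower() == "yes",
            extracted_on=date.fromisoformat(extracted),
            erased_on=_parse_date(erased),
            still_required=required.lower() == "yes",
        ))
    return records


def classify(extract: Extract, today: date) -> str:
    """Place one extract in an audit bucket relative to its 90-day deadline."""
    if not extract.sensitive:
        return "out_of_scope"          # the rule covers sensitive data only
    deadline = extract.extracted_on + timedelta(days=RETENTION_DAYS)
    if extract.erased_on is not None:
        return "erased_on_time" if extract.erased_on <= deadline else "erased_late"
    if extract.still_required:
        return "renewed"               # continued use was documented
    return "overdue" if today > deadline else "within_window"


def audit_extracts(extracts: list[Extract], today: date) -> dict[str, list[str]]:
    """Group extract ids by audit bucket; 'overdue' is the list to act on."""
    buckets = ("overdue", "within_window", "renewed",
               "erased_on_time", "erased_late", "out_of_scope")
    report: dict[str, list[str]] = {b: [] for b in buckets}
    for extract in extracts:
        report[classify(extract, today)].append(extract.extract_id)
    return report


if __name__ == "__main__":
    for bucket, ids in audit_extracts(parse_extract_log(SAMPLE_LOG), AUDIT_DATE).items():
        print(f"{bucket:15s} {', '.join(ids) or '-'}")
```

The 'erased_late' bucket matters as much as 'overdue': an extract that was eventually erased but sat past the window is still a control failure that should show up in the agency's records, not quietly disappear once it is gone.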
Subsequently, OMB also issued guidance relating to the reporting of security incidents. The OMB memorandum requires 'agencies to report all incidents involving personally identifiable information to [the federal incident response center] within one hour of discovering the incident.' [emphasis in original]. OMB also has suggested establishment of 'a core management group responsible for responding to the loss of personal information.'
Government Identity Theft Efforts
Following the issuance of these security procedures, the government also has begun to address directly the issue of potential identity theft stemming from breaches involving personal information held by the government. For the last several months, a high-level federal government task force ' called the President's Identity Theft Task Force ('Task Force') ' has been reviewing issues related to how the federal government can best combat identity theft involving security breaches at government agencies. Co-chaired by the attorney general and the chairman of the Federal Trade Commission, the Task Force recently issued an 'interim' set of recommendations related to an overall national strategy to combat identity theft. While this initial set of recommendations focused on information obtained, used, and disclosed by the federal government, these interim recommendations contain some useful insights for any company worried about identity theft risks and consumer notification issues. (The group's final recommendations are expected this month.) The recommendation document is available at www.ftc.gov/os/2006/09/060916interimrecommend.pdf.
Basic Recommendations
The interim report came forward with the following seven recommendations:
1) OMB should issue specific guidelines to all federal agencies related to the factors that should guide both a decision as to when to notify individuals of a government security breach and when services such as credit monitoring should be offered;
2) OMB and the Department of Homeland Security should issue best practices for data security and privacy programs, and should develop a list of the top 'mistakes to avoid' in protecting private information;
3) The federal government, through the Office of Personnel Management, should review how it uses and collects Social Security Numbers, with an eye toward reducing the collection, use, and disclosure of this information;
4) Agencies should publish a new 'routine use' allowing disclosure of information to individuals in the event of a security breach (a 'routine use' is needed under the Privacy Act that otherwise restricts how the government uses and discloses information);
5) The Task Force should hold hearings focused on developing and promoting improved means of authenticating the identities of individuals;
6) The federal restitution statutes should be amended to allow identity theft victims to recover amounts for time lost trying to remediate the harms of identity theft; and
7) The FTC and the Task Force should develop a 'universal police report' related to identity theft crimes, to facilitate data collection and aggregated information.
Guidance for Dealing with ID Theft
While the following guidance focuses on how the government should act in connection with security breaches involving personal information, there clearly is useful information contained within this report related to how private companies should be acting relative to the sensitive information they manage.
1) Factors for notification
Private companies continue to struggle with how to address the multitude of state laws requiring consumer notification in connection with some security breaches. These laws, with all their inconsistencies and ambiguities, are creating complex challenges for companies in all industries. The Task Force report identifies specific factors that should be considered when evaluating whether notice should be provided. While these factors are not tied directly to the various state laws, they should be a component of what companies review in their notification investigations.
These factors include:
On the whole, given the factors identified above and the 'negatives' described below, notice is appropriate when, 'weighing all the facts available, the risks to consumers caused by the security breach warrant notice when notice would facilitate appropriate remedial action that is likely to be justified, given the risk.' While these factors may not legally be helpful for private companies (given the specific details of some state laws), these factors will be helpful in evaluating the 'should' element of the notification dilemma, and may provide additional support for a decision on notification.
2) The importance of pre-breach planning
The interim report focuses on the importance of planning before a breach happens, including identification of a core breach team. The report identifies, from its 'experience,' the typical members of such a team: the agency CIO, chief legal officer, chief privacy officer, a senior management official, and an Inspector General representative. Private companies should emulate this approach and ensure that a core team is involved for the immediate 'triage' needed for a significant security breach.
3) Reducing risk after exposure
The report also identifies specific mitigation steps that can be taken to reduce actual risk from identity theft, as well as harm if identity theft occurs. These involve contacting relevant financial institutions, encouraging individuals to monitor account statements and credit reports, identifying fraud alert and credit freeze possibilities (as well as potential harms from these steps), as well as a variety of practical steps. These steps are important, and focus attention on the mitigation component of a security breach process.
4) Some potential negatives from notice
The report also serves to highlight some of the potential negatives that may occur from consumer notification. According to the report, agencies should 'bear in mind that notice and the response it can generate from individuals is not 'costless,' a consideration that can be especially important where the risk of identity theft is low.' The report identifies the following costs:
5) Contents of the notice
The federal recommendations also identify specific contents for a 'clear, concise and easy-to-understand' notice. This notice should include:
6) Being prepared after the notice
The federal guidance also focuses on being prepared for consumer inquiries following a notice. While many of the factors in this assessment focus on theoretical and sophisticated issues, this is a practical question: If a company or agency sends a notice, it must be ready to respond to new inquiries, whether by telephone or otherwise. This takes planning and resources.
Conclusion
The government remains a source of substantial security breach potential, as well as a source of creative and useful information for the private sector (and government agencies) for addressing some of the practical concerns related to security breaches. We will see over the next few months whether these efforts to re-energize the government's security efforts are successful. In any event, given the wide range of personal information held by government agencies at the state and local level as well as by the federal government, and the poor track record in protecting this information, there remains significant room for concern and improvement regarding the government's information security practices.
Kirk J. Nahra is a partner with