BreachExchange mailing list archives
DoD Issues Guidance on Privacy Breach Notices
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Sep 2015 11:52:30 -0600
http://www.fedweek.com/federal-managers-daily-report/dod-issues-guidance-on-privacy-breach-notices/

The Pentagon has issued guidance to DoD components on considerations for making public announcements regarding breaches of private information, an issue that has been much in the mind of the federal workforce in recent months following disclosure of two major cyber hacks of personally identifiable information, or PII, held by the Office of Personnel Management.

A memo from the DoD senior official for privacy, Michael L. Rhodes, says the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary. One challenge is that no two breaches of PII involve the exact same circumstances, personnel, systems or information. A case-by-case analysis combined with the use of best judgment is required for effective breach management.”

Specifically, it says that the determination of whether to notify individuals of a breach should be based on an assessment of the likelihood that the individual will be harmed and the impact. Harm includes not just risk such as identity theft or financial loss, it adds, but also embarrassment, inconvenience, emotional distress and loss of self-esteem.

“Components should remain cognizant of the effect that unnecessary notification may have on the public,” it adds. “Notification when there is little or no risk of harm might create unnecessary concern and confusion. Additionally, overzealous notifications … could render all such notifications less effective because consumers could become numb to them and fail to act when risks are truly significant.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com