BreachExchange mailing list archives

DoD Issues Guidance on Privacy Breach Notices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Sep 2015 11:52:30 -0600

http://www.fedweek.com/federal-managers-daily-report/dod-issues-guidance-on-privacy-breach-notices/

The Pentagon has issued guidance to DoD components on considerations for
making public announcements regarding breaches of private information, an
issue that has been much in the mind of the federal workforce in recent
months following disclosure of two major cyber hacks of personally
identifiable information, or PII, held by the Office of Personnel
Management.

A memo from the DoD senior official for privacy, Michael L. Rhodes, says
the department “must continue its efforts to promote a culture to
continuously ‘think privacy’ and act swiftly to develop and implement
effective breach mitigation plans, when necessary. One challenge is that no
two breaches of PII involve the exact same circumstances, personnel,
systems or information. A case-by-case analysis combined with the use of
best judgment is required for effective breach management.”

Specifically, it says that the determination of whether to notify
individuals of a breach should be based on an assessment of the likelihood
that the individual will be harmed and the impact. Harm includes not just
risk such as identity theft or financial loss, it adds, but also
embarrassment, inconvenience, emotional distress and loss of self-esteem.

“Components should remain cognizant of the effect that unnecessary
notification may have on the public,” it adds. “Notification when there is
little or no risk of harm might create unnecessary concern and confusion.
Additionally, overzealous notifications … could render all such
notifications less effective because consumers could become numb to them
and fail to act when risks are truly significant.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/