New Federal Guidance on Data Breaches, also Instructive for the Private Sector

In today’s information-driven economy, it is not just corporations that are under attack from hackers. Since federal agencies also collect, use, process, store, maintain, disseminate, disclose, and dispose of unprecedented volumes of personally identifiable information (“PII”), they also are under vigorous attack. One of the biggest cyberattacks in history happened to a federal agency. In 2015, at least 26 million personnel records of current and former employees were stolen from the federal government’s Office of Personnel Management (the federal government’s employee management division). It appears no federal agency is immune, even those you would least expect to be vulnerable. In 2016, at least 30,000 personnel records were stolen from the FBI and the Department of Homeland Security.

Increasingly, federal electronic systems are being targeted by hackers who sell or trade stolen PII on criminal exchanges or use it for other malicious purposes. Between 2013 and 2015, there was a 27 percent increase in the number of attempted breaches. A variety of PII is stolen, ranging from common types such as names, addresses, dates of birth, and places of employment, to potentially classified types such as identity documents, precise location information, medical history, and biometric information (including fingerprints). Such illegally obtained PII can be used to seek employment, travel across international borders, obtain prescription drugs, receive medical treatment, claim benefits, file false tax returns, and aid in other criminal activities.

To thwart cyberattacks, the federal government’s Office of Management and Budget (“OMB”), on January 3, 2017, issued new guidance on how federal agencies must prepare for and respond to PII data breaches. This guidance, titled Memorandum for Heads of Executive Departments and Agencies (M-17-12), supersedes three guidance memos issued in 2006 and 2007, well before successful cyberattacks became weekly fodder for news outlets. The OMB’s guidance also comes on the heels of a December 2016 statement by the President on enhancing national cybersecurity for the government, the private sector, and the nation as a whole.

The new guidance for breach response takes a risk-based approach to “assessing and mitigating the risk of harm to individuals potentially affected by a breach.” It discusses when notification (and an offer of support services) to those individuals is required or necessary. In general, the new guidance aims to give federal agencies consistency in their responses while at the same time allowing for flexibility based on the context of a particular breach. The memo also outlines some requirements for contracts, including the contracting language that should be included to ensure that federal agencies can respond properly to a breach when a contractor collects or maintains PII on behalf of an agency. Federal agencies have 180 days to implement the changes reflected in the new breach guidance.

For more information about how the new guidance can be incorporated into existing data breach response plans, or how contractors can comply with the new guidance, please contact Matt Sorensen and Romaine Marshall.
