The Homeland Security Department is finalizing best practices that agencies, state and local governments and other organizations involved in a cyber breach can use to notify victims.
The guidance lends suggestions on the decision-making process for notifying impacted individuals, preparing and delivering notices, concerns about “over-notifying” and additional support for victims.
The DHS Data Privacy and Integrity Advisory Committee drafted the document after former DHS Chief Privacy Officer Karen Neuman asked the committee in September 2015 to develop written best practices for notifying data breach victims.
“We can get to work on our important work so that unfortunately that I’m afraid, the next time this will happen, we’ll be ready for it and we can respond quickly and appropriately,” Jonathan Cantor, acting chief privacy officer for DHS, said during the department’s meeting last month.
When deciding whether and how to notify impacted individuals of a cyber breach, the DHS committee first suggests conducting a risk analysis.
The organization should think about the nature of the data that was compromised and its sensitivity. Breaches where Social Security or medical information was stolen, for example,
“The analysis leading to a decision about notification must be conducted rapidly, since both legal requirements and the interests of those affected necessitate prompt notification, the final draft said. “It is important to seek a balance between the need for speed and the need for accurate information in the notice.”
To achieve that balance, the organization should think about whether the details of the breach are already public and if details of the scope of the attack are known.
“An overly broad notification may unnecessarily alarm people who, upon further investigation, may be found not to have been affected,” the final draft document said. “But it may not be possible to achieve perfect knowledge and a long delay in notifying can result in greater harm to more people.”
Preparing and delivering notices
The DHS committee suggests that organizations create template notification letter that it can modify depending on the scenario. Organizations should send notification letters through the first-class mail, which is more likely to reach the intended recipient, the committee said.
The letters or emails themselves shouldn’t look like junk mail or like correspondence from an unfamiliar source. They should be written in plain language with few acronyms and little jargon.
Organizations should also make sure that notifications don’t include too much information and only the details that a victim might need to have a basic understanding of what happened,” The DHS Data Privacy and Integrity Committee said.
“When more than one entity was involved in the breach, such as a breach that occurred at a third-party vendor, the source of the notice (the name on the letterhead) should be the entity that is most directly known to the recipients,” the DHS draft said. “The signature on the notice should be of a fairly high-level person in the notifying entity to indicate the seriousness with which the incident is regarded.”
It is possible to notify breach victims too often, as the Federal Trade Commission has discovered.
As more states have enacted their own cyber breach notification laws, FTC has noticed that recipients tend to ignore multiple notices, some with important information.
“Individuals affected by a data breach are in the best position to determine the importance of a given incident and its potential for harm to them,” the final draft said. “To reduce the likelihood that individuals would become desensitized to notices, the language and format of the notice should make it easier for recipients to understand what the notice is, make an assessment of their own risk and take appropriate action.”
But no matter how much thought and detail an organization or agency puts into the notification process, victims will likely have more questions.
The committee recommends setting up a call center with staff who are trained to specific questions in multiple languages. Agencies should also have a plan to answer unexpected or non-routine calls, the DHS committee said.
Organizations might consider setting up a website as more information becomes available, the draft said.
These best practices do not invalidate Federal Information Security Management Act (FISMA) requirements or the directive that the Office of Management and Budget released early last year, the committee said.
The committee’s guidelines come more than a year after OPM received harsh criticism for its method of notifying the cyber breach victims of two separate breaches, which impacted a total of 21.5 million people.
Notifications to the 4.2 million people impacted by the first breach left victims confused and Congress skeptical. OPM quickly signed a contract to notify and provide credit monitoring services shortly after it announced the first breach. Victims received notification emails from an unfamiliar address, which prompted them to click on an unfamiliar URL. Critics at the time said the notification procedures stood contrary to most cyber hygiene practices many federal employees learn from their agencies, such as not clicking on links from an unfamiliar source.
Congress also took issue with OPM’s first contract and called the timing and circumstances of the procurement into question. The agency’s own inspector general later said OPM’s contract didn’t meet federal rules.
OPM took a much slower, more deliberate approach in informing victims of the second breach. A few months after the agency disclosed the second hack, it began sending written notifications on OPM letterhead to breach victims, which also described how they could sign up for free credit monitoring and identity protection services.