With the growing threat of cyberattacks, we thought it would be worthwhile to discuss a late 2016 change in reporting requirements for federal agencies that have suffered a data breach. The Office of Management and Budget’s (OMB) Memorandum 17-05, issued November 4, 2016, significantly redefined what constitutes a “major” cybersecurity incident that would require federal agencies to notify Congress under the Federal Information Security Modernization Act of 2014 (FISMA). Agencies are required to notify appropriate Congressional Committees of a “Major Incident” no later than seven days after the date on which the agency determines that it has a “reasonable basis” to conclude that a “Major Incident” has occurred.

Previously, OMB Memorandum 16-03, issued on October 30, 2015, defined a “Major Incident” as one which:

1) Involves information that is classified or otherwise protected under certain categories; and

2) Is not recoverable or not reasonably recoverable within a specified amount of time or is recoverable only with supplemental resources;

3) Has a high or medium functional impact to the mission of an agency; or

4) Involves exfiltration, modification, deletion or unauthorized access to either:

a) 10,000 or more records or users; or

b) any record of special importance.

The 2015 Guidelines enumerated a number of “factors” which would contribute to the determination of whether a breach would constitute a “Major Incident”. However, this only led to confusion and uncertainty as to when an incident should properly be classified as “Major.”

In an apparent attempt to reduce the level of uncertainty, the 2016 Guidelines now define a “Major Incident” as:

Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

OMB did not provide guidance as to how an agency should determine whether an incident is likely to “result in demonstrable harm.” However, the new Guidelines encourage agencies to reference the Department of Homeland Security’s United States Computer Emergency Readiness Team’s (DHS US-CERT) National Cybersecurity Incident Scoring System (NCISS), and other U.S. government publications, which use the following factors:

  • Functional Impact;
  • Observed Activity;
  • Location of Observed Activity on the network;
  • Actor Characterization;
  • Information Impact: the type of information lost, compromised, or corrupted;
  • Recoverability;
  • Cross-Sector Dependency; and
  • Potential Impact.

The new Guidelines also provide that an incident will be considered “Major” when there is the “unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ PII . . ..” While there is some uncertainty, the 100,000 threshold is apparently to be considered in conjunction with the “demonstrable harm” analysis, rather than as a stand-alone test, to determine if an incident is “Major.”

There are a few interesting takeaways from the 2016 Guidelines. First, it is interesting that OMB concluded that it was necessary to revise the 2015 guidelines, as Memorandum 16-03 had been only released a year earlier. Second, the new Guidelines increased the threshold for affected user records from 10,000 to 100,000. OMB likely recognized that some breaches could affect thousands of records, and the smaller threshold might have triggered reporting to Congress for incidents that truly were not “Major”. Finally, in an effort to clarify the standards for a “Major Incident”, the new Guidelines rely on an undefined term – “demonstrable harm” – and a list of factors just like the earlier Guidelines. That provides some indication that there is no clear and easy way to determine whether a data breach is a “Major”. Hopefully, these changes will help provide some clarity for federal agencies and their employees in the long run, but we are left to wait and see if that will be the case.