TREASURY DIRECTIVE 25-08

DATE: December 22, 2009

SUBJECT: Safeguarding Against and Responding to the Breach of Personally Identifiable Information

  1. PURPOSE. This directive establishes the Department of the Treasurys (Departments) Personally Identifiable Information (PII) protection and Breach response and notification policy and plan. This directive also authorizes the issuance of a handbook or other guidance to implement this policy.
  2. SCOPE. This directive applies to all bureaus, offices, and organizations in the Department of the Treasury, including the offices of Inspectors General within the Department. The provisions of this directive shall not be construed to interfere with or impede the authorities or independence of the Departments inspectors general.
  3. POLICY. It is the policy of the Department to retain the trust of the American public by safeguarding PII in all forms. The Department is committed to implementing PII protection in the development and execution of Departmental programs and policies as outlined in the Responsibilities section.
  4. BACKGROUND. Breaches of PII can lead to significant financial losses and emotional burdens to affected individuals, as well as the inappropriate disclosure of records of the Department. The best protection against a Breach is to prevent its occurrence through policies that train individuals to protect PII, by implementing procedural safeguards to prevent misuse of or unauthorized access to PII, and by imposing accountability for failures to properly safeguard PII.
  5. DEFINITIONS.
    1. Breach means the suspected or actual loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for other than authorized purposes have access or potential access to PII whether in physical or electronic form.
    2. Breach Risk Assessment means the process by which a bureau estimates the severity of a Breach. The Breach Risk Assessment must include the following steps:
      1. 1) Evaluate the nature of the data elements subject to Breach;
      2. 2) Assess the individuals who are likely to be affected by the Breach;
      3. 3) Determine the likelihood that the Breached PII is accessible to and usable by those with unauthorized access to it;
      4. 4) Estimate the risk of harm resulting from the Breach; and
      5. 5) Determine the capability of the bureau or office to mitigate the harm resulting from the Breach independently.
    3. Breach Notification means a written statement issued in coordination with the Department that informs outside agencies, individuals, or entities of a Breach. A Breach Notification should contain the following elements:
      1. 1) A brief description of the nature of the Breach, including the date(s) that it occurred and was discovered;
      2. 2) A description of the types of PII involved in the Breach;
      3. 3) A statement of whether the PII was encrypted or protected by other means, when determined that such information would be beneficial and would not compromise the security of the system;
      4. 4) A description of the steps individuals should take to protect themselves from potential harm, if any;
      5. 5) A description of what the Department is doing to investigate the Breach, mitigate losses, and to protect against further Breaches; and
      6. 6) A statement identifying the appropriate Department personnel whom the affected individuals may contact for more information.
    4. Breach Notification Plan means a formal proposal by a bureau to a Bureau Head to issue a Breach Notification arising from a specific Breach. The Breach Notification Plan shall consist of the following items:
      1. 1) A description of the need based on the risk assessment for a Breach Notification;
      2. 2) Identification of the Notification Source;
      3. 3) A description of the proposed Notification Process;
      4. 4) Identification of the proposed timing for issuing the Breach Notification;
      5. 5) Identification of the planned recipients of the Breach Notification; and
      6. 6) A proposed form of Breach Notification.
    5. Bureau Heads means all Treasury bureau heads, including the Inspectors General within the Department, and the Deputy Assistant Secretary for Privacy and Treasury Records (on behalf of the Departmental Offices).
    6. Notification Process means the method or methods used to transmit the Breach Notification. These methods should be commensurate with the number of people affected and the urgency with which they need to receive notice. Examples of appropriate Notification Processes may include telephone, first-class mail, email, newspapers, or other public media outlets.
    7. Notification Source means the bureau or office issuing the official Breach Notification.
    8. Personally Identifiable Information (PII) means information which can be used to distinguish or trace an individuals identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mothers maiden name, etc.
    9. The Personally Identifiable Information Risk Management Group (PIIRMG) comprises principals in various Department disciplines and competencies. The PIIRMG oversees the Departments compliance with applicable privacy laws and regulations, reviews and evaluates the Departments PII protection policies, tracks relevant trends and identifies best practices, and assists the bureaus in addressing certain extraordinary Breaches.
  6. RESPONSIBILITIES.
    1. The Assistant Secretary for Management and Chief Financial Officer has been designated as the Treasury Departments Chief Privacy and Civil Liberties Officer pursuant to Treasury Order 102-25 and shall:
      1. 1) Chair the PIIRMG;
      2. 2) Notify the Secretary and Deputy Secretary of the occurrence of a Breach, as necessary; and
      3. 3) Serve as focal point with the Office of Management and Budget and Congress on all matters pertaining to the Breach and coordinate mitigation actions with the respective Inspectors General Offices as appropriate.
    2. The Deputy Assistant Secretary for Privacy and Treasury Records (DASPTR) shall be responsible for the following, in addition to having the responsibilities of a Bureau Head with respect to the Departmental Offices, as set forth below in section 6(d):
      1. 1) Provide the day-to-day operational support for the PIIRMG;
      2. 2) Prepare correspondence, reports, schedules, plans, and procedures as necessary for the PIIRMG to oversee and coordinate Breach mitigation and privacy protection activities within the Department;
      3. 3) Provide critical review and analysis of issues and problems impacting mitigation of Breaches and privacy protection activities within Treasury; and
      4. 4) Notify the PIIRMG of any Breach discussed below in section 6(d)(3).
    3. Bureau Heads shall take the following steps to prevent Breaches and to minimize their impact:
      1. 1) Conduct periodic reviews of their PII holdings to ensure that these holdings are accurate, relevant, timely and complete, and reduce their holdings of PII to the minimum necessary to effectively administer Department programs.
      2. 2) Limit access to PII to employees who have a business need for doing so.
      3. 3) Periodically review and update policies, guidance, and procedures that address the manner in which occurrences of Breaches of PII can be prevented and their effects minimized.
      4. 4) Provide annual privacy training to employees who have access to PII. Such training shall instruct such individuals of their responsibility to appropriately safeguard PII and the disciplinary and legal consequences of not doing so.
      5. 5) For all Departmental systems of records that contain PII, establish a routine use for such records, pursuant to the Privacy Act of 1974, as amended, by which the Department may disclose such records when necessary in order to respond effectively to a Breach.
    4. Bureau Heads shall take the following steps in the event of a Breach:
      1. 1) Report confirmed or suspected Breaches in paper and electronic formats pursuant to Treasury Directive 85‑01, Department of the Treasury Information Technology (IT) Security Program, and Treasury Directive Publication 85-01, Appendix G, Incident Response Guidelines and Procedures. Bureau Heads are responsible for reporting a reach within one hour of discovery to the Department of the Treasury Computer Security Incident Response Center (TCSIRC) and the appropriate Treasury Inspectors General.
      2. 2) Instruct the affected bureau to conduct a Breach Risk Assessment and prepare a Breach Notification Plan in the event that the Breach Risk Assessment indicates a risk of significant harm arising from a Breach.
      3. 3) Notify the PIIRMG (through the Deputy Assistant Secretary for Privacy and Treasury Records) prior to issuing a Breach Notification in the event that the Bureau Head or designee determines that a Breach has ramifications beyond the affected bureau or cannot be adequately addressed by the affected bureau alone. The PIIRMG shall work with the Bureau Head to design and implement an appropriate response to the Breach.
      4. 4) Implement the Breach Notification Plan if the Bureau Head or designee determines that:
        1. a) There is no need to obtain the prior approval of the PIIRMG or such approval has been obtained;
        2. b) The risk of harm arising from a Breach is significant;
        3. c) Issuance of a Breach Notification would be prudent; and
        4. d) The proposed Notification Process and form of Notification are appropriate and likely to be effective under the circumstances.
  7. AUTHORITIES.
    1. Privacy Act of 1974, as amended, 5 USC 552a.
    2. Federal Information Security Management Act of 2002, 44 USC 3531 et. seq.
    3. E-Government Act of 2002, Section 208.
    4. Consolidated Appropriations Act of 2005, Pub L. 108-447, Section 522.
    5. Executive Order (EO) 13402, Strengthening Federal Efforts to Protect Against Identity Theft, as amended, November 3, 2006.
    6. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.
    7. Department of the Treasury Regulations, 31 CFR Part 0, Employee Rules of Conduct.
    8. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.
    9. OMB Memorandum M-06-19, Reporting Incidents Involving PII, July 12, 2006.
    10. OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification, September 20, 2007.
    11. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
    12. Treasury Order (TO) 102-25, Delegation of Authority Concerning Privacy and Civil Liberties.
    13. Treasury Directive (TD) 25-04, The Privacy Act of 1974, As Amended.
  8. REFERENCES.
    1. The Presidents Identity Theft Task Force Memorandum, Identity Theft Related Data Security Breach Notification Guidance, September 12, 2006.
    2. The Presidents Identity Theft Task Force Strategic Plan, Combating Identity Theft, April 2007.
    3. Government Accountability Office Report 07-657, Privacy: Lessons Learned about Data Breach Notification, April 2007.
    4. TD 25-06, "The Treasury Data Integrity Board."
    5. TD 85-01, Department of the Treasury Information Technology (IT) Security Program.
    6. Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, Volume I.
    7. Appendix G, Treasury Incident Response Guidelines and Procedures of TD P 85-01, Volume I.
    8. TD P 15-71, Security Manual.
    9. TD P 25-04, "Privacy Act Handbook."
    10. National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide.
    11. Treasury Personally Identifiable Information Risk Management Group Charter.
    12. Department of the Treasurys data breach routine use published on October 3, 2007, at 72 FR56434.
  9. OFFICE OF PRIMARY INTEREST. Office of the Assistant Secretary for Management and Chief Financial Officer, Office of the Deputy Assistant Secretary for Privacy and Treasury Records, and Office of the Deputy Assistant Secretary for Information Systems and Chief Information Officer.

 

/S/
Dan Tangherlini
Assistant Secretary for Management
and Chief Financial Officer