agency becomes aware of the breach[48]. This response and possible notification cannot be
delayed while the legal responsibility for the breach is determined. However, existing agency
breach response and notification policies, plans, and resources require evaluation and
modification to adequately address the new relationship between Federal agencies and CSPs.
Federal agencies need to ensure that they can expand their breach policies and plans as
required to ensure compliance with existing requirements for response. These policies must
specify which parties are responsible for the cost and containment or mitigation of harm and
for notifying affected individuals where required, as well as provide for instruction and
requirements on terminating storage and deleting data upon expiration of the agreement, or
agreement term and extension options[49]. Finally, any change to a breach policy is dependent on
the agency privacy office being fully informed of the contractual and other responsibilities of
the CSP and Federal agency in the event of incidents or breaches.
In order for a Federal agency to adequately respond to an incident or breach, the following are
key factors to consider in a cloud computing contract:
- Ensure that an agency’s breach policies and plans adequately address the new relationship between the Federal agency and CSP, including the assignment of specific roles and tasks between the agency and the CSP, even before determination of ultimate responsibility in the case of a data breach;
- Establish clear contractual duties and liability of the CSP for timely breach reporting, mitigation (i.e., administrative, technical, or physical measures to contain or remedy the breach), and costs, if any, of providing notice, credit monitoring, or other appropriate relief to affected individuals as appropriate under the circumstances;
- Address when the termination of services, and assertion of the Government’s rights of ownership, custody, transfer (return) or deletion of any data stored in a CSP environment will be invoked by the agency as a remedy for a breach; and
- Ensure that there are appropriate audit rights to permit compliance reviews under applicable laws to allow the Federal agency to meet its duty as the data owner.
E-Discovery[50]
Federal agencies will always be involved in litigation, whether it is employment litigation,
contract disputes, policy defense, statute enforcement, or other legal actions. Federal agency
data will always be a necessary component of litigation. Even now, IT resources are called upon
to assist in responding to necessary litigation requests. Given the inevitability of agency
litigation and the great potential costs and benefits of moving data to a CSP environment,
[48] See OMB Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and
Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006),
http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-19.pdf; OMB Memorandum 07-16,
Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007),
http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf; and NIST Special
Publication 800-61, Computer Security Incident Handling Guide (Jan. 2004),
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf.
[49] When applicable, this could include funding for identity protection/credit monitoring services. See id.
[50] The agency’s e-discovery counsel or office will be a valuable resource in assisting in this analysis.