In a series of federal initiatives to thwart online identity theft, government offices face a late September deadline to comply with a new White House directive creating agency-specific notification policies of breaches in order to safeguard personal information.

Issued on May 22 by the U.S. Office of Management and Budget (OMB), the directive stems from “Combating Identity Theft: A Strategic Plan,” a report submitted to the President by the U.S. Identity Theft Task Force on April 23. Conveyed via a memo by Clay Johnson III, the OMB’s deputy director for management, the federal directive gives agencies 120 days to define their notification policies.

About half of all federal agencies had already complied with the directive by the first week in June, Karen Evans, OMB administrator for electronic government and information technology, said during the 19th Annual Information Security Conference at the United Nations headquarters in New York. The event was sponsored by the United Nations Global Alliance for Information and Communications Technologies and Development (GAID) and AIT Global Inc. Posted on the OMB’s Web site and distributed widely among government agencies, memo M-07-16 states that new notification requirements cover all federal information and information systems.

“Breaches subject to notification requirements include both electronic systems and as paper documents. In short, agencies are required to report on the security of information systems in any format (e.g., paper, electronic, etc.),” Johnson says.

The U.S. Identity Theft Task Force report stems from an earlier executive order directing the task force to create a comprehensive plan that recommends actions to be taken by both public and private sector organizations to reduce instances of identity theft.

To help agencies define their new policies, the OMB defines the term “breach” as a “loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access or any similar term referring to situations where people other than authorized users and for any other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.”

But the OMB also suggests that agencies use a “best judgment” standard to construct individual policies that make sense for them. “For example, an office Rolodex contains personally identifiable information. In this context, the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic that treats contagious diseases probably would be considered sensitive information,” Johnson says.

To comply with the OMB’s directive, agencies must first review existing requirements for privacy and security. Agency policies must cover breach notification, incident reporting and define the responsibilities of the individuals authorized to access personally identifiable information.

The OMB provides agencies with documents explaining how to meet the new specifications. In one new measure, the agencies are also given 120 days to establish plans for eliminating the unnecessary collection of Social Security numbers over the course of the next 18 months.

Another requirement states that all data on mobile computers and devices must be encrypted with the use of National Institute of Standards and Technology (NIST)-certified cryptographic modules, unless the data has been designated in writing as “not sensitive” by a senior-level agency official. Agencies must also provide employees with initial and “at least annual” refresher training on privacy and security requirements before giving them access to agency information and information systems. As of June, 13 of 26 federal agencies had already complied with the OMB’s directive.

Agencies are also moving ahead with other efforts designed to combat identity theft. In congressional testimony in May, the Federal Trade Commission (FTC) told the Ohio Privacy and Public Records Access Study Committee that public agencies can “play a key role in reducing the incidence and impact of identity theft.” At least ten federal agencies have posted resources for the public on their Web sites about identity theft. These include the FTC, U.S. Department of Justice, Department of the Treasury, Department of Health and Human Services, Federal Reserve System, Securities and Exchange Commission, Social Security Administration, Comptroller of the Currency, U.S. Secret Service and the U.S. Postal Inspection Service.