OMB Memo M-17-12 — Preparing for & Responding to PII Data Breaches
OMB Memorandum M-17-12 ("Preparing for and Responding to a Breach of Personally Identifiable Information," January 3, 2017) is the government-wide playbook for how federal agencies must handle a breach of personally identifiable information (PII) — from the moment a breach is discovered through investigation, notification, remediation, and post-incident review. Issued in the final weeks of the Obama administration following a period of major federal data breaches (most prominently the 2015 OPM breach, which exposed 21.5 million background investigation records), M-17-12 replaced earlier guidance and established a comprehensive, consistent framework that all executive branch agencies must follow.
The memo addresses a gap that the OPM breach exposed with painful clarity: the federal government had no consistent, government-wide protocol for responding to PII breaches. Different agencies had different notification timelines, different thresholds for offering credit monitoring, different protocols for notifying Congress and the public, and different approaches to determining breach scope. M-17-12 creates a single authoritative answer to those questions — one that remains binding on federal agencies regardless of which administration is in office, since it implements statutory obligations under the Privacy Act (5 U.S.C. § 552a), FISMA (44 U.S.C. § 3554), and OMB's general management authority.
Legal Authority
- 5 U.S.C. § 552a — Privacy Act; requires agencies to safeguard personal information in federal systems of records; agencies that maintain records must notify individuals affected by breaches; the substantive privacy protection statute that breach response implements
- 44 U.S.C. § 3554 — FISMA; requires agencies to implement security programs including incident response capabilities; OMB oversight of agency incident response under FISMA authority
- OMB Memorandum M-17-12 (January 3, 2017) — Establishes uniform government-wide PII breach response requirements: breach reporting timelines (1 hour to US-CERT, 72 hours for agency senior officials), notification thresholds, credit monitoring standards, breach response team requirements, and post-incident review obligations
Key Mechanics
M-17-12 establishes a tiered response framework triggered by breach discovery. Agencies must report suspected PII breaches to US-CERT within 1 hour of discovery; within 72 hours, agency senior officials (CIO, Privacy Officer, General Counsel, IG) must receive a breach report. The agency must assess whether the breach triggers notification to affected individuals based on three factors: the likelihood the information was accessed by unauthorized parties, the sensitivity of the information (financial, health, Social Security numbers, biometric data), and whether notification would serve the affected individuals or pose additional security risks. For breaches meeting notification thresholds, agencies must notify affected individuals within a reasonable timeframe (typically 10 business days after breach characterization); notification must include what happened, what information was involved, what the agency is doing, and what individuals can do to protect themselves. Credit monitoring must be offered for breaches involving Social Security numbers, account numbers, or other financial information where there is a risk of fraud — minimum 18 months of free credit monitoring. Agencies with 100,000+ affected individuals must also notify Congress within 10 days. A Breach Response Team at each agency (chaired by the Privacy Officer or designee) coordinates investigation, notification, and remediation. Post-incident review must occur within 120 days to identify root causes and preventive measures.
Overview
| Parameter | Value |
|---|---|
| Document | OMB Memorandum M-17-12 |
| Date issued | January 3, 2017 |
| Issuing official | Shaun Donovan, Director of OMB |
| Supersedes | OMB M-07-16 (prior breach notification guidance) |
| Applies to | All executive branch agencies handling PII |
| Key statute | Privacy Act of 1974 (5 U.S.C. § 552a); FISMA (44 U.S.C. § 3554) |
| Companion policy | OMB Circular A-130, Appendix II (privacy program requirements) |
Defining PII and Breach
PII is defined broadly in M-17-12 as information that can be used to distinguish or trace an individual's identity — either alone or when combined with other information. This includes obvious identifiers (Social Security Numbers, financial account numbers, biometric data) as well as information that may be PII in context (name + employer + medical condition; IP address + browsing history). M-17-12 adopts a context-sensitive definition: whether information is PII depends on whether it can be linked to a specific individual in the particular context, not whether the information is labeled PII.
A breach is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of PII — regardless of whether a specific harm results. The breach is the unauthorized exposure, not the downstream identity theft. This means agencies cannot wait to confirm that harm occurred before invoking breach response procedures; the trigger is the unauthorized exposure itself.
The Breach Response Process
M-17-12 organizes breach response into four phases, each with specific requirements:
Phase 1: Discovery and Reporting
Agencies must report confirmed or suspected PII breaches to US-CERT (now CISA) within one hour of discovery. This is not a one-hour deadline to confirm that a breach occurred — it is a one-hour deadline to report the suspected breach while investigation is ongoing. The one-hour reporting requirement ensures that CISA has situational awareness of potential incidents early enough to coordinate cross-agency response if the breach affects multiple agencies or systems.
Within 24 hours of discovery, agencies must report the breach to the agency's Senior Agency Official for Privacy (SAOP) and initiate a formal breach response. For breaches involving national security systems or classified information, additional reporting to national security stakeholders is required.
Phase 2: Assessment
Within 72 hours of discovery (for confirmed breaches), agencies must complete an initial breach assessment covering:
- Scope: How many individuals are affected? What types of PII were exposed?
- Sensitivity: What is the sensitivity of the PII? (SSNs and financial data are highest sensitivity; name and email address alone are lower)
- Likely impact: What harms could result from the exposure — identity theft, financial fraud, embarrassment, safety risks?
- Cause: How did the breach occur? Was it malicious (hack, insider threat) or accidental (lost device, misconfigured storage)?
- Containment: Is the breach ongoing or contained? Have compromised systems been isolated?
The assessment determines what response actions are proportionate — particularly whether notification to affected individuals is required and what remediation services (credit monitoring, identity restoration) are appropriate.
Phase 3: Notification
M-17-12 establishes a default notification threshold: agencies should notify affected individuals when a breach creates a reasonable risk of harm. The assessment must specifically analyze whether the breached data is sufficient to enable identity theft, financial fraud, or other harms; if the risk of harm is low (e.g., a list of government employee names and work email addresses), notification may not be required. If the risk is high (SSNs, financial accounts, medical data), notification is presumptively required.
Notification content must include:
- What happened (factual description of the breach, in plain language)
- What types of information were involved
- What the agency is doing about it
- What affected individuals can do to protect themselves
- How to contact the agency for more information
Notification timing: For breaches requiring notification, agencies must send notifications within 10 days of confirming the breach scope and determining that notification is warranted (law enforcement can delay notification for ongoing investigations, but not indefinitely).
Remediation services: For high-sensitivity breaches (especially those involving SSNs), agencies must offer affected individuals credit monitoring services for a minimum of 18 months at no cost. For breaches of the most sensitive categories (complete financial account information, health information, SSN + date of birth + mother's maiden name sufficient for identity theft), agencies should also offer identity theft insurance and restoration services. The OPM breach triggered a 3-year credit monitoring offer given its exceptional severity.
Phase 4: Post-Incident Review
Within 90 days of containing a significant breach, agencies must complete a formal post-incident review assessing:
- What control failures allowed the breach to occur
- Whether existing policies and procedures were followed or whether there are gaps
- What corrective actions are underway
- Whether the incident should be escalated for administrative or legal action
For breaches affecting more than 100,000 individuals, the post-incident review must be reported to OMB and may be shared with Congress.
Senior Agency Official for Privacy (SAOP) Role
M-17-12 makes the agency's SAOP the central coordinator for breach response. The SAOP:
- Must be notified within 24 hours of any confirmed PII breach
- Leads the breach response team, which typically includes the CISO, general counsel, communications, and program office representatives
- Signs off on notification content before it is sent to affected individuals
- Prepares the post-incident review
- Maintains the agency's breach log and reports annually to OMB on breach statistics and response activities
Key Requirements
- Report to CISA (US-CERT) within 1 hour of discovering a suspected PII breach — while investigation is ongoing
- Complete initial breach assessment within 72 hours — scope, sensitivity, likely harm, containment status
- Notify affected individuals within 10 days of confirming notification is warranted; plain-language notice required
- Offer 18 months of credit monitoring for high-sensitivity breaches (SSNs, financial accounts, medical data) at no cost to affected individuals
- Notify SAOP within 24 hours; SAOP leads breach response team
- Complete post-incident review within 90 days of containment; report to OMB for breaches over 100,000 individuals
- No notification required where harm risk is determined to be low, but assessment must be documented
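The four phases and the Key Requirements list above describe clocks that each start from a different event (discovery, confirmation, containment) and thresholds that each key off a different breach attribute. The following breach-triage helper, an added example and not part of the memo or any agency's tooling, encodes those timelines and thresholds as stated on this page; the `Breach` fields, the `HIGH_SENSITIVITY` category names and the sample scenario are constructed assumptions.

```python
"""Breach triage helper modelled on the M-17-12 timelines and thresholds above.
Constructed example: field names, category labels and the sample are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

HIGH_SENSITIVITY = {"ssn", "financial_account", "medical"}  # notification presumptively required
OMB_CONGRESS_THRESHOLD = 100_000                            # "100,000+" affected individuals

@dataclass
class Breach:
    discovered_at: datetime
    pii_types: Set[str]
    affected_count: int
    confirmed_at: Optional[datetime] = None   # None while the breach is only suspected
    contained_at: Optional[datetime] = None
    low_harm_risk: bool = False               # conclusion of the documented assessment

def deadlines(b: Breach) -> dict:
    """Each clock runs from a different event: reporting and assessment clocks start at
    discovery (before confirmation), notification at confirmation, review at containment."""
    d = {
        "us_cert_report": b.discovered_at + timedelta(hours=1),
        "saop_notified": b.discovered_at + timedelta(hours=24),
        "initial_assessment": b.discovered_at + timedelta(hours=72),
    }
    if b.confirmed_at is not None:
        d["individual_notification"] = b.confirmed_at + timedelta(days=10)
    if b.contained_at is not None:
        d["post_incident_review"] = b.contained_at + timedelta(days=90)
    return d

def required_actions(b: Breach) -> dict:
    """Apply the notification, credit-monitoring and OMB/Congress thresholds."""
    high = bool(b.pii_types & HIGH_SENSITIVITY)
    notify = high or not b.low_harm_risk      # a low-risk waiver never covers high-sensitivity PII
    return {
        "notify_individuals": notify,
        "credit_monitoring_months": 18 if high else 0,
        "report_to_omb_congress": b.affected_count >= OMB_CONGRESS_THRESHOLD,
        "document_assessment": True,          # required even when notification is waived
    }

def sample_breach() -> Breach:
    """Constructed scenario: exposed storage bucket, contained quickly, confirmed a day later."""
    return Breach(discovered_at=datetime(2024, 3, 1, 9, 0), pii_types={"name", "ssn"},
                  affected_count=250_000, confirmed_at=datetime(2024, 3, 2, 15, 0),
                  contained_at=datetime(2024, 3, 1, 11, 0))

if __name__ == "__main__":
    b = sample_breach()
    for name, when in deadlines(b).items():
        print(f"{name:24s} {when:%Y-%m-%d %H:%M}")
    print(required_actions(b))
```

For a still-unconfirmed breach the notification deadline is absent from the output while the one-hour US-CERT deadline is already set, which is the point the Phase 1 text makes about reporting before confirmation.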
How It Affects You
If you work at a federal agency: M-17-12 is your incident response playbook for PII breaches. Train your team on the 1-hour CISA reporting requirement — it catches people by surprise because it fires before breach confirmation. Establish your breach response team roster (SAOP, CISO, general counsel, communications, relevant program office) and run tabletop exercises at least annually. Prepare notification templates for common breach scenarios (lost laptop, phishing-compromised account, exposed storage bucket) so you're not drafting from scratch in a crisis. Budget for credit monitoring services as a recurring line item — a breach affecting hundreds of thousands of individuals will cost millions in notification and credit monitoring, and you need contracting vehicles in place before the breach.
If you are a citizen whose federal PII was breached: M-17-12 entitles you to plain-language notification within 10 days of the breach being confirmed and notification being warranted. For high-sensitivity breaches, you are entitled to free credit monitoring for at least 18 months. If a federal agency breached your data and has not notified you, the agency's SAOP (Senior Agency Official for Privacy) and the agency's Inspector General are the appropriate contacts. You can also file a Privacy Act complaint with the agency. Note that unlike state data breach laws (which typically require notification within 72 hours regardless of harm risk), M-17-12 allows agencies to forgo notification if they determine the harm risk is low — so notification is not guaranteed for every federal PII exposure.
If you are a researcher or journalist: M-17-12 breach logs are maintained by agencies but are not fully public. Annual FISMA reports include aggregate breach statistics (number of incidents, types of PII involved). For major breaches affecting large numbers of individuals, agencies are required to notify Congress and OMB, creating a paper trail. Individual breach notification letters (when issued) can be obtained via FOIA. The post-incident review for breaches affecting 100,000+ individuals is reportable to OMB; requesting these reviews provides detailed information about the breach, its cause, and the agency's corrective actions.
Relationship to Broader Policy
- Privacy Act: The Privacy Act (5 U.S.C. § 552a) is the statutory foundation; M-17-12 operationalizes the Act's implicit breach response obligations
- FISMA: FISMA's security incident reporting requirements overlap with M-17-12's breach reporting requirements; agencies typically use the same incident reporting infrastructure for both
- OMB Circular A-130, Appendix II: A-130 establishes the SAOP role and privacy program requirements that M-17-12 relies on for breach coordination
- HIPAA: For HHS and agencies with health programs, HIPAA breach notification requirements (45 C.F.R. §§ 164.400–414) apply alongside M-17-12; the HIPAA standard (notification within 60 days of discovery for covered entities) is more permissive than M-17-12 in some respects
Recent Developments
- 2015 — OPM breach exposed 21.5 million background investigation records and 4.2 million personnel records; triggered major reviews of federal PII protection
- January 2017 — M-17-12 issued, replacing M-07-16 with a comprehensive breach response framework
- Ongoing — Annual FISMA reports consistently show federal PII breach incidents in the thousands per year, the vast majority affecting small numbers of individuals (lost laptops, phishing emails); large-scale breaches are rarer but more visible
- 2025 — DOGE-related access to federal systems containing sensitive personal data (Social Security records, tax records, HHS databases) raised M-17-12 questions: at what point does unauthorized or improperly authorized access to PII constitute a breach requiring notification? Agency IGs and privacy advocates argued that M-17-12 compliance reviews were warranted