Nuclear Regulatory Commission--Availability of Appropriations for Credit Monitoring Services
B-310865: Apr 14, 2008
B-310865, Nuclear Regulatory Commission--Availability of Appropriations for Credit Monitoring Services, April 14, 2008
Decision
Matter of: Nuclear Regulatory Commission—Availability of Appropriations for Credit Monitoring Services
DIGEST
If the Nuclear Regulatory Commission were to mistakenly disclose to the public personally identifiable information of an employee or private citizen, its appropriation is available to pay for credit monitoring services as long as the Commission determines that it is necessary under the particular circumstances. In making such a determination, the Commission should be guided by the risk-based, tailored approach outlined by the Office of Management and Budget. Such an expenditure would be consistent with statutory breach notification and mitigation requirements and, notwithstanding any collateral personal benefit to an employee or individual, would be a necessary expense of the agency.
DECISION
The Nuclear Regulatory Commission (NRC) asks whether it may use appropriated funds to pay for credit monitoring services for employees or private citizens in the unlikely event that the government mistakenly discloses their personally identifiable information to the public. Letter from Leslie W. Barnett, Director, Division of Planning, Budget, and Analysis, Office of the Chief Financial Officer, NRC, to Gary L. Kepplinger, General Counsel, GAO, Dec. 4, 2007 (Request Letter). As discussed below, because NRC's appropriation is available for such a purpose as part of its overall information security program, we conclude that the expense would be authorized as a necessary expense of the agency, provided that the agency determines the expenditure to be necessary under the particular circumstances presented.[1]
In response to a request by the U.S. Customs and Border Protection on whether its appropriation is available to pay for credit monitoring services for employees who had become, or may become, victims of identity theft, we recently issued a decision stating that credit monitoring services for federal employees are generally personal expenses not chargeable to an agency's appropriation. B-309604,
BACKGROUND
By statute, federal agencies are responsible for providing information security protections and complying with security standards and guidelines. Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3544(a). OMB has stated in its implementing guidance that "[s]afeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public." Memorandum for the Heads of Executive Departments and Agencies, OMB,
OMB has issued guidance providing a menu of steps for agencies to consider in the event of a data breach so that the agency may pursue a risk-based, tailored response. Memorandum for the Heads of Departments and Agencies, OMB, Subject: Recommendations for Identity Theft Related Data Breach Notification,
NRC states that it has robust programs in place to comply with all applicable requirements and the OMB directives on protecting personal information of employees and private citizens in its possession. Request Letter, at 1. As part of its security program, NRC has prepared a breach notification policy providing that the agency will "consider steps that can be taken to mitigate further compromise of [personal information] and to mitigate any negative results from the breach. . . . In addition to containing the breach, appropriate countermeasures, such as monitoring system(s) for misuse of the [information] and patterns of suspicious behavior should be taken." NRC Breach Notification Policy, at 7, available at www.nrc.gov/site-help/privacy.html#personal (last visited
NRC is of the opinion that appropriated funds may be used to pay for credit monitoring services when the government is the cause of the mistaken disclosure of an employee's or private citizen's personal information. Request Letter, at 1. It believes that paying for such services, perhaps for a period limited to 1 year, would be a reasonable and cost-effective means of mitigating the adverse consequences resulting from the government's mistaken disclosure of an employee's or private citizen's personal information.
DISCUSSION
Ordinarily, credit monitoring services are personal expenses because the expenditure primarily benefits the individual or employee, not the agency. Appropriations are generally not available for the personal expenses of government employees. B-309604,
Unlike our recent decision addressing the use of the Customs and Border Protection's appropriation to pay for employees' credit monitoring services, in which we found the credit monitoring services for employees to be personal in nature, the NRC request presupposes that government action or inaction compromised the individuals' identities. Under these circumstances, the government has an interest in ensuring the public trust in handling the vast amounts of personal information it maintains. Moreover, Congress has required agencies to protect this information and has imposed affirmative obligations on agencies to address breaches and mitigate risks when government action or inaction mistakenly compromises personal information. As stated above, FISMA specifically addresses the possibility of inadvertent disclosures of information and requires agencies to have procedures for detecting, reporting, and responding to security incidents, including mitigating risks before substantial damage is done. 44 U.S.C. § 3544(b)(7).
In light of these obligations and responsibilities, we think that NRC would have a reasonable basis for such an expenditure: purchase of credit monitoring services for affected individuals is a means of mitigating the risk caused by the agency's inadvertent disclosure. NRC's intention of purchasing credit monitoring services, consistent with OMB policy, directly relates to FISMA's statutory requirement to minimize damage resulting from breaches and appears to be a reasonable implementation of this requirement.
CONCLUSION
Given this statutory and administrative framework, we would not object to the use of appropriated funds to purchase credit monitoring services in the event of a security breach if the agency administratively determines that the expense is necessary. Any such determination, of course, should be made in accordance with OMB policy cautioning against routinely providing for such services in the event of a data breach.
Gary L. Kepplinger
General Counsel
[1] Our practice when rendering decisions is to obtain a factual record from the relevant federal agency and, as appropriate, other interested parties, and to elicit the legal position, if any, of the agency and other interested parties on the subject matter of the request. GAO, Procedures and Practices for Legal Decisions and Opinions, GAO-06-1064SP (
[2] This OMB memorandum is available at www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf (last visited