Assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals is needed. In addition to any immediate remedial actions they may take, agencies should assess a suspected or confirmed breach to determine if there is a likely risk of harm and the level of impact, if applicable.
The OMB has outlined five factors that should be considered in assessing the likely risk of harm: (1) nature of the data elements breached, (2) number of individuals affected (3) likelihood the information is accessible and usable, (4) likelihood the breach may lead to harm, and (5) ability of the agency to mitigate the risk of harm. Once a risk level is determined, agencies should use this information to determine whether notification to affected individuals is needed and, if so, what methods should be used. OMB instructed agencies to be mindful that notification when there is little or no risk of harm might create unnecessary concern and confusion. It also stated that while the magnitude of the number of affected individuals may dictate the method chosen for providing notification, it should not be the determining factor for whether an agency should provide notification.
Offer assistance to affected individuals (if appropriate)
Agencies should have procedures in place to determine whether services such as credit monitoring should be offered to affected individuals to mitigate the likely risk of harm. OMB instructed agencies that, while assessing the level of risk in a given situation, they should simultaneously consider options for attenuating that risk.
Analyse breach response and identify lessons learned
Agencies should review and evaluate their responses to a data breach, including any remedial actions that were taken, and identify lessons learned, which should be incorporated into agency security and privacy policies and practices as necessary. NIST recommended holding a "lessons learned" meeting with all involved parties after a major incident and periodically after lesser incidents, as resources permit, to assist in handling similar incidents and improving security measures.