Personal tools

Breach or Data Breach

An incident involving the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where:

    • A person other than an authorized user accesses or potentially accesses PII; or
    • An authorized user accesses or potentially accesses PII for other than the authorized purpose.

Breaches do not require evidence of harm to an individual, or of unauthorized modification, deletion, exfiltration, or access to information.

PII can be breached in any format, including physical (paper), electronic, and verbal/oral.

A determination of whether a breach occurred is dependent on the availability of facts and circumstances; thus, the determination may occur at any time and any disposition of breach status is not necessarily final.

The Elements of a Breach are further defined as follows:

    • Unauthorized modification is the act or process of changing components of information and/or information systems.
    • Unauthorized deletion is the act or process of removing information from an information system.
    • Unauthorized exfiltration is the act or process of obtaining—without authorization or in excess of authorized access—information from an information system without modifying or deleting it.
    • Unauthorized access is the act or process of logical or physical access without permission to a Federal agency information system, application, or other resource.

Examples of breaches that must be reported include, but are not limited to the following:

    • loss of control or similar occurrence (e.g., unencrypted email transmission) of sensitive or High Risk DOE employee or contractor PII;
    • loss of control or similar occurrence of Department credit card holder information;
    • loss of control or similar occurrence of PII collected from or pertaining to members of the public;
    • loss of control or similar occurrence of system security information (e.g., user name, passwords, security question responses, etc.);
    • incorrect delivery of PII to an unauthorized person;
    • theft of or compromise of PII; and
    • unauthorized access to PII stored on Department-managed information systems or managed for the Department, including websites, data centers, cloud services, etc.

For these purposes, reportable PII does not include common business exchanges such as names and/or business contact information.

Examples of breaches of PII include, but are not limited to:

    • A laptop or removable storage device containing PII is lost or stolen and information on the device is accessed;
    • An employee or contractor’s system access credentials are lost or stolen to gain access to files containing PII;
    • An unencrypted email containing sensitive or High Risk PII is sent to the wrong person, inside or outside of the Department email network;
    • Files or documents with PII, such as medical information, are lost or stolen during shipping, courier transportation, or relocation;
    • PII is posted, either inadvertently or with malicious intent, to a public website or can be accessed through a Departmental-operated web page or website;
    • An unauthorized person overhears Departmental employees or contractors discussing the PII of another individual; or
    • An IT system that collects, maintains, or disseminates PII is accessed or compromised by an unauthorized person or malicious actor.
No items have been linked to this term.
  • Information and Analysis
  • Information Technology
  • Security

Document Actions