TITLE: B-310865, Nuclear Regulatory Commission--Availability of Appropriations for Credit Monitoring Services, April 14, 2008
BNUMBER: B-310865
DATE: April 14, 2008
**********************************************************************************************************************
B-310865, Nuclear Regulatory Commission--Availability of Appropriations for Credit Monitoring Services, April 14, 2008

   Decision

   Matter of: Nuclear Regulatory Commission--Availability of Appropriations
   for Credit Monitoring Services

   File: B-310865

   Date:  April 14, 2008

   DIGEST

   If the Nuclear Regulatory Commission were to mistakenly disclose to the
   public personally identifiable information of an employee or private
   citizen, its appropriation is available to pay for credit monitoring
   services as long as the Commission determines that it is necessary under
   the particular circumstances. In making such a determination, the
   Commission should be guided by the risk-based, tailored approach outlined
   by the Office of Management and Budget. Such an expenditure would be
   consistent with statutory breach notification and mitigation requirements
   and, notwithstanding any collateral personal benefit to an employee or
   individual, would be a necessary expense of the agency.

   DECISION

   The Nuclear Regulatory Commission (NRC) asks whether it may use
   appropriated funds to pay for credit monitoring services for employees or
   private citizens in the unlikely event that the government mistakenly
   discloses their personally identifiable information to the public. Letter
   from Leslie W. Barnett, Director, Division of Planning, Budget, and
   Analysis, Office of the Chief Financial Officer, NRC, to Gary L.
   Kepplinger, General Counsel, GAO, Dec. 4, 2007 (Request Letter). As
   discussed below, because NRC's appropriation is available for such a
   purpose as part of its overall information security program, we conclude
   that the expense would be authorized as a necessary expense of the agency,
   provided that the agency determines the expenditure to be necessary under
   the particular circumstances presented.[1]

   In response to a request by the U.S. Customs and Border Protection on
   whether its appropriation is available to pay for credit monitoring
   services for employees who had become, or may become, victims of identity
   theft, we recently issued a decision stating that credit monitoring
   services for federal employees are generally personal expenses not
   chargeable to an agency's appropriation. B-309604, Oct. 10, 2007. The
   facts here lead us to a different outcome. Because the proposed purchase
   of credit monitoring services relates to a breach caused by the government
   and may be a means of mitigating damage resulting from the breach,
   appropriated funds are available for this purpose. In determining whether
   providing credit monitoring services is warranted in a particular
   situation, the agency should conduct a risk assessment and fashion a
   tailored response to the breach, consistent with applicable Office of
   Management and Budget (OMB) guidance.

   BACKGROUND

   By statute, federal agencies are responsible for providing information
   security protections and complying with security standards and guidelines.
   Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C.
   sect. 3544(a). OMB has stated in its implementing guidance that
   "[s]afeguarding personally identifiable information in the possession of
   the government and preventing its breach are essential to ensure the
   government retains the trust of the American public." Memorandum for the
   Heads of Executive Departments and Agencies, OMB, May 22, 2007, available
   at www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf (last visited Mar.
   28, 2008). Agencies must also develop and implement an information
   security program, which, among other things, must include "procedures for
   detecting, reporting, and responding to security incidents," including
   "mitigating risks associated with such incidents before substantial damage
   is done." 44 U.S.C. sect. 3544(b)(7).

   OMB has issued guidance providing a "menu of steps for agencies to
   consider" in the event of a data breach so that the agency "may pursue a
   risk-based, tailored response." Memorandum for the Heads of Departments
   and Agencies, OMB, Subject: Recommendations for Identity Theft Related
   Data Breach Notification, Sept. 20, 2006, at attachment, at 1 (September
   Memorandum).[2] The guidance points out that the precise steps to take
   must be decided in light of the particular facts presented and that in
   deciding whether to offer credit monitoring services, "agencies should
   consider the seriousness of the risk of identity theft arising from the
   data breach." September Memorandum at 7. It describes credit monitoring as
   "a commercial service that can assist individuals in early detection of
   instances of identity theft, thereby allowing them to take steps to
   minimize the harm." Id.  at 6. The guidance states further that a credit
   monitoring service typically "notifies individuals of changes that appear
   in their credit reports, such as creation of a new account or new
   inquiries to the file." Id.

   NRC states that it has robust programs in place to comply with all
   applicable requirements and the OMB directives on protecting personal
   information of employees and private citizens in its possession. Request
   Letter, at 1. As part of its security program, NRC has prepared a breach
   notification policy providing that the agency will "consider steps that
   can be taken to mitigate further compromise of [personal information] and
   to mitigate any negative results from the breach. . . . In addition to
   containing the breach, appropriate countermeasures, such as monitoring
   system(s) for misuse of the [information] and patterns of suspicious
   behavior should be taken." NRC Breach Notification Policy, at 7, available
   at www.nrc.gov/site-help/privacy.html#personal (last visited Mar. 28,
   2008).

   NRC is of the opinion that appropriated funds may be used to pay for
   credit monitoring services when the government is the cause of the
   mistaken disclosure of an employee's or private citizen's personal
   information. Request Letter, at 1. It believes that paying for such
   services, perhaps for a period limited to 1 year, would be a reasonable
   and cost-effective means of mitigating the adverse consequences resulting
   from the government's mistaken disclosure of an employee's or private
   citizen's personal information. Id.

   DISCUSSION

   Ordinarily, credit monitoring services are personal expenses because the
   expenditure primarily benefits the individual or employee, not the agency.
   Appropriations are generally not available for the personal expenses of
   government employees. B-309604, Oct. 10, 2007. We have allowed exceptions
   to the general rule when a particular expenditure for an item that is
   ordinarily considered to be personal in nature primarily benefits the
   government, notwithstanding the collateral benefit to the employee.
   B-302993, June 25, 2004. We generally resolve whether an expense is
   personal or official by assessing the benefits to the agency and the basis
   for the expenditure.

   Unlike our recent decision addressing the use of the Customs and Border
   Protection's appropriation to pay for employees' credit monitoring
   services, in which we found the credit monitoring services for employees
   to be personal in nature, the NRC request presupposes that government
   action or inaction compromised the individuals' identities. Under these
   circumstances, the government has an interest in ensuring the public trust
   in handling the vast amounts of personal information it maintains.
   Moreover, Congress has required agencies to protect this information and
   has imposed affirmative obligations on agencies to address breaches and
   mitigate risks when government action or inaction mistakenly compromises
   personal information. As stated above, FISMA specifically addresses the
   possibility of inadvertent disclosures of information and requires
   agencies to have procedures for detecting, reporting, and responding to
   security incidents, including mitigating risks before substantial damage
   is done. 44 U.S.C. sect. 3544(b)(7).

   In light of these obligations and responsibilities, we think that NRC
   would have a reasonable basis for such an expenditure: purchase of credit
   monitoring services for affected individuals is a means of mitigating the
   risk caused by the agency's inadvertent disclosure. NRC's intention of
   purchasing credit monitoring services, consistent with OMB policy,
   directly relates to the FISMA's statutory requirement to minimize damage
   resulting from breaches and appears to be a reasonable implementation of
   this requirement.

   CONCLUSION

   Given this statutory and administrative framework, we would not object to
   the use of appropriated funds to purchase credit monitoring services in
   the event of a security breach if the agency administratively determines
   that the expense is necessary. Any such determination, of course, should
   be made in accordance with OMB policy cautioning against routinely
   providing for such services in the event of a data breach.

   Gary L. Kepplinger's signature

   Gary L. Kepplinger
   General Counsel

   ------------------------

   [1] Our practice when rendering decisions is to obtain a factual record
   from the relevant federal agency and, as appropriate, other interested
   parties, and to elicit the legal position, if any, of the agency and other
   interested parties on the subject matter of the request. GAO, Procedures
   and Practices for Legal Decisions and Opinions, GAO-06-1064SP (Washington,
   D.C.: Sept. 2006), available at www.gao.gov/legal/resources.html. In this
   instance, the request letter provided sufficient information for our
   decision.

   [2] This OMB memorandum is available at
   www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf (last
   visited Mar. 28, 2008).