One data breach in the summer of 2015 against the United States government cost taxpayers more than $350 million. Since 2005, the U.S. government has lost more than 183 million personnel records and countless files containing sensitive information. Despite all of this, the government has failed to create a policy for responding to data breaches. To demonstrate the absence of any clear policy, this Note analyzes two recent breaches against the government and explains how the responses, or lack thereof, fall at opposite ends of the response continuum.
This Note creates a policy for government response to data breaches. This policy analyzes the factors surrounding the breach, including the actor who perpetrated the breach, the information stolen, and the potential uses for that information. This Note then lays out a continuum of potential responses, from doing nothing to kinetic action. Lastly, this Note creates a decision matrix that assigns responses to breaches based on the factors of the breach. The result is a policy shell that allows government decision makers to respond to breaches in a way that instills confidence in the American public and deters potential hackers.