Standardizing Federal PII Breach Response: OMB Updates Guidance for Agencies, Contractors, and Grant Recipients
Client Alert | 1 min read | 01.11.17
On January 3, 2017, the Office of Management and Budget (OMB) issued M-17-12, which updates and supersedes 2006 and 2007 OMB memoranda on preparing for and responding to breaches of personally identifiable information (PII) by imposing minimum standards on agencies for incident response programs, training and awareness, reporting, and documentation, coupled with requiring use of a flexible framework to assess and mitigate the risk of harm to individuals potentially affected by a PII breach. While making clear that a PII breach does not necessarily indicate an absence of adequate safeguards, the updated guidance also requires agencies to impose specific requirements, such as encryption, training, and incident-response obligations, on all contractors and subcontractors (at any tier); identifies PII-related requirements for federal grant recipients; and directs the FAR Council to “promptly… create appropriate contract clauses and regulatory coverage.”
Contacts
 - Partner, Crowell Global Advisors Senior Director - Washington, D.C.- D | +1.202.624.2698
 
- Washington, D.C. (CGA)- D | +1 202.624.2500
 
 
Insights
Client Alert | 13 min read | 10.30.25
Federal and State Regulators Target AI Chatbots and Intimate Imagery
In the first few years following the public launch of generative artificial intelligence (AI) in the autumn of 2022, litigation related to AI focused primarily on claims of copyright infringement. Suits revolved around allegations that the data on which AI models train, and/or the output they produce, infringe upon the intellectual property rights of others. (While some of these cases have settled or reached preliminary judgments, many remain ongoing.)
- Client Alert | 3 min read | 10.30.25 - Is Course Hero Heading to Summer School After Summary Judgment Loss? 
- Client Alert | 6 min read | 10.29.25 - Enhancing UK cyber security resilience and leadership engagement 
- Client Alert | 9 min read | 10.28.25 - Key Takeaways from a Consequential Month of Russia-Related Sanctions 

