32 CFR 310.51 - Lost, stolen, or compromised information.
(1) The United States Computer Emergency Readiness Team (US CERT) within one hour of discovering that a breach of personally identifiable information has occurred. Components shall establish procedures to ensure that US CERT reporting is accomplished in accordance with the guidance set forth at http://www.us-cert.gov.
(i) The underlying incident that led to the loss or suspected loss of PII (e.g., computer incident, theft, loss of material, etc.) shall continue to be reported in accordance with established procedures (e.g., to designated Computer Network Defense (CND) Service Providers (reference (z)), law enforcement authorities, the chain of command, etc.).
(2) The Senior Component Official for Privacy within 24 hours of discovering that a breach of personally identifiable information has occurred. The Senior Component Official for Privacy, or their designee, shall notify the Defense Privacy Office of the breach within 48 hours upon being notified that a loss, theft, or compromise has occurred. The notification shall include the following information:
(i) Identify the Component/organization involved.
(ii) Specify the date of the breach and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.
(iii) Briefly describe the facts and circumstances surrounding the loss, theft, or compromise.
(iv) Briefly describe actions taken in response to the breach, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the breach; whether the affected individuals are being notified, and if this will not be accomplished within 10 working days, that action will be initiated to notify the Deputy Secretary (see § 310.14); what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., refresher training conducted, new or revised guidance issued; and any other information considered pertinent as to actions to be taken to ensure that information is properly safeguarded.
(2) The Component shall determine whether administrative or disciplinary action is warranted and appropriate for those individuals determined to be responsible for the loss, theft, or compromise.