Safeguarding Against and Responding to the Breach of Personally Identifiable Information
"As part of the work of the Identity Theft Task Force, this memorandum requires agencies to develop and implement a breach notification policy within 120 days. The attachments to this memorandum outline the framework within which agencies must develop this breach notification policy while ensuring proper safeguards are in place to protect the information. Agencies should note the privacy and security requirements addressed in this Memorandum apply to all Federal information and information systems. Breaches subject to notification requirements include both electronic systems as well as paper documents. In short, agencies are required to report on the security of information systems in any format (e.g., paper, electronic, etc.)."
U.S. Dept. of Homeland Security: http://www.dhs.gov/