Responding to Data Incidents: A Step-By-Step Guide for CAAs 

Discover: Understand what happened and why.

The forensic data company analyzed the incident and determined the day the incident occurred, how the systems were compromised, which individuals’ information was stolen, and what information was implicated. OnGuard’s sensitive information was obtained through a third-party consultant, its outsourced CFO, whose accounting system was not adequately secured. As a result, an attacker accessed OnGuard’s confidential staff and client financial information held in the outsourced CFO’s system. The compromised data included information required to file taxes, such as names, dates of birth, tax status, addresses, tax deductions, and Social Security numbers. OnGuard had all this information within two days of engaging the forensic data company, which put OnGuard in a position to respond adequately to the incident. 

The data incident response team will work to discover what information was compromised, including: 

  • What type of data is implicated (financial data, PII, etc.);  
  • Whose data is implicated (clients, employees, etc.); and 
  • Whether sector-specific privacy laws are triggered (e.g., Head Start Act, state privacy laws).  
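Answering the first two questions above in practice means going through the compromised data set record by record. The following Python script is an added example, not part of the CAPLAW guide and not code used in the OnGuard matter: it takes an export of the kind an outsourced CFO’s accounting system might hold and reports which records contain Social Security numbers, dates of birth, addresses and tax data, and how many employees versus clients are affected. The CSV rows and column names are constructed for the example; SSN candidates are checked against the ranges the Social Security Administration never issues so that placeholder values are not counted as real exposures.

```python
"""Scope a compromised data set by data type and affected individual.

Added example (not from the CAPLAW guide). Given a CSV export from a
compromised system, it classifies each record by the categories of data
it exposes and summarizes affected individuals by role.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample export; every value below is made up, and the
# column names are an assumption about what such an export contains.
SAMPLE_EXPORT = """name,role,dob,address,ssn,filing_status,notes
Ada Lovelace,employee,1985-12-10,10 Main St,123-45-6789,single,
Bob Stone,client,1972-03-04,22 Oak Ave,000-12-3456,married,
Cy Fern,employee,,5 Elm Rd,487-65-4321,head of household,deductions: 1200
Dee Hart,client,1990-07-21,,,,"ssn on file: 111223333"
"""

# Matches 9-digit SSNs with or without hyphens, e.g. 123-45-6789 or 123456789.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This keeps dummy values out of the count."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the digits-only form of every valid SSN found in text.
    Free-text fields (notes, comments) are searched too, since SSNs
    often leak outside the column meant to hold them."""
    found = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            found.append("".join(m.groups()))
    return found


def classify_record(row: dict) -> set:
    """Map one record to the categories of personal data it exposes."""
    cats = set()
    if find_ssns(" ".join(v or "" for v in row.values())):
        cats.add("ssn")
    if row.get("dob"):
        cats.add("dob")
    if row.get("address"):
        cats.add("address")
    notes = (row.get("notes") or "").lower()
    if row.get("filing_status") or "deduction" in notes:
        cats.add("tax_data")
    return cats


def scope_incident(csv_text: str) -> dict:
    """Summarize who is affected (by role) and which data categories
    appear in the compromised export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    by_role = Counter()
    categories = Counter()
    affected = []
    for row in reader:
        cats = classify_record(row)
        if not cats:
            continue  # record holds nothing that needs notification analysis
        affected.append((row["name"], row["role"], sorted(cats)))
        by_role[row["role"]] += 1
        categories.update(cats)
    return {
        "affected": affected,
        "by_role": dict(by_role),
        "categories": dict(categories),
    }


if __name__ == "__main__":
    result = scope_incident(SAMPLE_EXPORT)
    for name, role, cats in result["affected"]:
        print(f"{name} ({role}): {', '.join(cats)}")
    print("by role:", result["by_role"])
    print("categories:", result["categories"])
```

On the sample export the script flags all four individuals, attributes three SSN exposures (one of them found only in a free-text notes field) and identifies the dummy value 000-12-3456 as not a real SSN. The per-role and per-category counts are what feed the later determination of which notification laws apply; a real engagement would run this over every file the forensic review identifies, not a single CSV.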

The data incident response team must understand how the data was compromised, i.e., the vulnerability that allowed the incident to occur. Below are a few areas where vulnerabilities may exist, as well as ways such vulnerabilities can be addressed.  


Third-Party Consultants

CAAs often engage third-party consultants and vendors who may introduce vulnerabilities into the organization. A consultant, for example, may store CAA data on its own systems and protect it only with weak passwords, leaving that data exposed to attack. When entering into the business relationship, many third-party consultants and vendors will provide the CAA with a form agreement, which the CAA should treat as a starting point for negotiation rather than a final document. The CAA can then review the form agreement to identify key issues, such as ensuring that the third-party service provider maintains adequate data security practices and will notify the CAA promptly if the provider’s own systems are compromised. Key issues and provisions to consider when reviewing such contracts are described in further detail in this Guide under Step 6: Remediate.  

 

Employees 

Employee passwords are often the first line of defense against unauthorized access to sensitive CAA data, and they are a frequent target of attack. Password security can be strengthened by updating security protocols (for example, requiring a unique password for each system and multi-factor authentication where it is available), utilizing password vaults, working with technology companies (many of which specialize in working with nonprofits, such as Tech Impact and TechSoup), and implementing effective training that empowers employees to identify and report potential threats. Phishing attacks target employees through deceptive emails or messages designed to capture their credentials or to deliver malware, including ransomware. Understanding how phishing and ransomware attacks work helps organizations develop and implement robust cybersecurity strategies and training. 


Remote Work

A CAA that works with shared employees or employees who work remotely should implement the security protocols necessary to keep the CAA’s sensitive information safe. For example, if shared or remote employees connect to the CAA’s systems over home or public Wi-Fi networks that the CAA does not control, the information traveling between their devices and the CAA’s systems can be intercepted, resulting in a data breach. One solution for addressing this vulnerability is to implement a virtual private network (VPN), which encrypts the information that flows from employee devices to the CAA’s platforms, and vice versa. A VPN protects data in transit only; it does not secure the employee’s device or account, so it should be paired with the password and training measures described above. 

This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.