Responding to Data Incidents: A Step-By-Step Guide for CAAs 

Learn and Adapt: Take what has been learned to better prepare moving forward. 

A CAA must learn and adapt from its experience responding to a data incident to better avoid such incidents in the future. After OnGuard’s data incident experience, the CAA implemented MFA, revisited its contracts with certain third-party vendors, and strengthened its internal controls.

Allowing the lessons learned to inform the development and improvement of internal controls is a great way to prepare for any potential future data incidents. Internal controls can take many forms, including establishing and following systems that use checklists or other verification procedures, or implementing authorization protocols outlining who is permitted to view certain documents and take actions. The CAPLAW resource, Do the Right Thing: Culture of Compliance + Ethics, provides further information to help CAAs understand what internal controls often look like and what steps a CAA may take to establish or update approaches, policies, and procedures that help to minimize future risks.

This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.