Responding to Data Incidents: A Step-By-Step Guide for CAAs 

You just learned that your Community Action Agency (CAA) experienced a data incident. What should you do next?  

With cybercrime increasing, this question arises more and more often. Many CAAs have moved away from paper records toward electronic systems which contain significant amounts of data, and it isn’t always clear what obligations a CAA has when data within its care is compromised.  

The legal framework governing the protection of data is complex and disjointed. Data privacy laws are state and/or industry-specific (e.g., the Head Start Program Performance Standards, Health Insurance Portability and Accountability Act (HIPAA), etc.) and mostly focus on how an organization should protect a certain kind of data, rather than how it should respond to the unintentional disclosure of that data, i.e., a data incident. There is no overarching federal law that establishes an organization’s obligation to not only protect data but also to respond to data incidents. Congress has made attempts to advance comprehensive privacy laws, with the most recent attempt being a draft of the “American Privacy Rights Act”, however there continues to be no current comprehensive federal law on the subject. Many states have privacy laws, which vary in comprehensiveness and coverage. While this Guide provides a review of general principles, a CAA should work with an attorney in its state once a data incident is identified.  

Whether a hacker steals personal information from the CAA’s server, or client information is exposed from CAA records, a CAA can use this Guide to understand the steps it should take in response to a data incident. Taking proper measures can protect a CAA from the legal ramifications of a data incident, as the failure to comply with applicable laws can result in fines and potential lawsuits. This Guide can also assist a CAA in formulating a data incident response plan so that it is better prepared for and can minimize the impact of a data incident, should one occur.  

This Guide references a real-life CAA experience using a fictional CAA name, OnGuard CAA. As the Guide lays out the steps to take in response to data incidents, it provides illustrative examples from OnGuard’s experience. The steps in this Guide, as exemplified by OnGuard, serve as guidance for a CAA’s own response efforts. Since every data incident differs, responses will vary and CAAs should consider the steps in the context of the problem at hand. This may mean tackling the various steps in a different order or working on multiple steps simultaneously. Insurance, for example, plays a large role in data incident response such that the insurance company will likely inform how the CAA responds to the incident and in what order the steps are completed. 

This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.