Responding to Data Incidents: A Step-By-Step Guide for CAAs 

Assess Financials: Consider how to pay financial obligations. 

OnGuard’s insurance would not approve its claim because the data incident occurred with a third-party contractor, and the CAA did not have MFA, which was a requirement under the policy. As a result, the data incident resulted in significant costs for the CAA, including legal fees, forensic data company fees, costs associated with sending out notification letters, and more, many of which the CAA paid for with unrestricted funds.

Data incidents may impose significant financial burdens on a CAA. The CAA should assess whether federal or state funds may be used to pay any costs of responding to an incident. If multiple programs’ funds are affected by a data incident, the CAA should allocate the costs associated with data incident response across the impacted funding sources. 

The financial impact of a data incident is experienced in multiple ways. There are the expenses associated with addressing the incident itself, such as the cost of notifying affected individuals, working with legal counsel, and engaging experts to investigate. There are also expenses associated with any enforcement actions if the CAA is found liable for failure to properly protect the data and/or respond to a data incident. A failure to comply with notice requirements, for example, may lead to fines or penalties.  

Under the Uniform Guidance, costs resulting from violations of federal, state, or local law (including fines and penalties) are unallowable unless a CAA obtains prior written approval from the Federal awarding agency. 2 C.F.R. § 200.441.  Furthermore, a CAA cannot use federal funds for legal fees related to any potential lawsuit brought by federal, state, or local government, or joined by the federal government regarding inadequate protection of or response to the data incident. 2 C.F.R. § 200.435(b). Thus, if the organization in your state overseeing data incident concerns (such as the Attorney General’s Office) deems the CAA’s actions related to or in response to the incident inadequate and brings a claim against the CAA, then federal funds may not be used to pay for the CAA’s fees related to the lawsuit. 

The cost of insurance required by the federal award, approved by the federal funding source, or maintained in connection with the general conduct of activities (if certain factors are met) is an allowable expense under the Uniform Guidance. 2 C.F.R. §§ 200.447(a) – (b). However, a CAA cannot use federal funds to pay for losses which could have been covered by permissible insurance. 2 C.F.R. § 200.447(c). CAAs should therefore ensure that they have the proper insurance coverage in case of a data incident.

This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.