Responding to Data Incidents: A Step-By-Step Guide for CAAs
Identify: Understand whether a data incident has occurred.
OnGuard CAA employees recognized discrepancies in their personal tax returns and reported this information to OnGuard’s Executive Director, who then mentioned this issue to OnGuard’s outside legal counsel. Counsel advised that the discrepancies may have been the result of a potential data incident, and recommended consulting with a forensic data company. The forensic data company very quickly identified the data incident, and informed OnGuard that staff and client data, including social security numbers, names, and dates of birth, had been implicated.
The earlier a CAA knows a data incident has occurred, the sooner it can act to contain it and minimize the damage. To quickly and properly identify a data incident, a CAA must understand what data is, and recognize the types of data of concern in the context of an incident.
Data is information used to make decisions, such as a CAA’s facts and numbers involving its programs, clients, or employees. Federal and state laws, including funding source regulations, outline what types of data a CAA is required by law to protect.
At the federal level, the rules that govern the administration and use of federal funds — Office of Management and Budget’s (OMB) Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards (Uniform Guidance) — apply to most, if not all, of the federal funding a CAA receives. With respect to data, the Uniform Guidance defines “personally identifiable information” (PII) and “protected personally identifiable information” (Protected PII). 2 C.F.R. § 200.1. PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information, including an individual’s name and address, since that information taken together can identify the individual. Protected PII more specifically means an individual’s first name or first initial and last name in combination with one or more types of information, including social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother’s maiden name, criminal, medical and financial records, and educational transcripts. A CAA will need to reference specific federal funding source statutes and regulations to determine its obligations to protect additional information not covered by the Uniform Guidance definitions. Like OnGuard, a CAA will also need to work with local counsel to identify if state laws expand the type of data that a CAA is obligated to protect.
A data incident is a security event that compromises the integrity or confidentiality of the data a CAA is legally required to protect. A data breach is a data incident that results in the exposure of sensitive or otherwise protected data to an unauthorized party. In this Guide we use the term “data incident”, however, keep in mind that not all data incidents will rise to the level of a data breach. Early identification of a data incident before actual exposure of protected data could prevent the CAA from experiencing an eventual data breach.
Maintaining internal controls is key to identifying data incidents as well as protecting data. The Uniform Guidance requires CAAs to establish and maintain effective internal control over federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. 2 C.F.R. § 200.303. Internal controls are processes designed and implemented to provide reasonable assurance regarding the achievement of objectives relating to effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations. 2 C.F.R. § 200.1. As part of the internal controls required under 2 C.F.R. § 200.303(e), CAAs must take reasonable measures to safeguard Protected PII and other sensitive information. The Uniform Guidance also directs CAAs to follow OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, which requires management to evaluate the effectiveness of internal controls annually.
A cyber risk assessment is one example of an internal control that can help a CAA identify the risk or the occurrence of a data incident. There are many frameworks for conducting a cyber risk assessment, with NIST Cybersecurity Framework being one of the most recognized. Such assessments are typically conducted at least every two years, and among other things, focus on identifying data incident indicators. Indicators are direct signs that an incident may have occurred or is occurring. While indicators vary based on the type of attack, common red flags include alerts from antivirus software, unusual login times, unexpected user account lockouts, unexplained heavy traffic in the network, a ransomware threat, and malfunctioning security software.
This identification step has occurred once a CAA becomes aware that data is exposed, such as having a cyber risk assessment raise a red flag or, like OnGuard, hearing about unusual tax or financial activity from staff. If alarm bells are ringing, a CAA should listen and determine the source of alarm, which may include following up on leads or reports from staff or hiring a data security consultant to look further into the concern.
This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.