Responding to Data Incidents: A Step-By-Step Guide for CAAs
Mobilize: Assemble an incident response team.
OnGuard assembled an internal team including the Executive Director, IT Director, Executive Committee of the Board, and the outsourced CFO whose systems were compromised. This team, at the direction of the Executive Committee, led OnGuard staff and took actions with respect to the data incident. OnGuard also brought in external experts, such as legal counsel and forensic data specialists, to join the incident response team. OnGuard spoke with its insurance provider about the incident and learned that it would not cover the forensic data specialist team under its policy. Nevertheless, OnGuard felt that the forensic data specialists were well worth the expense as they were able to quickly identify the source of the data incident and help OnGuard better understand the specifics of the incident, which informed the CAA’s obligations following the incident.
Building an incident response team is a critical step in the response process, as this team will work collaboratively to determine the most effective and efficient way to address the data incident. A data incident response team typically includes a CAA’s:
- Executive Director;
- IT Director, or staff familiar with the CAA’s technology and systems;
- Fiscal staff member;
- HR Director, or staff familiar with the CAA’s operations and communications;
- In-house or outside legal counsel knowledgeable about applicable state laws, to help the CAA understand and satisfy its legal obligations;
- Forensic data company to help a CAA investigate the data incident by collecting data from IT systems, analyzing evidence, and preventing further damage by outlining steps to remediation;
- Insurance provider, if any expenses involved in the incident are covered by insurance, in which case the insurer may dictate certain aspects of the data incident response; and
- Any other individuals necessary depending on the type of information implicated (for example, if Head Start data is implicated, involve the Head Start Director).
Including legal counsel in the incident response team is critical to ensure compliance with applicable laws after the data incident. In general, the costs of professional and consultant services, such as the costs of obtaining legal counsel and forensic data specialists, may be paid for with federal funds subject to certain factors such as the need, scope and nature of the services. The costs of such services must also be reasonable and not contingent upon recovery from the federal government. 2 C.F.R. § 200.459. The allowability of federal funds to pay for certain legal services, however, is limited under 2 C.F.R. § 200.435 and discussed further in this Guide under Step 8: Assess Financials. Documented procurement procedures consistent with state and local laws and regulations as well as the Uniform Guidance should be followed when engaging outside professionals. 2 C.F.R. §§ 200.317 – 200.327. Further information regarding how to pay for an attorney is available in the CAPLAW resource, Working with Attorneys.
Upon identifying a data incident, a CAA should notify its insurance carrier as soon as possible regardless of whether the CAA has a cyber-specific insurance policy, as there is a possibility that another insurance policy may cover some of the costs of the incident response. Targeted cyber insurance, however, is often crucial to cover such incidents because general insurance policies often exclude data breaches and cyber events from coverage. Even where a CAA has cyber insurance, it is important to meet any notification requirements and follow all steps required by the policy to receive the benefit of that insurance. For example, some cyber insurance policies require the policyholder to implement multi-factor authentication (MFA) for the policy to cover the costs of a data incident. The insurance provider may also dictate certain aspects of the data incident response, such as requiring the CAA to use the insurer’s legal counsel. Keep in mind, however, that if the interests of the CAA and the insurer conflict, the CAA may consider retaining its own counsel.
The costs of insurance that is required or approved and maintained pursuant to a federal award are allowable under the Uniform Guidance and may be covered with federal funds. 2 C.F.R. § 200.447(a). Costs of other insurance in connection with the general conduct of activities at the CAA, such as cybersecurity insurance, are also allowable subject to certain limitations, including that the coverage must be in accordance with the CAA’s policy and sound business practice. 2 C.F.R. § 200.447(b). Costs incurred as a result of losses not covered under nominal deductible insurance coverage may be paid for with federal funds, provided they are in keeping with sound management practice. 2 C.F.R. § 200.447(c). It is important that a CAA maintains insurance coverage that is viewed as standard in its industry, because if the CAA experiences losses which could have been covered by permissible insurance, and the CAA failed to obtain that insurance, such losses may not be paid for with federal funds. 2 C.F.R. § 200.447(c).
This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.