Responding to Data Incidents: A Step-By-Step Guide for CAAs
Notify and Comply: Satisfy legal obligations triggered by the incident.
Working with local counsel, OnGuard learned that its state’s laws require disclosure to any state resident whose personal information (including Social Security numbers) was or was reasonably believed to have been acquired by an unauthorized person, and that causes or is reasonably believed to cause identity theft or other fraud to any state resident.
The Executive Committee of OnGuard’s board approved sending letters to the affected employees and clients informing them of the data incident involving their personal information. OnGuard sent about two thousand letters in total. The letters noted that if the individual discovers that their identity was stolen, they should notify law enforcement. The letters also included information on credit bureaus and recommended that individuals keep an eye on their credit reports. OnGuard’s state did not, however, require OnGuard to pay for credit reports for these individuals. If OnGuard failed to provide adequate notification, the state’s laws authorized the state Attorney General or a district attorney to impose a penalty or bring an action against OnGuard for a violation.
Broadly applicable state privacy laws, as well as industry-specific laws at the federal and state levels, largely inform a CAA’s legal obligations related to a data incident. Privacy protections vary by state, with certain states such as California having some of the most comprehensive laws in this area. Privacy laws in many states, though not all, exempt nonprofit organizations from compliance. A CAA should work with local counsel to navigate compliance with its state privacy laws.
A CAA must also consider what industry-specific laws may apply based on the type and nature of programs it operates. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Most CAAs are not covered by HIPAA, but the few that are must ensure compliance. A CAA should not assume it is covered by HIPAA just because it has health records. HIPAA only applies to “covered entities” and “business associates.” A CAA is a “covered entity” if it is a healthcare provider that transmits health information in electronic form with health plans in connection with certain standard transactions. A CAA is a “business associate” if it has a written business associate agreement with another HIPAA covered entity or business associate. CAAs covered by HIPAA typically run community health clinics. However, the HIPAA rules are complex, and a CAA that is unsure whether HIPAA applies to it should work with an employee benefits attorney with HIPAA compliance expertise.
State and industry-specific laws often obligate organizations that have experienced a data incident to notify those impacted by the incident, such as clients or employees, law enforcement, insurance carriers, and credit bureaus. The applicable law will detail what triggers this notice requirement and what information the notice must contain. The Federal Trade Commission (FTC), which enforces a variety of consumer protection laws and establishes baseline standards to protect consumer privacy, offers many helpful resources on data incidents, including, for example, a model letter for organizations to use when providing notice to individuals whose Social Security numbers have been stolen. State Attorney General’s Office websites may also provide online notification forms for organizations to disclose data incidents to the state. CAAs that fail to provide the required notification in response to a data incident may be subject to lawsuits by individuals compromised by the incident or by the state Attorney General enforcing applicable laws.
This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.