Responding to Data Incidents: A Step-By-Step Guide for CAAs
Remediate: Address vulnerabilities to prevent future incidents.
Following the incident, OnGuard activated MFA for all CAA staff upon each log-in to CAA accounts. OnGuard updated contracts with all vendors to include indemnification language and an addendum putting responsibility for data incidents on the contractor. OnGuard’s cyber liability policy was also updated to allow for subrogation, which permits its insurer to seek recovery from third-party vendors and contractors.
Once a CAA understands the details of the data incident and has fulfilled any related legal obligations, it should address the security gaps that left its data vulnerable to attack. As part of this process, a CAA should analyze whether to implement privacy measures such as encryption, updated passwords, or MFA moving forward. A CAA may also wish to update agency policies as needed, such as remote work policies, or may consider an update to its communication strategy for responding to future data incidents.
If a third-party consultant or vendor was targeted in the data incident the CAA may consider the following as part of its remediation, with the help of an attorney in its state.
1. Negotiate or re-negotiate contracts with vendors, including a review of some of the following key issues;
- Data ownership: The contract should clearly state that the CAA is the sole and exclusive owner of the data uploaded, transferred, or otherwise provided by the CAA.
- Data sharing and use rights: The contract should specifically cover the rights of the vendor to use, aggregate, manipulate, or share customer data for other purposes, and should state that the vendor will maintain the confidentiality of the CAA’s information and limit the vendor’s use of the information to that which is necessary to perform its obligations under the contract.
- Indemnification language: The vendor should agree to defend the CAA from claims or lawsuits by third parties that result from a breach of the vendor’s obligations.
- Compliance with privacy laws: The contract should require that the vendor comply with applicable privacy and data security laws and should also incorporate state law and federal funding source requirements on data privacy and security.
- Vendor representations and warranties: The vendor should promise that they have adequate security measures in place to protect the security and confidentiality of the CAA’s data.
- Notification: The vendor should be required to notify the CAA if a data incident takes place. For this purpose, it is crucial to consider what the definition of a data incident is under the contract which requires notification, and whether it is required for the vendor to reimburse the CAA for reasonable out-of-pocket expenses if the vendor is at fault for the incident.
- Insurance: The insurance carried by each party should be addressed, and the contract may require both parties to maintain cyber insurance.
- Subrogation: If a vendor’s actions contributed to or caused the vulnerabilities leading to the incident, insurers may cover the CAA’s expenses, but will reserve the right to subrogate. Subrogation means that the insurer will try to recover its loss by collecting that amount from the third-party that caused the insurance loss.
- CAPLAW’s resource, Is Your Head in the Cloud? Contemplating Cloud Computing for Community Action Agencies, includes additional information and concepts to consider when negotiating technology-related vendor contracts, especially those with cloud providers.
2. Set up a questionnaire for each vendor to establish areas of data vulnerability;
3. Monitor vendors for compliance with data security practices; and
4. Verify that vendors have remedied any identified vulnerabilities.
This resource is part of the Community Services Block Grant (CSBG) Legal Training and Technical Assistance (T/TA) Center. It was created by Community Action Program Legal Services, Inc. (CAPLAW) in the performance of the U.S. Department of Health and Human Services, Administration for Children and Families, Office of Community Services Cooperative Agreement – Award Number 90ET0505-01. Any opinion, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Health and Human Services, Administration for Children and Families.