Data breaches are not the concern of just information technology staff; they are the concern of everyone who has access to and handles Part C/Part B 619 data. A data breach may take numerous forms, from inadvertent disclosure of personally identifiable information (PII) to intentional hacking. Even the physical loss of a laptop computer with PII through negligence or theft can constitute a breach. Regardless of the type or magnitude, the ultimate effect of a breach is the same: greater risk of malicious data use and reduced institutional confidence. Those whose PII is released risk having their information accessed and used for any number of nonauthorized and potentially negative purposes including but not limited to identify theft, undesired solicitations, or residence location found by those with adverse intentions. Not only can a breach have significant negative effects on children and families, it can also negatively affect program staff, program functions and the state agency as a whole. Specifically, public awareness of a data breach can hamper subsequent efforts to collect and use Part C/Part B 619 data that are important to the agency’s goals and long-term positive results.
Of course, like insurance, the best data breach response policy is the one never used. Establishing and maintaining high levels of data security and data authorization reduce the risk of data breach. However, even with robust security policies and procedures, data are vulnerable to theft, loss, and unauthorized use. A data breach can happen at any time to data stored at any level. Therefore, an agency must have a data breach response policy regardless of whether data are stored internally, in the cloud, or with a third-party vendor.
A data breach response policy establishes a set of procedures to be followed in the event of a data breach: how and when the breach should be reported to authorities, how and when to inform the public—specifically those at risk because of the data breach, recommendations to the public to reduce the post-breach risk, sanctions the agency might consider if warranted, and strategies to minimize future risk of a breach.
Other federal non-educational requirements, including Medicaid and the Health Insurance Portability and Accountability Act (HIPAA), may also apply with respect to data security and data breaches. Additionally, almost every state has a data breach law that should be included in a data breach policy for Part C/Part B 619 programs.
Part C and Part B 619 programs do not operate independently of the state agency in which they are housed. Thus, the structure of any data governance already within an agency is of particular importance. Before developing a data breach response policy, Part C and Part B 619 programs should review any policies regarding data breaches developed by the agency in which their program resides. Existing policies might need to be updated with specific references or provisions related to Part C or Part B 619, in which case the considerations and the template below may be helpful in proposing language.
Where no policy on data breach response exists or a separate policy related to Part C or Part B 619 is needed, the template following the Considerations section is fully editable and prepopulated with language to expedite writing new data breach response policies.
Use the questions below to discuss, consider, and develop a comprehensive data breach response policy. Where appropriate, procedures and operational manuals that detail specific actions supporting implementation of this policy should be created. (See the PTAC Data Breach Response Checklist.) In developing the policy, it is important to consider responses proportional to the different types and magnitudes of data breaches. For example, if in the course of a workday a person without training and authorization viewed a computer screen with PII. A measured course of action could be to talk to the agency staff member who did not follow policy regarding locking the computer screen when away from his/her desk. A disproportional response might be to contact the individuals whose PII was exposed.
A data breach response policy need not address all the questions below to be effective. However, considering each question will help ensure that states/programs draft a comprehensive policy with detailed procedures. The policy should be updated or amended at a later date as additional breach scenarios or risks surface.
1. Data Breach Response Policy: Scope
- How does this policy align with any existing state policy and/or broader state agency data breach response policies?
- What Part C/619 data are included and excluded by this data breach response policy?
- What constitutes an unauthorized release or access of personally identifiable information (PII) (e.g., unauthorized copying of data, system hacking, unauthorized data viewing, loss of flash drive or laptop with data)?
- Who must adhere to the data breach response policy (e.g., staff, participating agencies, vendors, contractors)?
- Are there binding clauses in contracts with vendors regarding data breach responsibilities?
- What data breach training exists for agency staff?
2. Data Breach Response Policy: Responsibility
- Who (what role) is responsible for informing Part C/619 staff and ensuring their compliance with the data breach response policy?
- If a Part C/Part B 619 data breach is suspected, who (what role) is responsible for investigating and confirming it?
- What team or individuals are responsible for authorizing and carrying out the actions of the data breach response?
- What monitoring/tracking will occur to ensure policy compliance? What monitoring documentation is needed?
3. Data Breach Response Policy: Data Breach Immediate Actions
- Who (what role) reports a Part C/619 data breach to administration?
- When shall a data breach be reported internally?
- Under what circumstances shall a data breach be reported to individuals potentially at risk?
- Under what circumstances shall a data breach be publicly reported?
- How should a data breach be reported to those at risk? To the public?
- When will individuals and/or public be notified?
- Who (what role) will notify individuals and/or public about the data breach?
4. Data Breach Response Policy: Post Breach Actions
- Under what circumstances will sanctions/consequences be levied on those responsible for the Part C/Part B 619 data breach?
- What procedures will be taken to prevent similar data breaches in the future (e.g., investigation, process review, training, security measures)?
- What are the projected timeline and process for implementing these response procedures?
When analyzing the privacy and confidentiality requirements for children with disabilities, it is critical to begin by examining the IDEA requirements first. If you or members of your staff have questions, please contact your State Lead in OSERS Office of Special Education Program’s (OSEP) Monitoring and State Improvement Planning Division.