Data Governance Toolkit: Data Breach Response

Data breaches are not the concern of just information technology (IT) staff; they are the concern of everyone who has access to and handles Part C or Part B 619 data. A data breach response policy establishes a set of procedures to be followed in the event of a data breach: how and when the breach should be reported to authorities; how and when to inform the public, especially those at risk because of the data breach; recommendations to the public to reduce the post-breach risk; sanctions the agency might consider; and strategies to minimize future risk of a breach. This section contains topical information, a packet with a considerations worksheet and a policy template, and an option to request technical assistance.

A data breach may take numerous forms, from inadvertent disclosure of personally identifiable information (PII) to intentional hacking. Even the physical loss of a laptop computer with PII through negligence or theft can constitute a breach. Regardless of the type or magnitude, the ultimate effect of a breach is the same: greater risk of malicious data use and reduced institutional confidence. Those whose PII is released risk having their information accessed and used for any number of nonauthorized and potentially negative purposes, including but not limited to identity theft, undesired solicitations, or discovery of residence location by persons or entities with adverse intentions.

Not only can a breach have significant negative effects on children and families, but it can also negatively affect program staff, program functions, and the state agency as a whole. Specifically, public awareness of a data breach can hamper subsequent efforts to collect and use Part C or Part B 619 data that are important to the agency’s goals and long-term positive results.

Of course, like insurance, the best data breach response policy is the one never used. Establishing and maintaining high levels of data security and data authorization reduces the risk of data breach. However, even with robust security policies and procedures, data are vulnerable to theft, loss, and unauthorized use. A data breach can happen at any time to data stored at any level. Therefore, an agency must have a data breach response policy regardless of whether data are stored internally, in the cloud, or with a third-party vendor.

Other federal noneducational requirements, including Medicaid and the Health Insurance Portability and Accountability Act (HIPAA), may also apply with respect to data security and data breaches. Additionally, almost every state has a data breach law that should be included in a data breach policy for Part C and Part B 619 programs.

Published February 2021.