Below is a guideline to use when your organization is informed of a data breach or investigating a security incident. Please confer with your own legal counsel for specifics for your organization.
Proactive Measures
- Be familiar with your incident response plan (IRP) and business continuity plan.
- Implement a data retention and deletion policy and process to eliminate as much risk as possible and update that plan annually.
- Follow cybersecurity best practices including risk management and training.
- Document the personally identifiable information (PII) you are collecting.
- Meet with each department to review the data they process.
- What data are your APIs sharing and how?
- Review your processes for handling PII.
- Implement MFA.
- Apply least privilege access permissions.
- Ensure you have data privacy language or a data privacy agreement (DPA) in place with every third party with which your organization shares PII; the agreement should state the duties of the provider and the duties of the district in the event of a data breach.
- Contact your cybersecurity insurance company and ask if they want organizations to provide a “notice of circumstances” before the organization receives any official confirmation of a data breach.
- Review Missouri Laws:
- Train staff on how a data breach is defined by law.
- Create a district policy on what you will share as far as transparency, even if laws don’t require notification. What is in the best interest of the district?
- Create templates for letters to notify parents, students and required entities (e.g., state, DESE, Attorney General, etc.).
- When third parties send breach notices, know who they will go to in your organization. What if that person is out of the office?
- If your organization receives a notice, who needs to be notified?
If your organization or a third party was the cause of the breach
- Confirm the event was a data breach.
- If the event happened internally, review the definition of a data breach per state law and DPA.
- If a third-party data breach is suspected, wait until you receive “official” confirmation from the vendor or reliable source before stating there was a breach. Conducting independent searches to confirm suspicion has resulted in inaccurate information.
- Follow your incident response plan (IRP).
- Determine the impact.
- Continuously monitor PII and other sensitive data for leakage and loss.
- Consult your legal counsel and cybersecurity insurance.
- Documentation to review:
- Federal and state laws and duty to notify.
- Terms of service agreement/Indemnity section.
- Data privacy agreement.
- Inform staff of potential increased phishing attacks relating to the resource impacted.
- Follow legal counsel’s guidance on family/staff notification, reporting, DPA obligations and legal action.
- Document the time spent responding and mitigating, the number of emails from the public requesting information, the number of people impacted and how they were impacted, etc. Document and organize all emails concerning the incident.
- Research the scenario and define a process to prevent it from recurring, as far as you can. Being able to show due diligence goes a long way toward protecting your organization.
Frequently Asked Questions
*Please refer to your own legal counsel on the specifics for your organization.
- An organization uses a third-party platform that integrates with a resource that had a data breach; who has the notification responsibility?
- The third party has the obligation to notify the organization.
- If an organization needs to notify former students who live in another state, is the organization responsible for understanding and following the reporting laws of the other state?
- Please consult with your legal counsel.
- If an organization had a data privacy agreement with the third party that had the breach but no longer utilizes the service, will it be notified?
- If the breach includes data from your organization, the third party should notify you.
- If an organization has received notification from the third party that they were affected and the detailed information will be forthcoming, do they have an obligation to notify at that time?
- Typically, until the organization receives confirmation of specific data breached, the decision to notify is up to the organization and legal counsel. Consider the implications of transparency and trust with your community.
If you are interested in a template for your Incident Response Plan, please email security@more.net.
