Data Breach Action Plan
A data breach incident reaches far beyond the individuals whose identities are stolen. The school or parish responsible for retaining the data may be held liable, with financial consequences as well as damage to the parish or school’s reputation. Because of the considerable exposures and risks of a data breach, it is vital that our parishes and schools have a response plan in place before an incident occurs.
What is a Data Breach?
A data breach generally refers to an organization’s unauthorized or unintentional exposure, disclosure or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers or financial information such as credit card numbers. Just this past January, the Associated Press reported that the computer networks of a California college had been infected with software viruses that illegally transmitted personal data from students and employees to locations overseas, affecting up to 100,000 students and 3,000 employees. Illegal software installed on college computers had recorded keystrokes and taken screenshots to capture user information, sending the data to China, Russia and other countries. School officials responded by notifying students and staff of the breach, removing the viruses from the school’s servers and computers, strengthening network security at the school, and advising students and staff to avoid online activities on campus computers that require passwords or personal information.
What To Do in the Event of a Data Breach
In the event that a data breach occurs, it is critical that the incident be addressed immediately. The response will be most effective if there is a plan in place before the incident occurs. For this reason, the Office of Risk Management (ORM) has identified a comprehensive emergency response team and has developed an action plan specifically designed for incidents of data breach. In partnership with Kroll Investigative Services, we can provide you with access to high-quality support services such as credit monitoring, credit repair, and counseling. The following is a summary of the data breach services now available to you through the ORM and Kroll Investigative Services:
- Access to Crisis Response Team
- Investigative Services
- Legal Support
- Credit Monitoring Services
- Credit Repair & Counseling Services
- Internal & External Communications Support
The Crisis Response Team consists of the following:
- ORM Claims Manager to oversee the investigation, coordinate the response team and manage the services and costs.
- Legal Counsel, including subrogation counsel to consider potential recovery from third parties.
- Communications Specialist to assist with immediate communication and parent/parishioner/staff notifications.
- Secretary for Communications to prepare and assist with media statements and, with Public Relations / Media Consultant, develop public relations strategy and ongoing media management.
- Security Consultant (when appropriate) to assess the security procedures and corrective actions, and to assist in the development of improved procedures and processes to mitigate the likelihood of another breach.
- Kroll Investigative Services to issue prepared information packages to each affected individual, with multi-lingual capability, credit monitoring services, and credit repair services and counseling for any individuals who are adversely impacted by the release. This service includes a multi-lingual call center.
If You Suspect a Breach
In the event you suspect a breach, whether of paper or electronic records, please take the following actions:
- Immediately discontinue operation of and/or access to the source of the breach.
- Immediately notify the appropriate authorities if criminal activity is suspected or the data was lost or misplaced offsite; e.g., a laptop containing sensitive information is stolen.
- Notify the Claims Manager of the Office of Risk Management, Kent Wilkins: Tel: 617-746-5743
- Notify corporate or general counsel.
- Identify a primary contact within the organization to serve as the first point of contact for all members of the Crisis Response Team.
- Have senior staff available at your school/parish to meet with the Crisis Response Team.
- Confirm the type of data compromised (Social Security numbers, names, etc.)
- To the extent possible, secure a listing of the contact information for all potentially affected parties.
- Identify and secure contact information for any individuals who were not affected but will need to receive communication to that effect, so that perceptions and expectations can be managed.
- Identify any possible responsible parties and obtain contact information and copies of relevant contracts or agreements.
- Document the process containing the data and/or the process that resulted in the breach.
Please remember: the Crisis Response Team and the associated services are provided at no cost to your school or parish. The Office of Risk Management is available should you have any questions or concerns regarding these services, or if you need assistance in implementing any of the above steps.