Sample Data Breach Policy & Procedure

Note: Please review your contracts for specific requirements. This sample policy and procedure was adapted from the Washington Coalition of Sexual Assault Programs and is intended to serve as an example. It can be altered to meet the unique requirements of your organization’s work.

Sample data breach policy

All services provided by this Program are confidential. The Program recognizes the very personal and private nature of the information that may be shared by those dealing with the trauma of domestic and sexual violence. The Program is committed to honoring the choices of survivors and to providing services in a manner that facilitates client empowerment. The Program will take all necessary steps under this policy and Washington and federal law to preserve the privacy rights of those who receive its services, unless expressly authorized by the client to do otherwise.

Records kept for the purpose of providing advocacy to survivors will contain minimal information specifically designed to provide continuity of services and supportive assistance. Information is only documented to the extent necessary to provide services.

Data Breach: Unauthorized access to, unauthorized acquisition of, or accidental release of personally identifiable information (PII) that compromises the security, confidentiality, or integrity of that information constitutes a data breach.

  • A reasonable attempt shall be made to notify clients whose PII has been compromised or released without authorization.
  • The Executive Director or designee will notify the Office of Crime Victims Advocacy (OCVA) within 24 hours of identification of the data breach.
  • Concurrent with the actions outlined above, steps shall be taken to restore data, reinforce security, and return all systems to full operation as soon as possible.

Sample data breach procedure

Unauthorized access to, unauthorized acquisition of, or accidental release of personally identifiable information (PII) that compromises the security, confidentiality, or integrity of that information constitutes a data breach.

Identification of a Data Breach
The Executive Director will be notified upon identification of an actual or suspected breach of data. Notification shall occur as soon as possible and not more than 24 hours following the discovery of a data breach. The program will then notify affected parties as described below.

Notification of a Data Breach
A reasonable attempt shall be made to notify clients whose PII has been compromised or released without authorization. A program staff person, in coordination with the director, will attempt to notify the survivor that their PII has been disclosed.

  • The program staff should discuss with the survivor what information or records were breached, explain the program policy and procedure, engage in safety planning as appropriate, and provide any additional information about [insert organization name]’s plan to address the breach and to contain any further breach or exposure of the survivor’s information.

The Executive Director or designee will notify the Office of Crime Victims Advocacy (OCVA) within 24 hours of identification of the data breach.

  • The notification will not disclose the actual PII to OCVA, but it shall describe the extent of the data breach (for example: one survivor’s PII accidentally released, or a breach of the database holding the agency’s entire client records).

Concurrent with the actions outlined above, steps shall be taken to restore data, reinforce security, and return all systems to full operation as soon as possible. The Executive Director or designee will investigate the cause of the data breach and notify OCVA once it has been remediated.

  • This may involve working with an IT person to install malware-blocking software, replacing equipment, or changing the locks on an office or file cabinet.
  • In the event the breach involves paper copies of documents, immediate steps shall be taken to recover and secure all remaining documents.