||Any L&I staff
Make a Preliminary Assessment of the Incident
When and where did the security breach occur?
What devices or paperwork were lost, stolen or breached?
If devices were stolen, were they immediately reported to law enforcement?
What potential data might be involved?
Can the data be used for fraudulent or other purposes?
- An individual’s name
- Social Security number
- Credit Card information
- Financial data
- Driver’s license number
- State identification card number
- Health information
- Any other specific information that might identify an individual
Is there other information at risk?
How many individuals were affected by the security breach?
Notify Appropriate People within the Commonwealth
Make the following Executive Offices’ contacts:
Make the following internal contacts:
- Governor’s office
- OA/OIT’s Chief Information Security Officer (CISO) can be reached at 1-877-552-7478 or via e-mail to
- Office of General Counsel (OCC) (Note: Deputy Chief of Staff, is the point of contact from the Governor’s office.)
- Deputy Secretary responsible for the business area
- Deputy Secretary of Administration
- Chief Information Officer (CIO)
- Agency CISO
- Communications and Press Office (CPO)
- Agency OCC
Further Evaluate the Scope of the Incident
- Does there appear to be evidence of suspicious behavior or negligence by an employee?
- Was there criminal intent by an employee? If so, does the Office of Inspector General need to conduct interviews?
- Has the agency completed the IT security incident form?
- Does a backup of the system/data exist?
- Is there a similar functioning device that can be analyzed to help determine the risk?
- Does the agency’s human resource department need to be involved?
- If there was physical damage to a building, should the agency hire security guards?
- Do the access codes for the building need to be updated?
- Were users’ ID and passwords disabled that might have been associated with the stolen or lost devices?
- Should the agency’s employees be briefed on the situation?
- Has a key person within the agency been identified to monitor the progress and communicate the actions to the appropriate people identified in Step 2 of this checklist?
Determine Need to Notify Public
- Do commonwealth employees need to be informed of the incident?
- Should the public be notified of the incident? If so, consider the following:
- Develop talking points
- Key Message
- Next steps
- Press Release
- Press Conference
- Contact other states
- Any national associations that could assist in communicating the information to the public
- If law enforcement was involved, did the agency consult with them to determine the timing of what and when details of the security breach could be released to the public?
- Has an individual been designated as the contact person for releasing information?
- Have the communication messages to employees, legislators, and the public regarding the security breach been coordinated?
- When does the agency need to notify affected citizens?
Communication to the Public
- How are affected individuals going to be notified of the potential identity theft?
- Has a notification letter been prepared announcing the incident to the affected individuals?
- Should a fact sheet be provided to the individuals and legislators with the following key elements?
- Outline the incident
- Explain the actions currently being taken by the agency
- Include the contact information (e.g., the toll free number and website)
- Any other pertinent information
- Does a toll free number need to be established to address questions from the individuals?
- Does a call center need to be established to handle the calls?
- Should questions and answers be developed and shared with the individual?
- Would a website be beneficial to share information with the individual on the incident and next steps?
- What types of services need to be purchased for affected individuals in order to mitigate the data breach?
- Does a contract need to be setup with one of the credit bureaus to provide free credit monitoring for affected individuals?
- How often should the credit bureau track statistics and report any identity thefts to your agency?
- If a contract is established with one of the credit bureaus, how will the information be communicated to the individuals?
- Does a reminder letter on the credit services need to be sent to the citizens?
- When the credit bureau is unable to locate a credit file for an individual, should a notification be sent?
Analyze Need to Address Data Security Weaknesses
- Did the agency have full disk encryption on the hardware devices?
- Was the security software up-to-date?
- Did the agency employ other local security measures outside of encryption (i.e., password protected files, multiple factor authentication, etc.)?
- Did the agency have security procedures in place? If so, were the procedures followed? If not, do procedures need to be implemented?
- Does the agency need to conduct a security assessment?
- Should this type of sensitive data be stored in the current location?
- Does the access to the data need to be restricted?
- Was the data being saved to the network and not to the local hard drives?
- If the data should be stored in that particular location, is there a way to truncate the information?
- If the agency has field offices with similar security, should the alarms be tested?
- Does the agency need to conduct a risk analysis and security threat assessment if items were stolen from the building?