4047: Data Breach Response

  1. Preparation - A data breach is an instance in which personal information as defined by state law or personally identifiable information as defined by federal law is released or accessed in an unauthorized manner. In order to ensure compliance with state and federal law, the following preparatory steps shall be taken in the event of a breach.
    1. Data Governance - The administrator, or designee, will create an annually updated data directory that will include:
      1. Computing devices purchased by the ESU,
      2. Software that is installed on ESU devices,
      3. Staff members with access to ESU devices,
      4. Staff members with active usernames and passwords for any ESU software.
    2. New Devices and Software - Any new software or device that is used in an ESU building for ESU purposes will be submitted to the administrator or designee for inclusion in the directory.
  2. Incident Response Plan
    1. Assessment and Investigation
      1. If the ESU becomes aware of a data breach it will make every reasonable effort to remedy the cause of the breach as soon as possible.
      2. The ESU will conduct a good faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose.
      3. This investigation will include, but not be limited to, an assessment of what software, hardware, and physical documents were accessed; which ESU personnel had access to the compromised data; and what specific data was compromised.
    2. Notification of Effected Individuals
      1. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the ESU shall give notice to the affected Nebraska resident.
      2. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
    3. Notification of Law Enforcement and Outside Organizations
      1. Should notice of the breach be required to any individual, notice of the breach will be simultaneously sent to the Nebraska Attorney General’s office.
      2. The Administrator will determine if the Family Policy Compliance Office will be notified of the breach.
      3. The Administrator will determine if the Privacy Technical Assistance Center will be notified of the breach.

Adopted on: February 12, 2019
Reviewed on: March 13, 2023