Information Security and Privacy

  • Security Incident Reporting Procedures

    If you believe you have experienced a security incident, as the reporting person you must complete the steps below. However, reporting a security incident to CDA does not relieve CDA Contractors and their Subcontractors from other required reporting obligations (e.g., reporting to local law enforcement, other State or Federal agencies, etc.). Contractors and their Subcontractors must consult their own internal policies and procedures to ensure all security incident reporting requirements are met.

    A security incident is defined as an occurrence involving a CDA authorized user that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.

    Examples of security incidents include, but are not limited to:

    • Stolen items such as a laptop, thumb drives, or a backpack containing work-related files
    • Faxing client’s information to an unintended recipient

    Security Incident Report Part A (CDA 1025a) (PDF)

    Security Incident Report Part B (CDA 1025b) (PDF)

    • Step 1) Report Crime to local law enforcement, if required:

      • In case of stolen items or criminally caused property damage, the reporting person files a report immediately with the appropriate local law enforcement agency
    • Step 2) Complete Security Incident Report – Part A (CDA 1025a):

      • Upon detection, the reporting person immediately calls the assigned CDA Program Analyst to report the potential security incident; reporting incidents by voicemail or email is unacceptable; direct person-to-person communication is required
    • Step 3) Receive incident determination from CDA Program Manager:

      • Does the reported incident meet the criteria for reporting?
        • No: close case but Contractor or their Subcontractor should consider completing a Corrective Action Plan and/or providing staff training to avoid a similar circumstance in the future
        • Yes:
          • Complete and submit Security Incident Report – Part B (CDA 1025b) to CDA Program Manager via email and “cc” assigned CDA Program Analyst
          • Provide additional information or clarification, if requested
          • Upon approval, implement corrective action plan (CAP)
          • Report completion of CAP via email to CDA Program Manager and “cc” assigned Program Analyst
      • Is incident a breach?
        • No: close case
        • Yes:
          • Compile list of affected clients
          • Receive notification template from CDA Program Manager
          • Submit completed template to CDA Program Manager
          • Upon notification approval, send notifications to affected clients to the extent possible, within ten business days from the date the CDA IRT determined the information was, or is reasonably believed to have been, acquired by an unauthorized person per SIMM 5340-C and in no case, later than 60 calendar days after discovery of a breach, per SHIPM 2.4.1 IIIG2. Any decision to delay notification should be made by CDA’s Director or designee and should not exacerbate the risk of harm to any affected individuals (see California Civil Code Section 1798.29(a) and California Civil Code Section 1798.29(c) for examples of circumstances that may delay the ten-day timeframe)
          • Send copy of final, signed notification to CDA Program Manager
          • Close case
    • Step 4) Reporting person coordinates with CDA’s Incident Manager to prepare for follow-up inquiries from the public:

      • Ensures a toll-free phone line is available and will be answered by trained staff
      • Ensures adequate staffing available to receive and handle inquiries
      • Creates instructions for staff on where to direct both public and media inquiries
      • Develops a complaint resolution and/or escalation process
      • Reporting person provides response to inquiries from individuals who have been notified of the loss or disclosures of their personal information and keeps CDA’s Program Manager aware of the response
  • Definitions

    Authorized User: CDA Contractor and its Subcontractors/Vendors or other business associates performing work for CDA on or off CDA’s work site.

    Breach: Unauthorized access, acquisition, use or disclosure of hardcopy or electronic data that compromises the security, confidentiality, or integrity of personal information (PI) maintained by CDA’s authorized users.

    CDA Incident Response Team (IRT): Consists of the following CDA employees who are responsible for responding to an incident and a breach of PI or protected health information in the most expeditious and efficient manner possible:

    • Program Manager of the program or office experiencing the incident or breach
    • Incident Manager
    • Office of Legal Services
    • Privacy Officer
    • Public Information/Communications Officer
    • Information Security Officer (ISO)/Escalation Manager
    • Chief Deputy Director
    • Division Deputy Director

    Incident Manager: Member of CDA’s IRT who is responsible for managing a particular security incident.

    Personal Information (PI): Information maintained, collected, accessed, or stored by CDA or its authorized user which identifies or describes an individual. PI includes but is not limited to:

    • Name
    • Social Security Number
    • Home Address
    • Home Phone number
    • Driver's License number
    • Medical history
    • Statements made by, or attributed to, an individual

    Protected Health Information (PHI): Information maintained, collected, accessed, or stored by CDA or its authorized users which includes individually identifiable health information that is maintained or transmitted electronically or by any other form or medium.

    PHI includes but is not limited to:

    • Name
    • Social Security Number
    • Home Address
    • Home Phone number
    • Birth date
    • Driver's License number
    • Medical number
    • Medical history

    Reporting Person: A CDA authorized user who has first-hand knowledge of a security incident and completes a Security Incident Report (CDA 1025) and any other applicable reporting requirements.

    Security Incident: An occurrence involving a CDA authorized user that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.
