Security Incident Reporting Procedures

Step 1 Report Crime to local law enforcement, if required

In case of stolen items or criminally caused property damage, the reporting person immediately files a report with the appropriate local law enforcement agency.

Step 2 Complete Security Incident Report

Upon detection, the reporting person immediately calls the assigned CDA Program Analyst to report the potential security incident. Reporting incidents by voicemail or email is unacceptable; direct person-to-person communication is required.

Step 3 Receive incident determination from CDA Program Manager

Does the reported incident meet the criteria for reporting?

Yes

  • Complete and submit the Security Incident Report – Information Security Incident Report Part B (CDA 1025B, PDF file) to the CDA Program Manager via email and "cc" the assigned CDA Program Analyst
  • Provide additional information or clarification, if requested
  • Upon approval, implement corrective action plan (CAP)
  • Report completion of CAP via email to CDA Program Manager and "cc" assigned Program Analyst

No

Close the case, but the Contractor or their Subcontractor should consider completing a Corrective Action Plan and/or providing staff training to avoid a similar circumstance in the future.

Is the Incident a Breach?

Yes

  • Compile list of affected clients
  • Receive notification template from CDA Program Manager
  • Submit completed template to CDA Program Manager
  • Upon notification approval, send notifications to affected clients, to the extent possible, within ten business days from the date the CDA IRT determined the information was, or is reasonably believed to have been, acquired by an unauthorized person (per SIMM 5340-C), and in no case later than 60 calendar days after discovery of a breach (per SHIPM 2.4.1 IIIG2). Any decision to delay notification should be made by CDA’s Director or designee and should not exacerbate the risk of harm to any affected individuals (see California Civil Code Section 1798.29(a) and California Civil Code Section 1798.29(c) for examples of circumstances that may delay the ten-day timeframe)
  • Send copy of final, signed notification to CDA Program Manager
  • Close the case

No

Close the case

Step 4 Reporting person coordinates with CDA’s Incident Manager to prepare for follow-up inquiries from the public

  • Ensures a toll-free phone line is available and will be answered by trained staff
  • Ensures adequate staffing available to receive and handle inquiries
  • Creates instructions for staff on where to direct both public and media inquiries
  • Develops a complaint resolution and/or escalation process
  • Reporting person provides response to inquiries from individuals who have been notified of the loss or disclosure of their personal information and keeps CDA’s Program Manager aware of the response