
Determining Whether There is a Data Breach Checklist

Breaches are becoming more common because organizations collect and store large amounts of data. But how do you know whether a breach occurred? What type of information is important, and what actually constitutes a breach? This checklist provides an overview of what to look for and how to assess whether a breach occurred. Remember, you should always conduct a debriefing whenever you think a breach occurred.

  • Describe the incident and the nature of the confidential information that was potentially compromised.

  • Determine whether the information was secured* (was the information encrypted or otherwise unusable, unreadable, or indecipherable to an unauthorized individual?).

    Note: Secured means encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard, or otherwise modified so that the Personal Information (PI) is rendered unusable, unreadable, or undecipherable by an unauthorized person. If you do not know whether the information was secured to NIST standards, contact your Administration’s IT Security Administrator.

  • Determine whether the information is personal information.

    Note: PI means an individual’s first name or first initial and last name in combination with any one or more of the following: Social Security number; driver’s license number or Washington identification card number; or full account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual’s financial account.

  • Determine to whom the disclosure of PI was made (i.e., to an authorized person, an unauthorized person, etc.) and whether that person would not reasonably be able to retain the information.

  • Determine whether the acquisition, access, or use of the PI meets any or all of the factors below:

    1. By an employee or contractor to an employee or contractor;
    2. Unintentional;
    3. Made in good faith and within the scope of authority; AND
    4. With no further unauthorized use or disclosure.

  • Determine whether the disclosure of the PI was (check all that apply):

    1. Inadvertent;
    2. By an employee or contractor who is authorized to access PI;
    3. To another employee or contractor authorized to access PI; AND
    4. With no further unauthorized use or disclosure.
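The checklist above is a decision procedure, so it can be recorded as one. The following worksheet is an added example and not a tool of the Office of Privacy and Data Protection: it applies the checklist's PI definition to the data elements exposed in an incident, records whether each item (secured, PI, recipient, and the two four-factor tests) is met, and uses a triage rule of its own (labelled as such) to decide which incidents a reviewer should escalate. The `Incident` fields, the element tags, and the three sample incidents are all constructed for the illustration; the legal determination itself stays with the reviewer.

```python
"""Worksheet that records the findings of the breach-determination checklist
for one incident. Added illustration, not the Office's own tool: it reports
which checklist items are met and leaves the determination to the reviewer.
Field names, element tags and sample incidents are constructed for the example."""

from dataclasses import dataclass, field


@dataclass
class Incident:
    description: str
    # Was the information secured (encrypted to the NIST standard or otherwise
    # unusable, unreadable, or undecipherable to an unauthorized person)?
    secured: bool
    # Constructed tags for the kinds of data elements that were exposed.
    elements: set = field(default_factory=set)
    # To whom was it disclosed, and could that person reasonably retain it?
    recipient_authorized: bool = False
    recipient_could_retain: bool = True
    # Four factors for the acquisition, access or use of the PI.
    between_employees_or_contractors: bool = False
    unintentional: bool = False
    good_faith_within_authority: bool = False
    no_further_unauthorized_use: bool = False
    # Four factors for the disclosure of the PI (the fourth is the field above).
    inadvertent: bool = False
    by_authorized_employee: bool = False
    to_authorized_employee: bool = False


# Data elements named in the checklist's PI definition (constructed tag names).
IDENTIFIERS = {"ssn", "drivers_license", "wa_id_card"}
FINANCIAL = {"full_account_number", "credit_card_number", "debit_card_number",
             "security_code", "access_code", "password"}


def is_personal_information(elements):
    """PI = first name (or first initial) + last name, in combination with
    at least one of the listed identifiers or financial-account elements."""
    has_name = "last_name" in elements and (
        "first_name" in elements or "first_initial" in elements)
    return has_name and bool(elements & (IDENTIFIERS | FINANCIAL))


def assess(incident):
    """Walk the checklist and return each finding as a boolean."""
    acquisition_factors = all([
        incident.between_employees_or_contractors,
        incident.unintentional,
        incident.good_faith_within_authority,
        incident.no_further_unauthorized_use,
    ])
    disclosure_factors = all([
        incident.inadvertent,
        incident.by_authorized_employee,
        incident.to_authorized_employee,
        incident.no_further_unauthorized_use,
    ])
    return {
        "secured": incident.secured,
        "personal_information": is_personal_information(incident.elements),
        "recipient_unauthorized": not incident.recipient_authorized,
        "recipient_could_retain": incident.recipient_could_retain,
        "all_acquisition_factors_met": acquisition_factors,
        "all_disclosure_factors_met": disclosure_factors,
    }


def needs_full_review(incident):
    """Triage rule of this example (not from the checklist): escalate when
    unsecured PI reached someone who could retain it and neither set of four
    factors is fully met. Every incident is still debriefed and documented."""
    f = assess(incident)
    mitigated = (f["secured"] or not f["personal_information"]
                 or not f["recipient_could_retain"]
                 or f["all_acquisition_factors_met"]
                 or f["all_disclosure_factors_met"])
    return not mitigated


# Constructed sample incidents.
ENCRYPTED_LAPTOP = Incident(
    "Laptop with full-disk encryption lost in transit", secured=True,
    elements={"first_name", "last_name", "ssn"})
MISDIRECTED_EMAIL = Incident(
    "Spreadsheet of names and SSNs emailed to an outside address", secured=False,
    elements={"first_name", "last_name", "ssn"})
INTERNAL_MISFILE = Incident(
    "Case file saved to a colleague's folder; colleague is authorized for PI",
    secured=False, elements={"first_initial", "last_name", "drivers_license"},
    recipient_authorized=True, inadvertent=True, by_authorized_employee=True,
    to_authorized_employee=True, no_further_unauthorized_use=True)

if __name__ == "__main__":
    for inc in (ENCRYPTED_LAPTOP, MISDIRECTED_EMAIL, INTERNAL_MISFILE):
        action = "escalate for review" if needs_full_review(inc) else "document findings"
        print(f"{inc.description}: {action}\n  {assess(inc)}")
```

The worksheet deliberately returns every finding rather than a single yes/no, because the checklist asks the reviewer to establish each item (and the debriefing) regardless of outcome; the escalation flag only orders the queue.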
