I
TRIO
Roots of
Progress
Onward
through
Progress
Life can be full of unexpected moments. Identify a time when you experien ced an unexpected moment.
Write an essay about a time when you experienced an unexpected moment. Explain why the moment was
unexpected and how it affected your life. Be sure to explain your choice by using details and examples.
Many students enjoy doing something special for their family and friends. For example they may
take car offer sibling or help clean the basement.
Write an essay that describes something special that you would like to do for your family or
friends. Explain why this would be something special and how your family or friends might react.
Be sure to include details and facts to support your explanation.
"A journey of a thousand miles begins with a single step." - Confucius
Write an essay explaining what this quotation means to you. Use details and examples in your
essay.
"The greatest barrier to success is the fear of failure." - Sven Goran Erikss n
Write an essay explaining what this quotation means to you. Use details and examples in your
essay.
"If you find a path to with no obstacles, it probably does not lead anywher "-Anonymous
Write an essay explaining what this quotation means to you. Use details and examples in your
essay.
U.S. Department of Justice
Instruction 0900.00.01
ACTION LOG
All DOJ directives are reviewed, at minimum, every five years and revisions are made as
necessary. The action log records dates of approval, recertification, and cancellation, as well as
major and minor revisions to this directive. A brief summary of all revisions will be noted. In
the event this directive is cancelled, superseded, or supersedes another directive, that will also be
noted in the action log.
Action
Initial Approval
Authorized by
Luke J.
McCormack
Date
8/6/2013
2
Summary
Summary of Action
U.S. Department of Justice
Instruction 0900.00.01
TABLE OF CONTENTS
ACTION LOG ................................................................................................................................ 2
GLOSSARY OF TERMS ............................................................................................................... 4
I. Background ............................................................................................................................... 7
II. DOJ Core Management Team .................................................................................................. 8
III. Incident Detection and Reporting ............................................................................................. 9
A. Requirement for Reporting .................................................................................................. 9
B. Incident Record .................................................................................................................. 10
C. Initial Assessment .............................................................................................................. 10
D. Criminal Investigation........................................................................................................ 11
E. Incident Notification ........................................................................................................... 11
IV. Internal Notification Process .................................................................................................. 11
A. Requirement for Initial Notification .................................................................................. 11
B. Contents of the Notification ............................................................................................... 11
V. Risk Assessment ..................................................................................................................... 11
A. Incident Analysis................................................................................................................ 11
B. Summary of Facts with Recommendations ........................................................................ 12
C. AAG/A Notification and Meeting Determination .............................................................. 12
D. Other Meeting Determination ............................................................................................ 12
VI. Incident Handling and Response ............................................................................................ 12
A. Course of Action ................................................................................................................ 12
B. Risk Mitigation................................................................................................................... 12
VII. External Breach Notification ................................................................................................. 15
A. Whether Breach Notification is Required .......................................................................... 15
B. Timeliness of the Notification ............................................................................................ 17
C. Source of the Notification .................................................................................................. 17
D. Contents of the Notification ............................................................................................... 18
E. Means of Providing Notification ........................................................................................ 18
F. Who Receives Notification: Public Outreach in Response to a Breach ............................. 20
Appendix A, Sample Written Notifications .................................................................................. 22
Appendix B, General Guidance for the Establishment of a Call Center in the Event of a
Significant Data Breach .......................................................................................................... 24
Appendix C, References ............................................................................................................... 28
3
U.S. Department of Justice
Instruction 0900.00.01
GLOSSARY OF TERMS
Term
Breach
Definition
T
b ac
c
c
,c
,
unauthorized disclosure, unauthorized acquisition, unauthorized
access, or any similar term referring to situations where persons other
than authorized users and for an other than authorized purpose have
access or potential access to information, whether physical or
electronic.
It includes both intrusions (from outside the organization) and misuse
(from within the organization).
Classified National
Security Information
Ca
a
a c
a
ca
a
NSI a
a
a a b
pursuant to Executive Order 13526, Classified National Security
I
a
,
a
c
cc
,
protection against unauthorized disclosure and is required to be
marked to indicate its classified status when in documentary form.
Company or business Identifying information about a company or other business entity that
could be used to commit or facilitate the commission of fraud,
identifiable
deceptive practices or other crimes (for example, bank account
information
information, trade secrets, confidential or proprietary business
information).
Component
An Office, Board, Division, or Bureau of the Department of Justice as
defined in 28 C.F.R. Part 0 Subpart A, Paragraph 0.1.
Cybersecurity
incident
Actions taken through the use of computer networks that result in an
actual or potentially adverse effect on an information system and/or
the information residing therein.
Harm
For the purposes of this document, harm means any adverse effects
that would be experienced by an individual or organization (e.g., that
may be socially, physically, or financially damaging) whose
information was breached, as well as any adverse effects experienced
by the organization that maintains the information.
Identity Theft
T ac
ba
a
a
a
without authorization in an attempt to commit or facilitate the
commission of fraud or other crimes. The resulting crimes usually
occur in one of the following ways. Identity thieves may attempt to:
x Gain unauthorized access to existing bank, investment, or
credit accounts using information associated with the person
x Withdraw or borrow money from existing accounts or charge
purchases to the accounts
x O
acc
a
ab
a
a
4
U.S. Department of Justice
Instruction 0900.00.01
Term
Definition
x Ob a
c
, ca c
ca , a
,
other identification documents using the stolen identity
Incident
An occurrence that actually or potentially jeopardizes the
confidentiality, integrity, or availability of an information system or
the information the system processes, stores, or transmits or that
constitutes a violation or imminent threat of violation of security
policies, security procedures, acceptable use policies or standard
computer security practices.
National Security
System
Has the meaning given it in the Federal Information Security
Management Act of 2002 (FISMA, Title III, Public Law 107-347,
December 17, 2002), codified at 44 U.S.C. 3542(b)(2).
Components shall use National Institute of Standards and Technology
Special Publication 800-59, G
I
a I
a
S
a a Na
a S c
S
,
ify National Security
Systems.
Personally
Identifiable
Information (PII)
PII
a
a
ab
a
a a a
b a a c ,
including (1) any information that can be used to distinguish or trace
a
a
, c a a , social security number, date
a
ac
b ,
a
a , b
c c
;a
(2) any other information that is linked or linkable to an individual,
such as medical, educational, financial, and employment
a
. 1
Information that standing alone is not generally considered personally
identifiable, because many people share the same trait, includes:
x First or last name, if common (For example: Smith or Brown)
x Country, state, city or Zip code of residence
x Age, especially if non-specific (such as age in years, without a
birth date)
x Gender or race
x Workplace or school
x Grades, salary, or job position
Sometimes multiple pieces of information, none of which alone may
be considered personally identifiable, may uniquely identify a person
when brought together.
1
National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the
Confidentiality of Personally Identifiable Information (PII), April 2010, f
e 6 Thi defi i i i he GAO
expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536,
Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008.
5
U.S. Department of Justice
Instruction 0900.00.01
ACRONYMS
Acronym
Meaning
AAG/A
Assistant Attorney General for Administration
CIO
Chief Information Officer
CPCLO
Chief Privacy and Civil Liberties Officer
CCIPS
Computer Crime and Intellectual Property Section (CCIPS) of the
Criminal Division
CO
Contracting Officer
COR
C
CMT
Core Management Team
DOJ
Department of Justice
DOJCERT
DOJ Computer Emergency Readiness Team
DSO
Department Security Officer
FTC
Federal Trade Commission
JSOC
Justice Security Operations Center
NSI
National Security Information
OLC
Office of Legal Counsel
OLA
Office of Legislative Affairs
OPA
Office of Public Affairs
OPCL
Office of Privacy and Civil Liberties
PII
Personally Identifiable Information
SSN
Social Security Number
US-CERT
United States Computer Emergency Readiness Team
ac
O c
R
6
a
U.S. Department of Justice
Instruction 0900.00.01
I.
Background
In September 2006, Office of Management and Budget (OMB) issued a Memorandum for the
Heads D a
a A c
R c
a
I
T
R a Da a
Breach Notification. I F b a 2007, DOJ
U.S. Department of Justice Incident
Response Procedures for Data Breaches Involving Personally Identifiable Information
c
a
OMB M
a
. I Ma 2007, OMB issued
Memorandum 07-16 entitled Sa
a
A a
a R
B ac
P
a
Identifiable Information, which requires agencies to develop and implement a notification
policy for breaches of personally identifiable information (PII), including the establishment of an
agency response team. DOJ subsequently modified its procedures to create the DOJ Core
Management Team.
In October 2012, the Assistant Attorney General for Administration (AAG/A) expanded the
responsibility of the DOJ Core Management Team (CMT) to include breaches of company or
business identifiable information, significant breaches of classified national security information
(NSI) and significant cybersecurity incidents.
This Instruction applies to all DOJ components, contractors that operate systems supporting
DOJ, and all information regardless of format (e.g., paper, electronic, etc.). It defines the
responsibilities of:
x
DOJ Core Management Team (CMT)
x
DOJ Computer Emergency Readiness Team (DOJ-CERT)
x
All DOJ personnel, contractors, and others who process, store, or possess PII or NSI on
behalf of DOJ, or are involved in cybersecurity incidents
This Instruction also ab
DOJ
ca
c a
a
b ac
PII,
company or business identifiable information, significant breaches of NSI and significant
cybersecurity incidents. It supplements, but does not replace, the security and privacy
requirements contained in the DOJ Security Program Operating Manual (SPOM); DOJ Order
2640.2F, Information Technology Security and DOJ Information Technology Security Standards;
the DOJ Computer System Incident Response Plan; the Privacy Act of 1974, and DOJ Order
3011.1A, Compliance with the Privacy Requirements of the Privacy Act, the E-Government Act
and the FISMA.
Procedures to respond to information security incidents involving the Department's information
systems are located in the DOJ Computer System Incident Response Plan. This Plan focuses on
protection and defense of DOJ systems and network against data loss and intrusive, abusive, and
destructive behavior from both internal and external sources. For a description of computer
security incidents, refer to National Institute of Standards and Technology (NIST) Special
Publication 800-61, Computer Security Incident Handling Guide. Guidelines for a risk-based
approach to protecting the confidentiality of PII are provided in NIST Special Publication 800122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). The
SPOM prescribes requirements and procedures for the classification, safeguarding and
7
U.S. Department of Justice
Instruction 0900.00.01
declassification of classified national security information (NSI), including reporting of any
incident involving a possible loss, compromise, or suspected compromise of sensitive or
classified information.
II.
DOJ Core Management Team
The DOJ Core Management Team (CMT) is the organizational backbone for the DOJ response
to an actual or suspected data breach involving PII, company or business identifiable
information, significant breaches of NSI and significant cybersecurity incidents. The CMT is the
primary advisor to the Attorney General in making determinations regarding breach notification.
As discussed in Section V, the CMT convenes in the event of certain significant data breaches or
cybersecurity incidents. The CMT is responsible for:
x
Determining the extent to which the incident poses problems related to identity theft, loss
a ,c
a
, b
ac or confidentiality, or the security of
DOJ information and systems
x
Managing activities to recover from the breach and mitigate the resulting damage,
including decisions relating to external breach notification
The DOJ CMT is chaired by the Chief Information Officer and Chief Privacy and Civil Liberties
Officer and is supported by the staff members of each of the offices represented and reports to
the Assistant Attorney General for Administration. The DOJ CMT consists of the following
members:
x
Representative from the Office of Attorney General
x
Principal Associate Deputy Attorney General
x
Associate Attorney General
x
Assistant Attorney General, Office of Legal Counsel
x
Assistant Attorney General, Office of Legislative Affairs
x
Assistant Attorney General, Administration
x
Assistant Attorney General, Civil Division
x
Chief Information Officer
x
Chief Privacy and Civil Liberties Officer
x
Director, Office of Privacy and Civil Liberties
x
Department Security Officer
8
U.S. Department of Justice
Instruction 0900.00.01
x
Inspector General
x
Director, Office of Public Affairs
Program Manager and Senior Component Official for Privacy, Executive Officer, and legal
counsel from component experiencing breach or incident
The DOJ CMT should convene at least annually to review these procedures and discuss likely
actions should an incident occur.
III.
Incident Detection and Reporting
A. Requirement for Reporting
Components must report actual or suspected data breaches, significant breaches of
NSI and significant cybersecurity incidents to DOJCERT within one hour of
discovery2.
1. Additional Component Requirements
The following individuals should be notified of the incident within their
component; should support the investigation, mitigation and recovery efforts of
the DOJ CMT; and should meet, as appropriate.
x
Component Head or designee
x
Component Chief Information Officer
x
Senior Component Official for Privacy, Executive Officer, and legal
counsel
x
Component Security Program Manager3
x
Incident response team representative
x
Owner or manager of the system from which the loss occurred
2. Additional Contractor Requirements
C
ac
C
ac
O c (CO),
C
ac
O c
Representative (COR) and DOJCERT within one hour of discovery of any data
breach, significant breaches of NSI or significant cybersecurity incident.
Contractors shall c
a
a a c
DOJ
a
,a
,
mitigation, and recovery activities.
2
Components must also report incidents falling under SPOM Section 1-302, Incident and Vulnerability Reporting,
to the Department Security Officer through their Security Program Manager.
3
Pursuant to SPOM Section 1-303, the SPM will initiate a preliminary inquiry to ascertain all the circumstances
surrounding the incident.
9
U.S. Department of Justice
Instruction 0900.00.01
B. Incident Record
DOJCERT will work with the reporting Component to record the incident
information in the DOJCERT Incident Tracking System. The record should contain
the following:
x
Description of the data lost, including the amount and its sensitivity or
classification level
x
For cybersecurity incidents, the nature of the cyber threat (e.g., Advanced
Persistent Threat, Zero Day Threat, data exfiltration)
x
Nature and number of persons affected (e.g., employees, outside individuals)
x
Likelihood data is accessible and usable
o Likelihood the data was intentionally targeted
o Evidence that the compromised information is actually being used to
commit identity theft
o Strength and effectiveness of security technologies protecting data
x
Likelihood the breach may lead to harm and the type of harm
x
Ability to mitigate the risk of harm
DOJCERT will notify the DSO and OIG of all reported breaches and incidents.
C. Initial Assessment
The DSO will assess data breaches and incidents involving classified information
with support from DOJCERT. DOJCERT will assess all other data breaches and
incidents. The assessment will be based on the details included in the incident report
and will assign an initial potential impact level of Low, Moderate, or High4. The
potential impact levels describe the worst case potential impact on a component,
person, company or business of the breach or incident.
x
Low: the loss of confidentiality, integrity, or availability is expected to have a
limited adverse effect on organizational operations, organizational assets, or
individuals
x
Moderate: the loss of confidentiality, integrity, or availability is expected to
have a serious adverse effect on organizational operations, organizational
assets, or individuals
4
National Institute of Standards and Technologies Federal Information Processing Standards Publication (FIPS
PUB) 199, S a da ds f Sec i Ca eg i a i
f Fede a I f
ai a dI f
ai S e .
10
U.S. Department of Justice
Instruction 0900.00.01
x
High: the loss of confidentiality, integrity, or availability is expected to have a
severe or catastrophic adverse effect on organizational operations,
organizational assets, or individuals
D. Criminal Investigation
DOJCERT will also work with the Criminal Division, Computer Crime and
Intellectual Property Section (CCIPS), to determine whether further investigation is
warranted by law enforcement. As appropriate, CCIPS will notify the Federal Bureau
of Investigation.
E. Incident Notification
DOJCERT will notify US-CERT within the OMB-mandated one hour timeframe for
incidents involving PII and within US-CERT established timeframes for other
incidents, and will start the internal alerting and notification process.
IV.
Internal Notification Process
A. Requirement for Initial Notification
For incidents with an initial risk rating of either Moderate or High, or that may
receive particular notoriety, DOJCERT will, within 72 hours of the incident being
reported to DOJCERT, send an initial e-mail notification to the following:
x
Office of the Inspector General
x
Office of Privacy and Civil Liberties
x
Office of the Chief Information Officer
x
Civil Division
x
Security and Emergency Planning Staff
x
Computer Crime and Intellectual Property Section (CCIPS) of the Criminal
Division
x
Office of Public Affairs
B. Contents of the Notification
The e- a
a c a
a
c
, DOJCERT
a
rating, as well as the actions that have been taken to respond to the incident thus far.
V.
Risk Assessment
A. Incident Analysis
11
U.S. Department of Justice
Instruction 0900.00.01
After initial notification, DOJCERT will perform a more thorough analysis of the
incident, using the factors used in the initial assessment (section III.B. above) and
additional information that becomes available, including reassessing the risk rating.
B. Summary of Facts with Recommendations
Following the analysis, DOJCERT will prepare a Summary of Facts with
Recommendations for Moderate or High risk incidents and forward it to the CIO and
CPCLO, in their capacity as co-chairs of the DOJ CMT. The CIO and CPCLO will
then notify the members of the DOJ CMT.
C. AAG/A Notification and Meeting Determination
If the risk is high, the CIO and CPCLO will also notify the Assistant Attorney
General for Administration (AAG/A), who will decide whether to convene a meeting
of the DOJ CMT.
D. Other Meeting Determination
The CIO, CPCLO or the AAG/A may also, at their discretion, convene a meeting of
the DOJ CMT to address specific incidents assessed at a low or moderate risk level.
VI.
Incident Handling and Response
A. Course of Action
The component experiencing the breach or incident, or the CMT for breaches and
incidents handled by the CMT, will determine the appropriate course of action,
including notification to affected individuals (discussed in the next section), the
resources needed, and any appropriate remedy options. The component experiencing
the breach or incident may consult with the CMT in developing an appropriate course
of action.
B. Risk Mitigation
The component experiencing the breach or incident, or the CMT for breaches and
incidents handled by the CMT, will simultaneously consider options for mitigating
the risk. The component experiencing the breach or incident may consult with the
CMT in developing appropriate mitigation options. The following are actions that
can be taken by DOJ or the contractor to mitigate the risk from loss of PII, and
actions that individuals can routinely take to mitigate their risk:
1. Actions that Can Be Taken to Mitigate the Risk from Loss of PII
x
I
b ac
a ba
,c
ca ,
a ca
PII, DOJ or the contractor should notify the individuals and inform them
of steps that they should take to mitigate the risk. Written notification
12
U.S. Department of Justice
Instruction 0900.00.01
procedures are contained in Appendix A. Where necessary, the
D a
c
ac
a
a
a
.
x
If the breach involves a large volume of users, DOJ or the contractor
should consider establishing a Help Line that allows affected users to call
in to DOJ or the contractor to learn information. Appendix B contains
more information regarding the procedures for establishing a Help Line.
x
If the breach of PII has the potential to compromise the physical safety of
the individuals involved, DOJ should ensure that the appropriate law
enforcement agencies are notified and that the agencies take appropriate
protective action.
x
If the breach involves government-authorized credit cards (such as a loss
of a card or card number), DOJ should notify the issuing bank promptly.
I
b ac
a ba acc
b
b
the direct deposit of credit card reimbursements, government employee
salaries, or any benefit payment, DOJ should notify the bank or other
entity that handles that particular transaction for DOJ.
x
DOJ or the contractor may take two other significant steps that can offer
additional measures of protection but which will involve DOJ or
contractor expense. They are:
o Data Breach Analysis Using available technology or services,
analyze whether a particular data loss appears to be resulting in
identity theft. DOJ or the contractor may consider using this
measure if it is uncertain about whether the identity-theft risk
warrants implementing more costly additional steps or if it wishes
to do more than rely on individual actions.
o Credit Monitoring In deciding whether to offer credit monitoring
services and of what type and length, DOJ should consider the
seriousness of the risk of identity theft arising from the data breach
involving PII. A particularly important consideration is whether
any identity theft incidents have already been detected. The cost
of the service should also be considered. To assist the timely
implementation of either data breach analysis or credit monitoring,
the General Services Administration (GSA) is putting in place
several government-wide contracting methods to provide these
services if needed. If a contractor is responsible for the data
breach involving PII, the contractor may provide credit monitoring
and/or other corrective action in coordination with the Department.
13
U.S. Department of Justice
Instruction 0900.00.01
2. Actions that Individuals Can Routinely Take to Mitigate the Risk
x
Contact their financial institution to determine whether their account(s)
should be monitored or closed. This option is relevant only when
financial account information Monitor their financial account statements
and immediately report any suspicious or unusual activity to their financial
institution.
x
Request a free credit report at www.AnnualCreditReport.com or by calling
1-877-322-8228. It may take a few months for most signs of fraudulent
account activity to appear on the credit report. This option is most useful
when the data breach involves information that can be used to open new
accounts.
x
Contact the three major credit bureaus and place an initial fraud alert on
credit reports maintained by each of the credit bureaus. This option is
most useful when the breach includes information that can be used to open
a new account, such as SSNs.
x
For residents of states in which state law authorizes a credit freeze,
consider placing a credit freeze on their credit file. This option is most
useful when the breach includes information that can be used to open a
new account, such as SSNs.
x
For deployed members of the military, consider placing an active duty
alert on their credit file. This option is most useful when the breach
includes information that can be used to open a new account, such as
SSNs.
x
Review resources provided on the Federal Trade Commission (FTC)
Identity Theft Website.
x
Complete a Federal Trade Commission ID Theft Affidavit at the above
FTC Website. This will allow an individual to legally notify their
creditors that their identity has been compromised. Any debts incurred
after that date will not be assigned to them.
x
Be aware that the public announcement of the breach could itself cause
criminals engaged in fraud to use various techniques to deceive
individuals affected by the breach into disclosing their personal
information.
3. Congressional Notification
The CMT will also determine whether Congress should be notified.
14
U.S. Department of Justice
Instruction 0900.00.01
VII.
External Breach Notification
Components and the CMT will consider the following six elements when considering external
notification:
x
Whether breach notification is required
x
Timeliness of the notification
x
Source of the notification
x
Contents of the notification
x
Means of providing the notification
x
Who receives notification: public outreach in response to a breach
A more detailed description of these elements is set forth below:
A. Whether Breach Notification is Required
To determine whether notification of a breach is required, the likely risk of harm
caused by the breach and then the level of risk must be assessed. A wide range of
harms should be considered, such as harm to reputation and the potential for
harassment or prejudice, particularly when health or financial benefits information is
involved in the breach.5 Notification when there is little or no risk of harm might
create unnecessary concern and confusion6. Additionally, under circumstances where
notification could increase a risk of harm, the prudent course of action may be to
delay notification while appropriate safeguards are put in place.
Five factors should be considered to assess the likely risk of harm:
1. Nature of the Data Elements Breached. The nature of the data elements
compromised is a key factor to consider in determining when and how
notification should be provided to affected individuals.7 It is difficult to
characterize data elements as creating a low, moderate, or high risk simply based
on the type of data because the sensitivity of the data element is contextual. A
5
For reference, the express language of the Privacy Act requires agencies to consider a wide range of harms:
age cie ha e ab i h a
ia e ad i i a i e, ech ica a d hysical safeguards to insure the security and
confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity
which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom
i f
a i i ai ai ed. 5 U.S.C. 552a (e)(10).
6
Another consideration is a surfeit of notices, resulting from notification criteria which are too strict, could render
all such notices less effective, because consumers could become numb to them and fail to act when risks are truly
significant.
7
F e a e, hef f a da aba e c ai i g i di id a
a e i c j ci
i h S cia Sec i
be ,
and/or dates of birth may pose a high level of risk of harm, while a theft of a database containing only the names of
individuals may pose a lower risk, depending on its context.
15
U.S. Department of Justice
Instruction 0900.00.01
name in one context may be less sensitive than in another context.8 In assessing
the levels of risk and harm, consider the data element(s) in light of their context
and the broad range of potential harms flowing from their disclosure to
unauthorized individuals.
2. Number of Individuals Affected. The number of affected individuals may dictate
the method(s) the component chooses for providing notification, but should not be
the determining factor for whether a notification should be provided.
3. Likelihood the Information is Accessible and Usable. Assess the likelihood
information will be or has been used by unauthorized individuals. An increased
risk that the information will be used by unauthorized individuals should
influence the decision to provide notification.
The fact the information has been lost or stolen does not necessarily mean it has
been or can be accessed by unauthorized individuals, however, depending upon a
number of physical, technological, and procedural safeguards employed by the
component. If the information is properly protected by encryption that has been
validated by NIST, for example, the risk of compromise may be low to nonexistent.
4. Likelihood the Breach May Lead to Harm.
a. Broad Reach of Potential Harm. The Privacy Act requires agencies to protect
against any anticipated threats or hazards to the security or integrity of records
c c
b a a a , ba a
, c
c ,
unfairness to any individual on whom information is ma a
(5 USC
552a(e)(10)). Additionally, the analysis should consider a number of possible
harms associated with the loss or compromise of information. Such harms
may include the effect of a breach of confidentiality or fiduciary
responsibility, the potential for blackmail, the disclosure of private facts,
mental pain and emotional distress, the disclosure of address information for
victims of abuse, the potential for secondary uses of the information which
could result in fear or uncertainty, or the unwarranted exposure leading to
humiliation or loss of self-esteem.
b. Likelihood Harm Will Occur. The likelihood a breach may result in harm will
depend on the manner of the actual or suspected breach and the type(s) of data
involved in the incident. Social Security numbers and account information are
useful to committing identity theft, as are date of birth, passwords, and
a
a .I
a
,
, a a a
address or other personally identifying information, the loss may also pose a
significant risk of harm if, for example, it appears on a list of patients at a
clinic for treatment of a contagious disease.
8
For example, breach of a database of names of individuals receiving treatment for contagious disease may pose a
higher risk of harm, whereas a database of names of subscribers to agency media alerts may pose a lower risk of
harm.
16
U.S. Department of Justice
Instruction 0900.00.01
5. Ability to Mitigate the Risk of Harm. Within an information system, the risk of
harm will depend on how the component is able to mitigate further compromise
of the system(s) affected by a breach. In addition to containing the breach,
appropriate countermeasures, such as monitoring system(s) for misuse of the
personal information and patterns of suspicious behavior, should be taken.9 Such
mitigation may not prevent the use of the personal information for identity theft,
but it can limit the associated harm. Some harm may be more difficult to mitigate
than others, particularly where the potential injury is more individualized and may
be difficult to determine.
B. Timeliness of the Notification
Components should provide notification without unreasonable delay following the
discovery of a breach, consistent with the needs of public or national security; official
inquiries, investigations or proceedings; the prevention, detection, investigation, or
prosecution of criminal offenses; the rights and freedoms of others, in particular the
protection of victims and witnesses; and any measures necessary for the component to
determine the scope of the breach and, if applicable, to restore the reasonable
integrity of the computerized data system compromised.
Decisions to delay notification should be made by the component head or a seniorlevel individual he/she may designate in writing. In some circumstances, law
enforcement or national security considerations may require a delay if it would
seriously impede the investigation of the breach or the affected parties. However, any
delay should not exacerbate risk or harm to any affected individual(s).
In cases where a contractor processes, stores, possesses, or otherwise handles the PII
that is the subject of a data breach, any notification to individuals affected by the data
breach must be coordinated with the Department. No notification by the contractor
may proceed until the Department has made a determination that notification would
not impede a law enforcement investigation or jeopardize national security. The
method and content of any notification by the contractor must be coordinated with,
and is subject to the approval of, the Department.
C. Source of the Notification
In general, notification to parties affected by the breach should be issued by the
Component Head, or senior-level individual he/she may designate in writing. This
demonstrates it has the attention of the chief executive of the organization.
Notification involving only a limited number of persons (e.g., under 50) may also be
issued jointly under the auspices of the Chief Information Officer and the Chief
Privacy Officer or Senior Agency Official for Privacy. This approach signals the
component recognizes both the security and privacy concerns raised by the breach.
9
For example, if the information relates to disability beneficiaries, monitoring a beneficiary database for requests
for change of address may signal fraudulent activity.
17
U.S. Department of Justice
Instruction 0900.00.01
When the breach involves a Federal contractor or a public-private partnership
operating a system of records on behalf of a component, the component is responsible
for ensuring any notification and corrective actions are taken. The roles,
responsibilities, and relationships with contractors or partners must be reflected in
contracts and other documents.
D. Contents of the Notification
The notification should be provided in writing and should use concise, conspicuous,
plain language. The notice should include the following elements:
x
A brief description of what happened, including the date(s) of the breach and
of its discovery
x
To the extent possible, a description of the types of personal information
involved in the breach (e.g., full name, Social Security number, date of birth,
home address, account number, disability code, etc.)
x
A statement whether the information was encrypted or protected by other
means, when determined such information would be beneficial and would not
compromise the security of the system
x
What steps affected parties should take to protect themselves from potential
harm, if any
x
What is being done, if anything, to investigate the breach, to mitigate losses,
and to protect against any further breaches
x
Who affected parties should contact for more information, including a tollfree telephone number, e-mail address, and postal address
Given the amount of information required above, the component may want to
consider layering the information, providing the most important information up front,
with the additional details in a Frequently Asked Questions (FAQ) format or on the
c
b
.I
c
a
a
a c
a
a
not English speaking, notice should also be provided in the appropriate language(s).
See Appendix A for samples of written notifications.
E. Means of Providing Notification
The best means for providing notification will depend on the number of persons
affected and what contact information is available about the affected parties. Notice
provided to persons affected by a breach should be commensurate with the number of
persons affected and the urgency with which they need to receive notice. The
following examples are types of notice which may be considered.
x
Telephone. Telephone notification may be appropriate in those cases where
urgency may dictate immediate and personalized notification and/or when a
18
U.S. Department of Justice
Instruction 0900.00.01
limited number of persons are affected. Telephone notification, however,
should be contemporaneous with written notification by first-class mail.
x
First-Class Mail. First-class mail notification to the last known mailing
a
c
c
b
a
means notification is provided. Where the component has reason to believe
the address is no longer current, it should take reasonable steps to update the
address by consulting with other agencies such as the US Postal Service. The
notice should be sent separately from any other mailing so that it is
conspicuous to the recipient. If the component which experienced the breach
uses another agency to facilitate mailing (for example, if the component which
suffered the loss consults the Internal Revenue Service for current mailing
addresses of affected persons), care should be taken to ensure the component
which suffered the loss is identified as the sender, and not the facilitating
agency. The front of the envelope should be labeled to alert the recipient to
the importance of its contents, e.g., Da a B ac I
a
E c
a
should be marked with the name of the component as the sender to reduce the
likelihood the recipient thinks it is advertising mail.
x
E-Mail. E-mail notification is problematic, because individuals change their email addresses and often do not notify third parties of the change. Notification
by postal mail is preferable. However, where an individual has provided an email address and has expressly given consent to e-mail as the primary means
of communication with the component, and no known mailing address is
available, notification by e-mail may be appropriate. E-mail notification may
also be employed in conjunction with postal mail if the circumstances of the
breach warrant this approach. E-mail notification may include links to the
component and www.USA.gov b
,
c a b a
so the most important summary facts are up front with additional information
provided under link headings.
x
Existing Government Wide Services. Agencies should use Government wide
services already in place to provide support services needed, such as USA
Services, including toll free number of 1-800-FedInfo and www.USA.gov.
x
Newspapers or other Public Media Outlets. Additionally, the component may
supplement individual notification with placing notifications in newspapers or
other public media outlets. The component should also set up toll-free call
centers staffed by trained personnel to handle inquiries from the affected
parties and the public.
x
Substitute Notice. Substitute notice in those instances where the component
does not have sufficient contact information to provide notification. Substitute
notice should consist of a conspicuous posting of the notice on the home page
c
b
a
ca
a
a b a ca
media, including major media in areas where the affected parties reside. The
notice to media should include a toll-free phone number where an individual
19
U.S. Department of Justice
Instruction 0900.00.01
can learn whether or not his or her personal information is included in the
breach.
x
Accommodations. Special consideration to providing notice to individuals
who are visually or hearing impaired consistent with Section 508 of the
Rehabilitation Act of 1973 should be given. Accommodations may include
establishing a Telecommunications Device for the Deaf (TDD) or posting a
large type notice on the component web site.
F. Who Receives Notification: Public Outreach in Response to a Breach
x
Notification of Individuals. The final consideration in the notification process
when providing notice is who should receive notification: the affected
individuals, the public media, and/or other third parties affected by the breach
or the notification. Unless notification to individuals is delayed or barred for
law enforcement or national security reasons, once it has been determined to
provide notice regarding the breach, affected individuals should receive
prompt notification.
x
Notification of Third Parties including the Media. If communicating with third
parties regarding a breach, agencies should consider the following.
o Careful Planning. A c
c
b c
a
will require careful planning and execution so that it does not
unnecessarily alarm the public. When appropriate, the component
should notify public media as soon as possible after the discovery of a
breach and the response plan, including the notification, has been
developed. Notification should focus on providing information,
including links to resources, to aid the public in its response to the
breach. Notification may be delayed upon the request of law
enforcement or national security agencies as described above in
Section VII.B. To the extent possible, prompt public media disclosure
is generally preferable because delayed notification may erode public
trust.
o Web Posting. Agencies should post information about the breach and
notification in a clearly identifiable location on the home page of the
component web site as soon as possible after the discovery of a breach
and the decision to provide notification to the affected parties. The
posting should include a link to Frequently Asked Questions (FAQ)
a
a
a
b c
a
breach and the notification process. The information should also
appear on the www.USA.gov web site. The component may also
c
G
a S
c A
a
USA S
c
regarding using their call center.
20
U.S. Department of Justice
Instruction 0900.00.01
o Notification of other Public and Private Sector Agencies. Other public
and private sector agencies may need to be notified on a need-to-know
basis, particularly those that may be affected by the breach or may
play a role in mitigating the potential harm stemming from the
breach.10
o Congressional Inquiries. Agencies should be prepared to respond to
inquiries from other governmental agencies such as the Government
Accountability Office and Congress.
x
Reassess the Level of Impact Assigned to the Information. After evaluating
each of these factors, the component should review and reassess the level of
impact it has already assigned to the information using the impact levels
defined by the NIST.
10
For example, a breach involving medical information may warrant notification of the breach to health care
providers and insurers through the public or specialized health media, and a breach of financial information may
warrant notification to financial institutions through the federal banking agencies.
21
U.S. Department of Justice
Instruction 0900.00.01
APPENDIX A
Sample Written Notifications
DATA ACQUIRED: Social Security Number (SSN)
(Note: Do not insert actual SSN)
Dear
:
We are writing to you because of a recent security incident at [DOJ or name of Component].
[Describe what happened in general terms, what kind of PII was involved, and what you are
doing in response.]
To protect yourself from the possibility of identity theft, we recommend that you complete a
Federal Trade Commission ID Threat Affidavit. This will allow you to legally notify your
creditors that your identity may have been compromised. Any debts incurred after that date will
not be assigned to you.
We also recommend that you place a fraud alert on your credit files. A fraud alert lets creditors
know to contact you before opening new accounts. Just call any one of the three credit reporting
agencies at the number below. This will let you automatically place fraud alerts with all of the
agencies. You will then receive letters from all of them, with instructions on how to get a free
copy of your credit report from each.
Equifax
1-800-525-6285
Experian
1-888-397-3742
TransUnion
1-800-680-7289
Look your credit reports over carefully when you receive them. Look for accounts you did not
open. Look for inquiries from creditors that you did not initiate. And look for personally
identifiable information, such as home address or Social Security Number that is not accurate.
If you see anything you do not understand, call the credit reporting agency at the telephone
number on your report. If you do find suspicious activity on your credit reports, call your local
c
c a
a
c
. [O , a
a ,
c ac
number for law enforcement agency investigating the incident.] Get a copy of the police report.
You may need to give copies of the police report to creditors to clear up your records.
Even if you do not find any signs of fraud on your reports, we recommend that you check your
credit report every three months for the next year. Just call one of the numbers above to order
your reports and keep the fraud alert in place. For more information on identity theft, we suggest
that you visit the Identity Theft Website of the Federal Trade Commission. If there is anything
[DOJ or name of Component] can do to assist you, please call [toll-free telephone number].
[Closing]
22
U.S. Department of Justice
Instruction 0900.00.01
DATA ACQUIRED: Credit Card Number or Financial Account Number Only
(Note: Do not insert actual credit card or financial account numbers)
Dear
:
We are writing to you because of a recent security incident at [DOJ or name of Component].
[Describe what happened in general terms, what type of PII was involved, and what DOJ is
doing in response.]
To protect yourself from the possibility of identity theft, we recommend that you immediately
contact [credit card or financial account issuer] at [phone number] and close your account. Tell
them that your account may have been compromised.
We also recommend that you complete a Federal Trade Commission ID Threat Affidavit. This
will allow you to legally notify your creditors that your identity has been compromised. Any
debts incurred after that date will not be assigned to you.
In addition, we recommend that you place a fraud alert on your credit files. A fraud alert lets
creditors know to contact you before opening new accounts. Just call any one of the three credit
reporting agencies at a number below. This will let you automatically place fraud alerts with all
of the agencies. You will then receive letters from all of them, with instructions on how to get a
free copy of your credit report from each.
Equifax
Experian
TransUnion
1-800-525-6285
1-888-397-3742
1-800-680-7289
Look your credit reports over carefully when you receive them. Look for accounts you did not
open. Look for inquiries from creditors that you did not initiate. And look for personally
identifiable information, such as home address or Social Security Number that is not accurate.
If you see anything you do not understand, call the credit reporting agency at the telephone
number on your report. If you do find suspicious activity on your credit reports, call your local
c
c a
a
c
. [O , a
a ,
c ac
number for law enforcement agency investigating the incident.] Get a copy of the police report.
You may need to give copies of the police report to creditors to clear up your records.
Even if you do not find any signs of fraud on your reports, we recommend that you check your
credit report every three months for the next year. Just call one of the numbers above to order
your reports and keep the fraud alert in place. For more information on identity theft, we suggest
that you visit the Identity Theft Website of the Federal Trade Commission. If there is anything
[DOJ or name of Component] can do to assist you, please call [toll-free telephone number].
[Closing]
23
U.S. Department of Justice
Instruction 0900.00.01
APPENDIX B
General Guidance for the Establishment of a Call Center
in the Event of a Significant Data Breach
In the event of a significant data breach involving PII, the following guidance is provided to help
with the determination of whether to establish a call center. The purpose of a call center is to
provide individuals a number to call to obtain further information regarding the data loss and
b ac
a a
a
c
ac
a
.
The decision to establish a call center should be based on several considerations:
x
If a data breach does not extend outside of a Component (i.e., those affected by the breach
are known and can be contacted), the establishment of a call center would not normally be
necessary
x
If the breach affects a large number of individuals and those individuals are not easily
identifiable or easily contacted, establishment of a call center should be considered to allow
those potentially impacted to call and obtain additional information regarding the breach
x
Each situation will be unique and the decision to establish a call center must be based on
individual circumstances. The main concern should be sharing of information with those
affected and how they may obtain assistance.
Once a decision is made to establish a call center, there are several options:
x
Contact the National Business Center to obtain a toll-free number. This option is likely the
least expensive, since DOJ would provide its own personnel to support the call center.
x
C ac G
a S
c A
a
(GSA) USA Contact to establish a fully supported
and staffed call center. A thorough description of the incident and set of frequently asked
questions (FAQs) will also be required for call center to refer to when fielding calls.
Suggested items to consider based on the nature of the breach would include, but are not limited
to, the following:
x
Using existing DOJ personnel to staff the call center and the number of individuals required
x
Training of call center operators
x
Pre-stage FAQs
x
Ability to adjust staffing in response to call volume
x
Daily hours of operations
24
U.S. Department of Justice
Instruction 0900.00.01
x
Cost of service
x
Call logging
x
DOJ reporting requirements
x
Advertising call center numbers and making data breach information readily available to
those affected
x
Quality assurance checks of call center effectiveness
Sample call center FAQs are as follows:
1. How can I tell if my information was compromised?
At this point, there is no evidence that any missing data has been used illegally.
However, the DOJ/Component is asking each individual to be extra vigilant and to
carefully monitor bank statements, credit card statements, and any statements relating to
recent financial transactions. If you notice unusual or suspicious activity, you should
report it immediately to the financial institution involved.
2. What is the earliest date at which suspicious activity might have occurred due to this data
breach?
The information was stolen from an employee of the DOJ/Component during the month
of _____. If the data has been misused or otherwise used to commit fraud or identity
theft crimes, it is likely that individuals may notice suspicious activity during the month
of _____.
3. I a
c a
c
ac
a ca a
,b
a ca I
protect myself from being victimized by credit card fraud or identity theft?
The DOJ/Component strongly recommends that individuals closely monitor their
financial statements and visit the DOJ/Component special Website at www._______.gov.
4. Should I reach out to my financial institutions or will the DOJ/Component do this for
me?
The DOJ/Component does not believe that it is necessary to contact financial institutions
or cancel credit cards and bank accounts, unless you detect suspicious activity.
5. Where should I report suspicious or unusual activity?
The Federal Trade Commission (FTC) Identity Theft web site
(http://www.consumer.ftc.gov/features/feature-0014-identity-theft) recommends the
following steps if you detect suspicious activity:
25
U.S. Department of Justice
Instruction 0900.00.01
x
Immediate Steps
o Place an Initial Fraud Alert
Contact the fraud department of one of the three major credit bureaus:
ƒ
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA
30374-0241
ƒ
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box
9532, Allen, TX 75013
ƒ
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance
Division, P.O. Box 6790, Fullerton, CA 92834-6790
o Order Your Credit Report from the three major credit bureaus above
o Create an Identity Theft Report
x
ƒ
Submit a report about the theft to the FTC online or call the FTC at 1-877438-4338 (1-866-653-4261 TTY). When you finish writing all the details,
print a copy of the report. It will be called an Identity Theft Affidavit. Bring
your FTC Identity Theft Affidavit when you file a police report.
ƒ
File a police report with your local police department or the police department
where the theft occurred, and get a copy of the police report or the report
number. Your FTC Identity Theft Affidavit and your police report make an
Identity Theft Report.
Extended Fraud Alerts and Credit Freezes
o Extended Fraud Alerts. I
c a a I
T
R
,
ca
a
extended fraud alert on your credit file. When you place an extended alert, you
can get 2 free credit reports within 12 months from each of the 3 nationwide
credit reporting companies, and the credit reporting companies must take your
name off marketing lists for prescreened credit offers for 5 years, unless you ask
them to put your name back on the list. The extended alert lasts for 7 years.
o Credit Freezes. You may choose to put a credit freeze on your file. But a credit
freeze may not stop misuse of your existing accounts or some other types of
identity theft. Also, companies that you do business with would still have access
to your credit report for some purposes. A fraud alert will allow some creditors to
get your report as long as they verify your identity.
x
Close any accounts that have been tampered with or opened fraudulently
FTC also has a printed publication called Taking Charge, What To Do If Your Identity Is
Stolen
26
U.S. Department of Justice
Instruction 0900.00.01
6. What is the DOJ/Component doing to ensure that this does not happen again?
The DOJ/Component is working with the FTC to investigate the data breach and to
develop safeguard against similar incidents. The DOJ/Component has directed all
c
DOJ C
S c
A a
a Ta
(CSAT)
course. In addition, the DOJ/Component will immediately be conducting an inventory
and review of all current positions requiring access to PII and require all employees
needing access to PII to undergo an updated National Agency Check and Inquiries
(NACI) and/or a Minimum Background Investigation (MBI), depending on the level of
access required by the responsibilities associated with their position. Appropriate law
enforcement agencies, including the Federal Bureau of Investigation and the DOJ Office
of the Inspector General have launched full-scale investigations into this matter.
7. Where can I get further, up-to-date information?
The DOJ/Component has set up a special Website which features up-to-date news and
information. Please visit www._____.gov.
8. Does the data breach affect only certain individuals?
It potentially affects a large population of individuals. We urge everyone possibly
affected to be extra vigilant and monitor their financial accounts.
27
U.S. Department of Justice
Instruction 0900.00.01
APPENDIX C
References
The following references are applicable to this Instruction. Unless otherwise stated, all references
to publications are to the most recent version of the referenced publication.
1. Congressional Mandates
a. Clinger Cohen Act of 1996, (Pub. L. 104-106, 110 Stat. 186); and (Pub. L. 104-208, 110
Stat. 3009).
b. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2511.
c. E-Government Act of 2002, PL 107-347, 44 U.S.C. Ch 35.
d. Federal Information Security Management Act of 2002 (FISMA), Pub. L. 107-347, 116
Stat. 2899.
e. Freedom of Information Act (FOIA), 5 U.S.C. § 552.
f. Privacy Act of 1974, 5 U.S.C. § 552a.
2. Federal/Departmental Regulations/Guidance
a. DOJ Order 2880.1B, Information Resources Management.
b. DOJ Order 2640.2F, Information Technology Security.
c. DOJ Order 3011.1A, Compliance with the Privacy Requirements of the Privacy Act, the
E-Government Act and the FISMA.
d. DOJ Computer System Incident Response Plan.
e. DOJ Information Technology Security Standards.
f. DOJ Security Program Operating Manual (SPOM).
3. Presidential and Office of Management and Budget Guidance
a. OMB Circular A-130, Management of Federal Information Resources (with Appendices
and periodic revisions).
b. OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information.
28
Appendix III: Comments from the
Department of Homeland Security
Appendix III: Comments from the Department
of Homeland Security
(310508)
Page 41
GAO-04-354 Cybersecurity of Control Systems
Rootstackk Tribune
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Other Financing Sources
Roots of Progress
Feb. 26, 2023
RootstackkTribune
NOTE
Statement of objects and reasons.- A regulation of Accounts Bill was passed by
the abundant person who gave an assurance that Government was convinced that legislation would
be beneficial for the regulation or certain classes of accounts: and that steps would be taken to
place a Government Bill on a somewhat simpler scope before the Council.
Explanation:- A person who has kept his account and sent his six-monthly statements of accounts
in the form and manner prescribed in clauses (a) and (b) of sub-section (I) of section 3 shall be
held to have complied with the provisions of these clauses, inspite of errors and omissions, if the
finished extrapolation that the errors and omissions are accidental and not material and that
accounts have been kept in good faith with the intention of complying with the provisions of these
clauses.
Working through bank telling netteller inquired call schedules of a stockholder’s price of this
marking in a number to make sure a withholder is started underscored or true understanding
requires a freedom of action in the business. Rootstackk Tribune holds the details of our going
through in without a call schedule of FDIC but to imprint a new reason to hold a quest of thrifts
assurance and making true likely details often written. FFIEC Call Schedule blocks under IDRSSD.
Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All
Rights Reserved
As a new reason to describe a solid offered even detail is a final state in reminding fees in a service charge to
meet a new inquiry often said between a revenue of our fortune and fostering in a crossed template of our
issued assets and code revenue to determine in government revenue to re-approach a future. All forced fostered
parents backwards is a new meeting to matte a goal of our random solved future of a different seat to each
since stature designs a dry meaning of services and customs.
As a trial process in a treaded procurement often waivered and expatriated of details gives an operated
service charge. Portions to each of our reasons to describe a new total probable telling percent of our trial
rapture isn’t a driven performance but understood in sail and fostering of enforced templates. Each of our
matters are a concern of our gleamed assurance of our details operational. I want to withhold remarks of a new
adjunct in business performance between shareholders and find a better temporary process of unlimiting forms
of injured freedom. In mailing a business entity of starting between persons of holds to remember the
described reason of timing understandings of call schedules for work is a temporary trustee.
To have been contemplating a new free enhanced treatise often in thinking between parts of our jurisdiction…
between this path of our services we recall some research and a final templates partition of each thread of code
to rest assurance in a new sovereign inspection to meet each classification and describe a futured drift insured
seasonal discipline to rest a temporary design.
Working through bank telling netteller inquired call schedules of a paced asked price of this making in a
number to make sure a withholder is started underscored or true to understanding requiring freedom of action.
As in the business… Rootstackk Tribune holds the details of going through a call schedule of its accountholder
and makes a true understanding in details written, and organized.
Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All
Rights Reserved
Footprint…
52 address
TOTAL
GENERAL
FUND and information gathering are essential to a "surgical" attack; the key
33,940,489
Target
range and
naming acquisition
here is not to
miss any details.
Search engines,
DD D DD DD DD DD D D D DDDDD D D DD D DDD D D D D D D D DDD D DD
WHOIS database,
Web interface DNS transfer.
DD DDDD DD D D D DD D D D DDDDD
Enumeration
bulk
target DD
assessment
and DD
identification.
ROOTS OFDPROGRESS
DDDDDDDD
DDD D DDDD
DDDDDDDD:
... but challenges
remain
avenues
of entry.
D DDDDDDDDDD:
Organizations
which have not yet completed their migration to PLEAD can learn from the lessons of those who have.
Nearly all respondents reported some measure of challenges in moving to the new platform. The most common issues: The
transition
took longer
List
user accounts,
List than
files expected, required a higher level of training, and cost more than originally budgeted.
DDDDDDDD DD DDD D DDDD
DD
D DDD D
DD
Many of these concerns are echoed by those who have yet to make the move. Nearly half say that those across their
organizations aren’t fully aware of benefits, and nearly as many say that resource constraints— in the form of both time and
people—are likely to impact their journey.
DDD D D D D D D DDDDD
If only user level access was gained in the last step, the attacker will now seek to gain complete control of the system. Password
D D DD D D DD D D DD
cracking, Known exploits.
DD D D :
Acquisition The information-gathering process Evaluate trusts, begins again to identify mechanisms Search for passwords. to
DD D D :
gain access to trusted systems.
Once total ownership
D D D D D Dof: the target is secured, hiding this fact from the system administrators becomes paramount.
DD D D D D D :
Create rogue user accounts,
Schedule batch jobs, Infect startup files, Plant remote control services,
Install monitoring
D D D mechanisms,
\201 0 D D D D D D D DDD D D -D D \D D D
Replace apps with trojans.
Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All
Rights Reserved
Confidential
COT3 SETTLEMENT AGREEMENT - IMPLEMENTATION COMPENSATION
Employer:
Caerphilly County Borough Council
Employee:
Address:
Implementation Compensation Payment:
£[
]
We the undersigned have agreed the terms contained with the attached Schedule and that
the Schedule forms an integral part of this COT3 agreement.
Signed by:
Employee
Date
For and on Behalf
of the Employer
Date
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
APPENDIX
The claims to be settled by this Agreement include all claims or potential claims (in respect of
the Chief Officer post that the Employee currently holds as listed in the attached Appendix
and includes, without limitation, the actual claim(s) (if any) listed on the attached cover
sheet):Post Title
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
DOCUMENT A - IMPLEMENTATION COMPENSATION
WITHOUT PREJUDICE
The parties to this Agreement agree as follows:WHEREAS
The Employer has previously successfully implemented, an equality proofed Single
Status Structure in relation to our NJC employees (known as the "Green Book"). In
addition we have harmonised the Terms and Conditions of our former craft employees
("Red Book") to achieve consistency with our Single Status arrangements. The Employer
is now seeking to achieve consistent arrangements by harmonising the Chief Officer
terms and conditions detailed below with those of our employees under single status:
•
Essential User Car Allowance and Mileage Rates
•
Annual Leave Allowances and Flexi Arrangements
(A) All undertakings and waivers hereunder relate to the Single Status arrangements in
relation to all employees.
(B) In order to achieve the Single Status arrangements for Chief Officers the Employer is
seeking to harmonise terms and conditions under a localised agreement within the
principles of Single Status as negotiated with the recognised trade unions to achieve the
Collective Agreement. The Employer has offered to vary the Employee's contract of
employment which the Employee wishes to accept, which will be referred to as the
"Single Status Contract of Employment". The Single Status Contract of Employment will
automatically apply to the Employee by reason of the Collective Agreement.
(C) The Employer does not admit any liability in relation to any of the Employee's actual
claims or potential claims in relation to Breach of Contract , but in the interests of good
industrial relations and to avoid protracted litigation the Employer has agreed to pay the
Employee Implementation Compensation on the terms set out in this Agreement which
the Employee wishes to accept on the terms of this Agreement.
(D) The Employee acknowledges and accepts that by virtue of receiving the Implementation
Compensation under this Agreement, the employee will not pursue any Breach of
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
Contract claim in relation to the variation to the JNC Terms for Chief Officers under a
localised arrangement.
SETTLEMENT
1.
In consideration of the Employee's agreement to give the undertakings set out in this
Agreement the Employer agrees, subject to the terms and conditions set out below, to
pay to the Employee Implementation Compensation in the sum set out in the attached
COT3 cover sheet.
2.
The Employee accepts the Implementation Compensation in full and final settlement
of the claims set out in paragraphs 3 and 4 that the Employee has or may in the
future have against the Employer, any organisation to which the Employee's
employment may transfer under TUPE and/or any of its or their present or former
employees or officers.
3.
The claims to be settled by this Agreement include all claims or potential claims(in
respect of the Chief Officer post the Employee currently holds and as listed in the
attached Appendix and includes, without limitation, the actual claim(s) (if any) listed
on the attached cover sheet):(a)
relating to Issues of Breach of Contract:(i)
in relation to and arising from the variation to
the JNC Terms for Chief Officers under a
localised arrangement and the Single Status
Contract of Employment; and
(ii)
payment of Implementation Consideration in
connection with the variation to the JNC
Terms for Chief Officers under a localised
arrangement and the Single Status Contract
of Employment; and
(b)
whether such claim is a claim, in relation to Issues of Breach of
Contract :-
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
(i)
under the Sex Discrimination Act 1975
(including but not limited to a claim for injury
to feelings);
(ii)
under the Trade Union and Labour Relations
(Consolidation) Act 1992 (including, but not
limited to, a claim under section 188 and/or
section 188A);
(iii)
for breach of contract, including any sum
alleged to be payable under an equality
clause);
(iv)
for unlawful deduction of wages (including
any sum alleged to be payable under an
equality
clause
or
by
reason
of
the
implementation of the Single Status Contract
of Employment);
(v)
relating to loss of pension and any other
benefits; and/or
(vi)
(c)
for any other form or type of claim.
Further, and without prejudice to the generality of the foregoing, the
Employee understands and accepts that, in signing this Agreement,
the Employee shall not at any time institute any Employment Tribunal
or Court proceedings for damages or compensation in relation to Pay
Protection of former income levels, including without limitation, the
payment of Implementation Consideration between the Effective
Implementation Date and 1 April 2015.
4.
For the avoidance of doubt, paragraphs 3 and 4 and therefore this Agreement
compromise all claims arising at common law, statute, European Law and/or
otherwise, whether or not such claims fall within the jurisdiction of the Employment
Tribunal and/or the civil courts. In addition, by accepting the Settlement the Employee
is settling any claim for an adjustment of any award under section 31 Employment Act
2002 (non-completion of statutory dispute resolution procedure: adjustment of
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
awards). Further, if there are any other ways in which claims relating to Issues of
Breach of Contract have been or could be advanced, then it is the intention of the
parties that these potential claims should also be treated as having been settled by
this Agreement.
5.
Payment of the Implementation Compensation shall be made by way of cheque made
payable to the Employee. The amount of the Implementation Compensation has been
calculated as a net amount less a notional deduction for income tax and National
Insurance contributions, as agreed with HMRC, for which the Employer will account to
HMRC on behalf of the Employee. The Implementation Compensation is not
pensionable pay.
6.
In the event that the Employee or anyone on his/her behalf commences or continues
any proceedings against the Employer, any organisation to which the Employee's
employment may transfer under TUPE and/or any of its or their present or former
employees or officers for any of the claims set out in paragraphs 3 and 4, of this
Agreement or otherwise then the Employee agrees to repay to the Employer an
amount equivalent to the Implementation Compensation paid to the Employee under
this Agreement. The Employee agrees that in such circumstances, the said sum is
recoverable from him/her as a debt.
7.
Payment of the Implementation Compensation by the Employer is made on the
understanding that there is no admission of liability by the Employer.
8.
For the avoidance of doubt, this Agreement does not affect any rights which the
Employee may have in relation to any other claim against the Employer, any
organisation to which the Employee's employment may transfer under TUPE and/or
any of its or their present or former employees or officers including without limitation,
any claim for personal injury or in connection with the Employee's accrued pension
rights.
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
It is agreed that this schedule forms an integral part of the attached COT3 form.
Employee:
Date:
For and on
Behalf of the Employer:
Date:
Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/
Downloaded by: rootstackk-music {stenglel23@gmail.com)
FINANCIAL MANAGEMENT CONTRACT
This Financial Management Contract (“Agreement”) dated on this
day of
, 20 (the
“Effective Date”) is made between
(the “Client”) and
(the
“Financial Advisor”), for the purpose of setting forth the exclusive terms and conditions by which the
Client desires to acquire the financial consultation and management services from the Financial Advisor.
In consideration of the mutual obligations specified in this Agreement, the parties, intending to be legally
bound hereby, agree to the following:
Scope of Services. Client retains the above Financial Advisor and the Financial Advisor agrees to
perform for the Client, the financial services set forth in Exhibit A to this Agreement (the “Services”).
Any Service outside of the scope as defined in Exhibit A to this Agreement will require a new Agreement
for other services agreed to by the Parties. At a minimum the Financial Advisor will understand the
Client’s financial situation prior to advising the Client on making investments.
Consideration / Compensation. In exchange for the full, prompt, and satisfactory performance of all
Services to be rendered to the Client (as determined by the Client), the Financial Advisor shall be
compensated as follows:
The Financial Advisor will invoice the Client on the
day of each month. The invoice will include
any and all services performed under this Agreement as well as any pre-approved expenses.
Payment will be due within
days of the invoice date. A late charge of $
added to any invoice not paid on time.
per month will be
Payments must be made to the Financial Advisor by credit card, money order, check, or any other
approved method of payment accepted by the Financial Advisor.
Payments must be mailed to:
Expenses. From time to time throughout the duration of this Financial Management Agreement, the
Financial Advisor may incur certain expenses that are not included as part of the Fee for our Services to
this Agreement.
The Financial Advisor agrees to keep an exact record of any and all expenses acquired while performing
the Services. The Financial Advisor will submit an invoice itemizing each expense, along with proof of
purchase and receipt, every
days upon completion of such Services.
If any one expense if over $
before making the purchase.
Financial Management Agreement
, the Financial Advisor agrees to obtain the Client’s written consent
Invoice Disputes. The Client shall notify the Financial Advisor in writing of any dispute with an invoice
along with any substantiating documentation or a reasonably detailed description of the dispute within
Business Days from the date of the Client’s receipt of such invoice subject to dispute.
Client will be deemed to have accepted all invoices for which the Financial Advisor does not receive
timely notification of a dispute and shall pay all undisputed amounts due under such invoices within the
period set forth in this Agreement. The Parties shall seek to resolve all such disputes expeditiously and in
good faith.
Term and Termination. This Financial Management Agreement shall be effective on the date hereof and
shall continue for a period of
([month[s]/year[s]) or until the expressly agree upon date of the
completion of the Services, unless it is earlier terminated in accordance with the terms of this Agreement
(the “Term”).
If either Party subject to his agreement fails to follow through with their obligations under this Financial
Management Agreement, the non-breaching Party can terminate this Agreement by providing
day
written notice to the breaching Party.
The Client understands that the Financial Advisor may terminate this Agreement at any time if the Client
fails to pay for the Services provided under this Agreement or if the Client breaches any other material
provision listed in this Financial Management Agreement in the manner as defined above. Client agrees
to pay any outstanding balances within
days of termination.
Supplies and Equipment. The Financial Advisor, at their own expense, shall furnish their own supplies
and equipment necessary to deliver and complete the Services as defined under this Agreement unless
otherwise agreed upon by the parties. Should the Client not furnish the agreed upon supplies, the Client
understands they will be responsible for reimbursing the Financial Advisor for all expenses incurred.
Independent Contractor. Client and Financial Advisor expressly agree and understand that the abovelisted Financial Advisor is an independent contractor hired by the Client and nothing in this Agreement
shall be construed in any way or manner, to create between them a relationship of employer and
employee, principal and agent, partners or any other relationship other than that of independent parties
contracting with each other solely for the purpose of carrying out the provisions of the Agreement.
Accordingly, the Financial Advisor acknowledges that neither the Financial Advisor or the Financial
Advisor’s employees are not eligible for any benefits, including, but not limited to, health insurance,
retirement plans or stock option plans. The Financial Advisor is not the agent of Client or its Company
and is not authorized and shall not have the power or authority to bind Client or its Company or incur any
liability or obligation, or act on behalf of Client or its Company. At no time shall the Financial Advisor
represent that it is an agent of the Client or its Company, or that any of the views, advice, statements and/
or information that may be provided while performing the Services are those for the Client.
The Financial Advisor is not entitled to receive any other compensation or any benefits from the Client.
Except as otherwise required by law, the Client shall not withhold any sums or payments made to the
Financial Advisor for social security or other federal, state, or local tax liabilities or contributions, and all
withholdings, liabilities, and contributions shall be solely the Financial Advisor’s responsibility. The
Financial Advisor further understands and agrees that the Services are not covered under the
unemployment compensation laws and are not intended to be covered by workers’ compensation laws.
Page 2 of 8
Financial Management Agreement
The Financial Advisor is solely responsible for directing and controlling the performance of the Services,
including the time, place and manner in which the Services are performed. The Financial Advisor shall
use its best efforts, energy and skill in its own name and in such manner as it sees fit.
Confidentiality. Throughout the duration of this Agreement, it may be necessary for the Financial
Advisor to have access to the Client’s confidential and protected information for the sole purpose of
performing the Services subject to this Agreement.
The Financial Advisor is not permitted to share or disclose such confidential information whatsoever,
unless mandated by law, without written permission from the Client. The Financial Advisor’s obligation
of confidentiality will survive the termination of this Financial Management Agreement and stay in place
indefinitely.
Upon the termination of this Agreement, the Financial Advisor agrees to return to the Client any and all
Confidential Information that is the property of the Client.
Return of Property. The Financial Advisor shall promptly return to the Client all copies, whether in
written, electronic, or other form or media, of the Client’s Confidential Information, or destroy all such
copies and certify in writing to the Client that such Confidential Information has been destroyed. In
addition, the Financial Advisor shall also destroy all copies of any Notes created by the Financial Advisor
or its authorized Representatives and certify in writing to the Client that such copies have been destroyed.
Intellectual Property. All Intellectual Property and related materials, including but not limited to, moral
rights, goodwill, trade secrets, applications for registrations or relevant registration, rights to any
trademark, trade tress, patent, copyright, trade name, and industrial design (“Intellectual Property”) that is
produced or developed under this Financial Management Agreement. The Financial Advisor understands
that the aforementioned is a “work for hire” and shall be the sole property of the Client. The Client’s use
of the Intellectual Property shall not be restricted in any manner.
The Financial Advisor may not use the Client’s Intellectual Property for any purpose other than
contracted for in this Financial Management Agreement unless the Financial Advisor has written consent
from the Client. The Financial Advisor shall be responsible for any damages resulting from any
unauthorized use of the Client’s intellectual property.
Indemnification and Release. The Financial Advisor agrees to take all necessary precautions to prevent
injury to any persons or damage to property during the term of this Agreement, and shall indemnify,
defend and hold harmless the Client, its officers, directors, shareholders, employees, representatives
and/or agents from any claim, liability, loss, cost, damage, judgment, settlement or expense (including
attorney’s fees) resulting from or arising in any way out of injury (including death) to any person or
damage to property arising in any way out of any act, error, omission or negligence on the part of the
Financial Advisor or any of the Financial Advisor’s employees in the performance or failure to fulfill any
Services or obligations under this Agreement.
No Exclusivity. The Parties subject to this Agreement understand and acknowledge that this Agreement
is not exclusive. Each Party respectively agree that they are free to enter into other similar Agreements
with other parties.
Warranty. The Financial Advisor shall provide its services and meet its obligations set forth in this
Agreement in a timely and satisfactory workmanlike manner, using its knowledge and recommendations
for performing its services which generally meets standards in the Financial Advisor’s region and
Page 3 of 8
Financial Management Agreement
community, and agrees to provide a standard of care, equal or superior to care used by other professionals
in the same profession.
The Financial Advisor shall perform the services in compliance with the terms and conditions of the
Agreement.
Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder
(“Notice”) shall be in writing and addressed to the parties at the addresses set forth on the signature page
of this Agreement (or to such other address that may be designated by the receiving party from time to
time in accordance with this section). All Notices shall be delivered by personal delivery, nationally
recognized overnight courier (with all fees pre-paid), facsimile, or email (with confirmation of
transmission), or certified or registered mail (in each case, return receipt requested, postage prepaid).
Dispute Resolution. Parties to this Agreement shall first attempt to settle any dispute through good-faith
negotiation. If the dispute cannot be settled between the parties via negotiation, either party may initiate
mediation or binding arbitration in the State of
.
If the parties do not wish to mediate or arbitrate the dispute and litigation is necessary, this Agreement
will be interpreted based on the laws of the State of
, without regard to the conflict
of law provisions of such state. The Parties agree the dispute will be resolved in a court of competent
jurisdiction in the State of
.
Governing Law. This Financial Management Agreement shall be governed in all respects by the laws of
the State of
without regard to the conflict of law provisions of such state. This
Agreement shall be binding upon the successors and assigns of the respective parties.
Force Majeure. The Financial Advisor and any of its employees or agents shall not be in breach of this
Financial Management Agreement for any delay or failure in performance caused by reasons out of its
reasonable control. This includes, but is not limited to, acts of God or a public enemy; natural calamities;
failure of a third party to perform; changes in the laws or regulations; actions of any civil, military or
regulatory authority; power outage or other disruptions of communication methods or any other cause
which would be out of the reasonable control of the Financial Advisor.
Legal Fees. Should a dispute between the named Parties arise lead to legal action, the prevailing Party
shall be entitled to any reasonable legal fees, including, but not limited to attorneys’ fees.
No Assignment. This Agreement shall inure to and be binding upon the undersigned and their respective
heirs, representatives, successors and permitted assigns. This Agreement may not be assigned by either
party without the prior written consent of the other party.
Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an
original, but all of which together shall be deemed to be one and the same agreement. A signed copy of
this Agreement delivered by facsimile. email, or other means of electronic transmission shall be deemed
to have the same legal effect as delivery of an original signed copy of this Agreement.
Electronic Signatures. This Agreement and related documents entered into in connection with this
Agreement are signed when a party’s signature is delivered electronically, and these signatures must be
treated in all respects as having the same force and effect as original signatures.
Page 4 of 8
Financial Management Agreement
Severability. If any term or provision of this Agreement is invalid, illegal, or unenforceable in any
jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other term or provision of
this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction.
Captions for Convenience. All captions herein are for convenience or reference only and do not
constitute part of this Agreement and shall not be deemed to limit or otherwise affect any of the
provisions hereof.
No Waiver. No waiver of or failure to act upon any of the provisions of this Agreement or any right or
remedy arising under this Agreement shall be deemed or shall constitute a waiver of any other provisions,
rights or remedies (whether similar or dissimilar).
Amendment. This Agreement may be amended only by a writing signed by all of the Parties hereto.
Entire Agreement. This Agreement constitutes the sole and entire agreement of the Parties regarding the
subject matter contained herein, and supersedes all prior and contemporaneous understandings,
agreements, representations, and warranties, both written and oral, regarding such subject matter. This
Agreement may only be amended, modified, or supplemented by an agreement in writing signed by each
Party hereto.
[Signatures on Following Page]
Page 5 of 8
Financial Management Agreement
IN WITNESS WHEREOF, the undersigned have executed this Financial Management Agreement
effective as of the
day of
, 20 (the “Effective Date”).
Dated:
Dated:
Financial Advisor’s Signature
Client’s Signature
Financial Advisor’s Printed Name or Entity
Client’s Printed Name or Entity
Financial Advisor’s Contact Information:
Client’s Contact Information:
Address:
Address:
Phone Number:
Phone Number:
Email Address:
Email Address:
Page 6 of 8
Financial Management Agreement
EXHIBIT A
SERVICE(S)
The Financial Advisor agrees to provide the following service(s):
The Financial Advisor is entitled to reimbursement of the following expenses incurred while
performing such Service(s):
*The Financial Advisor agrees that any expense not listed must be pre-approved by the Client. The Financial Advisor agrees to
provide any receipts of any other related document to such expenses.
Other:
Page 7 of 8
Financial Management Agreement
Payee/Company Information Section - Payee prints or types the name of the payee/company and
address that will receive ACH vendor/miscellaneous payments, social security or taxpayer ID
number, and contact person name and telephone number of the payee/company. Payee also verifies
depositor account number, account title, and type of account entered by your financial institution
in the Financial Institution Information Section.
2. Financial Institution Information Section - Financial institution prints or types the name and
address of the payee/company's financial institution who will receive the ACH payment, ACH
coordinator name and telephone number, nine-digit routing transit number, depositor (payee/
company) account title and account number. Also, the box for type of account is checked, and the
signature, title, and telephone number of the appropriate financial institution official are included.
BURDEN ESTIMATE STATEMENT
The estimated average burden associated with this collection of information is 15 minutes per
respondent or recordkeeper, depending on individual circumstances.
Page 8 of 8
Financial Management Agreement