This resource is part of the OVC-funded Human Trafficking Confidentiality Toolkit.

The Issue

Many victim service providers now maintain electronic records that contain detailed personally identifying information (PII) about people who have received services. Because confidentiality and privacy are essential to the safety and well-being of program participants, and because electronic systems are vulnerable to data breaches, the Department of Justice (DOJ) requires all grantees, including OVC Human Trafficking grantees, to have a data breach response plan in place in the event of an actual or imminent “breach” of PII collected within the scope of an OJP grant-funded program or activity. For more information on the Office of Management and Budget (OMB) data breach response plan requirement for all federal agencies, see OMB Memorandum M-17-12. Most states and territories also have laws that require entities, which may include human trafficking services programs, to follow certain steps in the event of a data breach.

What Organizations Can Do

If (or when) electronic records are breached and PII is disclosed outside of the agency, it is important that victim service providers have a data breach response plan in place, adhering to relevant federal requirements and state laws, while also protecting the privacy and confidentiality of program participants whose PII was disclosed. You will need to inform program participants that their information was disclosed so that they can take steps to protect against any potential fallout of that disclosure. Your response plan should include details on how to safely contact current and former program participants to inform them of the data breach.

The following are considerations for programs to discuss in order to best manage data and create solid data breach policies that prioritize the safety and privacy of program participants. We recommend consulting an attorney to ensure you are following federal, state, territorial, and local laws and requirements while drafting policies.

Consideration #1: Audit Your Data Intake and Retention Processes

The best way to avoid releasing PII in a data breach is to minimize the amount of PII collected and retained in the first place. The best practice for data collection is to collect as little information as possible and to keep it for the minimum amount of time necessary, while taking into consideration the documentation requirements of funders, such as information needed for award implementation purposes and performance measures.

  • Review all of your current data collection and retention practices.

  • Do not collect information that is unnecessary.

  • Minimize the amount of time you keep the data.

  • Review these policies and practices on a yearly basis.

For more information, see our FAQs on Record Retention and Deletion.

Consideration #2: Develop Strong Data Security Measures

Work with IT professionals to ensure your agency’s data security measures are up to date and that you have the proper mechanisms in place to protect the information you collect. Because the information you collect and keep is sensitive and could have a profound impact on the privacy and safety of the program participants you serve, it is critical that your data be as secure as possible. Review your data security practices every year and update them as necessary. For more information on the importance of privacy, confidentiality, and data security, see our Data Security Checklist to Increase Victim Safety & Privacy.

Consideration #3: Determine Applicable Laws

The first step to creating internal policies and procedures is to identify the specific requirements and laws that apply to your program. While OVC award conditions and state data breach notification laws outline specific requirements that organizations must follow when an individual’s personal data is breached, they do not provide template policies. We recommend policies be drafted in consultation with an attorney to ensure that all applicable legal requirements are considered and incorporated.

  • Federal Requirements

In a few instances, victim service providers may also be subject to the Health Insurance Portability and Accountability Act (HIPAA). (Read the U.S. Department of Health and Human Services’ Covered Entities & Business Associates document to find out if HIPAA rules apply to your organization.) The HIPAA Privacy and Security Rules have specific requirements for the protection of protected health information, along with specific protocols programs must follow in response to data breach events.

  • State & Territorial Laws

Every U.S. state and territory has a data breach response law. These laws generally set out specific requirements for how organizations should notify individuals whose sensitive personal information has been breached. The Privacy Rights Clearinghouse has published a summary of all state and territorial data breach statutes.

In most states and territories, the statute applies to organizations that electronically store names or personally identifying numbers in an unredacted, unencrypted format. If victim service programs collect and store personally identifying numbers (such as social security numbers) or maintain personal information in an unencrypted format, they may be required to comply with these statutes. Note: It is not best practice for victim service providers to collect or store social security numbers. For more information, refer to Consideration #1: Audit Your Data Intake and Retention Processes. It is also not best practice to store PII in an unencrypted format. Ensuring stored data is encrypted will significantly decrease the likelihood that a security incident exposes readable PII.

Consideration #4: Contacting People Affected by the Breach

Starting in FY24, OVC-funded anti-trafficking service providers are expected to have or to establish policies that follow VAWA confidentiality procedures. Programs must make reasonable attempts to notify current and former program participants if their information is going to be disclosed when there is a valid mandate. This requirement also applies in the case of an accidental or unauthorized disclosure, such as a data breach. Programs should have processes in place for making reasonable attempts to notify program participants and to provide them with follow-up support.

Such processes must be designed so that programs can contact the program participant without disclosing to others that the person received services, which means carefully considering how a program participant will be notified and how to minimize the risk of accidental or intentional interception of that notification. Programs should also consider how notifications may affect program participants and be prepared to respond. Some program participants may need advocacy-related services, some may want emotional support, and others may request referrals as they deal with the fallout of an accidental or unauthorized disclosure.

Most state and territorial data breach response statutes are prescriptive in their notification requirements and require direct written notification to every person affected by a data breach, either by mail or by email. Although there are potential safety and privacy concerns when a victim service provider contacts a program participant in this way, these statutes generally do not recognize such concerns as an exception to this requirement. (This is another reason that programs should limit the amount of PII they retain in the first place and ensure that the personally identifying data they do store is encrypted and secure.) However, some state and territorial data breach notification statutes may be flexible and allow privacy and safety considerations to be incorporated into data breach response policies, as long as the organization develops a policy and procedure that is consistent with the spirit of the statute. For example, many states allow conspicuous notice on an agency’s website in lieu of mailing or emailing notices.

Programs should work with partners, such as a local attorney and their state or territorial coalition, to develop a reasonable and safe mechanism for notifying program participants of a data breach that complies with all applicable laws.

Breach notification policies need to:

  • take into account program participants’ safety and privacy,

  • not breach program participant confidentiality,

  • meet the intent of all applicable laws, and

  • reasonably inform program participants whose data has been breached so they can take measures to minimize the harm that may have been caused by the breach.

Consideration #5: Notifying Government Agencies

As detailed in the award condition language, OVC grant recipients’ data breach response procedures must include a process for reporting the actual or imminent breach of personally identifying information to an OVC Program Manager no later than 24 hours after an occurrence of an actual breach or the detection of an imminent breach. Programs that are HIPAA-covered entities must also comply with the HIPAA Breach Notification Rule, found at 45 CFR §§ 164.400-414.

Summary

Those seeking and receiving anti-trafficking services face significant safety and privacy risks, which can quickly increase if their personal information is shared without their consent. The strict confidentiality obligations outlined in VAWA were drafted to minimize such risks by ensuring that victim service programs are legally bound to protect the privacy and autonomy of program participants. Organizations should employ best practices related to data collection, retention, and deletion, and work with a local attorney and their state or territorial coalition to ensure that, in the event of a data breach, they have a response plan in place that carefully balances their legal obligations with the safety, privacy, and emotional well-being of the program participants they serve. For a policy template, see the Victim Rights Law Center Model Data Breach Policy.

This document was drafted in cooperation with Alicia L. Aiken, JD and the Resource Sharing Project.

© 2026 Alicia L. Aiken, JD, and the National Network to End Domestic Violence, Safety Net Project.

This project was produced by the National Network to End Domestic Violence under 15POVC-24-GK-00890-HT, awarded by the Office for Victims of Crime, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this resource are those of the contributors and do not necessarily represent the official position or policies of the U.S. Department of Justice.