Section 410.70  Required Notifications to the Board and Procedures Following Security Breach

a)         Notwithstanding any other provision of law, every election authority and vendor is required to notify the Board:

1)         as soon as practicable, but in no case more than 5 business days, following the discovery of any security breach in the computer-based voter registration system that subjects voter registration data to unlawful access; or

2)         as soon as practicable, but in no case more than 30 days, following the implementation of a material change to the functionality, capability, reliability, or operation of the computer-based voter registration system.

b)         A notification of a security breach under subsection (a)(1) may be made jointly by the election authority and vendor but must be accompanied by:

1)         a complete timeline of events including when the security breach began, when the security breach was discovered, and the steps taken to address it; and

2)         detailed documentation that identifies the systems and data affected and allows for identification of the root causes of the security breach.

c)         Following a security breach in the computer-based voter registration system, Board staff will analyze the circumstances surrounding the security breach and make recommendations to the election authority and to the computer-based voter registration system vendor for the mitigation of future risk, including, but not limited to, bringing the computer-based voter registration system into compliance with any additional requirements of the certification standards verification process that have been added since the most recent certification of the computer-based voter registration system.