1. Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1

2. "Breach" is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. "Personal information" means a Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable: (a) Social security number; (b) Motor vehicle operator's license number or state identification card number; (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account; (d) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or (e) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation. Email notification favored more than in many jurisdictions, if you normally communicate by email with the breach victim. 2 Data Breach - What is it? Nebraska's Breach Notification Law, Chapter 87-801 through 807

3. The District’s Breach Risk Mitigation Plan Identify Stakeholders Privacy Officer / Legal / Compliance (SRO/Principal/Superintendent) Information Technology (David Davis and team) Public Relations (Melissa Price) Establish Analysis and Communication Protocols Internal Procedures Remediation and Recovery Considerations Insurance Policies (ALICAP) Ensure the Stakeholders have authority to act instantaneously Included in Internal Procedures Communication stream to include Principal and Superintendent Information Security Multiple levels of electronic data security including the use of software and hardware filtering and firewall protection Use of encrypted file transfer technology for sensitive personnel data to state and federal government agencies and to financial institutions External access to District resources using secured web sites Policies and Procedures Board policies and internal procedures in place Not sharing passwords Password change policies FERPA 3

4. District Security Breach Incident Analysis Communication - Ensure that decision makers receive real time information, confidentiality is maintained when necessary and outreach is effective when appropriate Breach Containment – Can breach be contained and stopped without destroying critical evidence? Should an internal or external firm be used? Harm Determination – Technical forensics may be valuable in connection with ALICAP insurance coverage. Choose third party vendors carefully to minimize expense and avoid PCI issues. Consider specialized ID Theft Forensics as part of the strategy. District IT department participates in online courses including topics such as computer forensics and ethical hacking Legal - Involve legal counsel immediately to avoid legal and regulatory pitfalls. ALICAP has engaged Jon Neiditz as outside counsel specializing in data breach management. 4 The Basic Response Steps

5. Communication & Remediation – ALICAP ALICAP Insurance Coverage Crisis Management Response Expenses - $50,000 limit to c over the following expenses following a breach and reported within 60 days of the date it is first discovered. Legal Expenses - Cost to investigate and establish the breadth of the loss Forensic Information Technology Services – sublimit of $10,000 to review the nature and extent of the personal data compromise with a $1,000 deductible. Information Materials – Loss prevention and customer support information. Help Line – A toll free telephone line for “affected individuals” Notification Costs – Cost to notify each party impacted by a security breach Credit Monitoring – Cost to provide the parties impacted by a security breach with credit monitoring Identity Restoration Case Management – Services provided for affected individuals through the process of correcting credit and other records to restore control of his/her personal identity. 5