Data Breach Response Policy
The purpose of this document is to define Impexium policies for responding to potential breaches of sensitive information. This policy is focused on the specific types of security incidents that may involve the accidental disclosure of personally identifiable information (PII) to unauthorized third parties.
This policy applies to all Impexium employees and third-party contractors who collect, process or otherwise handle sensitive personal information of employees or customers.
PRIVACY BREACH PREPARATION AND ORGANIZATION
Privacy Breach Response Team – Impexium will establish and staff a special team with the responsibility of planning for, analyzing and responding to data breaches. The team must be composed of qualified individuals from various departments including (but not limited to) Information Security, Legal, Human Resources and Marketing/PR.
Privacy Breach Response Plan – Impexium will establish and maintain a written Privacy Breach Response Plan detailing the requirements of the response program. The plan must include the names and contact information of specific individuals required to implement the plan, as well as detailed standards and procedures for implementing official breach response policies.
PRIVACY BREACH IMPACT ANALYSIS
Security Incident Analysis – Each security incident reported to the Impexium Computer Emergency Response Team (CERT) that involves the possible disclosure of sensitive personal information (PII) of employees or customers must be analyzed to determine whether the event qualifies as a breach under Impexium standards.
Breach Notification Analysis – Each security event identified as a breach must be further analyzed to determine the notification requirements for the breach. Breaches that trigger the notification requirements must be logged and reported immediately to the Privacy Breach Response Team.
THIRD PARTY REPORTING
Third Party Reporting System – Impexium will establish a formal reporting mechanism to allow third parties that process sensitive personal information to report a breach of such information. Impexium Computer Emergency Response Team members will respond within 24 hours of such notification.
Acceptable Notification Methods – Impexium will use any one or more of the following methods to notify customers' Data Protection Officers in the event of a data breach:
(1) Written letter via first class mail to the last known address of the individual;
(2) Electronic mail to the last known electronic mail address; or
(3) Personal phone call (only in cases of extremely high risk of identity theft).
Timeliness of Notification – All official customer notifications must be made within 72 hours of the confirmation of the breach by Impexium.
Record of Notification – Impexium will keep a record of each customer notification attempt, including the individual, date, time and notification method.
Content of Notification – Regardless of the method by which notice is provided to individuals, notice of a breach must include, to the extent possible, the following:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of PII that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what Impexium is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Exception in the Case of Investigation – The notification requirements of this policy may be suspended if they are found to impede a criminal investigation. This exception must be requested by law enforcement and approved by Impexium management.
Reporting to Governing Bodies – If the discovered breach triggers the Governing Body Reporting Requirement, Impexium will immediately report details of the breach to the appropriate jurisdiction or legal entity that requires such notice. A list of governing bodies for each law requiring a breach notification must be maintained by the Legal Department, as well as the proper forms required for such a breach.
Reporting Requirements – To facilitate the timely reporting of breaches to governing bodies, the Privacy Breach Response Team must maintain a list of forms required to report the breach to the various legal entities or jurisdictions.
Dedicated Support Line – As part of the breach notification and remediation plan, Impexium will maintain a dedicated support line to handle customer inquiries regarding the breach. The support line will include an email address and toll-free telephone number. Each support person must be trained in the remediation options available to customers.
Breach Incident Review – The Information Security Department must review the details of any privacy breach recorded by Impexium, even if the incident did not trigger a public announcement. The review must include a detailed analysis of what led to the breach and a recommended set of updates to existing controls to mitigate the risk of any further breaches.
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Impexium reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Impexium does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Impexium reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy should provide a written or verbal complaint to his or her manager, any other manager or the Human Resources department as soon as possible.
ROLES AND RESPONSIBILITIES
Management – Each organizational unit head is responsible for ensuring proper security and protection for all personally identifiable information (PII) within her or his purview.
Privacy Breach Response Team – This group is responsible for planning for, analyzing and responding to data breaches.
Information Security Department – This group is responsible for formulating policies, procedures and standards for the security of sensitive personal data. The Information Security Department is also responsible for developing training for employees on the various types of security incidents that may constitute a data breach.
Marketing/PR Department – The Marketing Department, with the help of the Privacy Breach Response Team, is responsible for maintaining a list of media outlets and contact information in the event that media must be notified of a breach.
Legal Department – The Legal Department is responsible for identifying, with the help of the members of the Privacy Breach Response Team, the various breach reporting requirements for each jurisdiction in which Impexium handles personally identifiable information (PII).
Employees and other users – Each user who processes or handles PII is responsible for following the information protection policies designed to protect this information. Individuals are also responsible for notifying management if they suspect that a breach of such information may have occurred.
TERMS AND DEFINITIONS
Breach Discovery – A data breach is considered "discovered" within 24 hours of its initial report, once the Notification Requirement (defined below) has been triggered.
Governing Body Reporting Requirement – A privacy breach involving PII whose disclosure must be reported to a regulatory agency or other governing body triggers this requirement.
Notification Requirement – A data breach of sensitive personal information that is found to be reasonably likely to result in identity theft triggers a Notification Requirement.
Notification Burden of Proof – The requirement to demonstrate that all required notifications were made in response to a privacy breach.
Privacy Breach – A privacy breach occurs when personal information is collected, retained, accessed, used, or disclosed in ways that are not in accordance with the provisions of the enterprise’s policies, applicable privacy laws, or regulations.
Privacy Breach Response Team – A special multi-disciplinary team that is responsible for planning for, analyzing and responding to privacy breaches. The team will be composed of qualified individuals from various departments including (but not limited to) Information Security, Legal, Human Resources and Marketing/PR.
Personally Identifiable Information (PII) – Information that alone, or when combined with other personal or identifying information, can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. PII includes, in particular, a first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are neither encrypted nor redacted:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number; or
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to financial accounts.
Privacy-Applicable Law – Relevant laws, enactments, regulations, binding industry codes, regulatory permits and licenses that are in effect and address the protection, handling and privacy of target privacy data.
Sensitive personal information – Personal information that requires an extra level of protection and a higher duty of care, for example, information on medical or health conditions, certain financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions.
REFERENCES
AICPA/CICA Generally Accepted Privacy Principles
Mass. Gen. Laws ch. 93H
NIST Special Publication 800-61, Computer Security Incident Handling Guide
VA CODE § 18.2-186.6
RELATED POLICIES
Data Classification Policy, Privacy Program Policy, Incident Response Policy, Identity Theft Prevention Policy (Red Flags)