Data Breach Response Policy

**1.0 ~~Purpose~~ Purpose**

~~The~~This ~~purpose~~policy ofestablishes the ~~policy is to establish the goals~~framework and ~~the vision~~objectives for the organization's data breach response process. ~~This~~It ~~policy will clearly define to whom it applies and under what circumstances, and it will include~~defines the ~~definition~~scope of aapplicability, ~~breach,~~outlines ~~staff~~procedures for suspected or confirmed breaches, clarifies roles and responsibilities, sets standards for incident prioritization, and ~~metrics (e.g., to enable prioritization of the incidents), as well as~~mandates reporting, remediation, and feedback mechanisms. The purpose is to ensure a coordinated, effective, and timely response to protect the organization's data, personnel, and stakeholders. This policy ~~shall~~must be ~~well~~effectively ~~publicized~~communicated and ~~made~~readily ~~easily available~~accessible to all personnel ~~whose~~involved ~~duties involve~~in data privacy and security protection.

The

organization

~~<ORGANIZATION~~is ~~NAME>~~committed ~~Information~~to ~~Security's intentions for publishing~~maintaining a ~~Data~~culture ~~Breach~~of ~~Response~~openness, ~~Policy~~trust, ~~are~~and integrity. This includes a proactive approach to ~~focus significant attention on~~ data security and ~~data~~a ~~security~~structured ~~breaches and how <ORGANIZATION NAME>’s established culture of openness, trust and integrity should respond~~response to ~~such~~potential ~~activity.~~breaches. <ORGANIZATION NAME> Information Security is committed to protecting <ORGANIZATION NAME>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

~~Background~~

This policy ~~mandates~~aims ~~that~~to ~~any~~protect the organization, its employees, partners, and associated individuals from harm resulting from unauthorized data access or disclosure, whether intentional or unintentional.

**2.0 Background**

Any individual who suspects that a theft, ~~breach~~breach, or unauthorized exposure of ~~<ORGANIZATION~~the ~~NAME>~~organization's Protected ~~data~~Data or ~~<ORGANIZATION NAME>~~ Sensitive ~~data~~Data may have occurred has ~~occurred~~an ~~must~~immediate ~~immediately provide a description of what occurred via e-mail~~obligation to ~~Helpdesk@<ORGANIZATION~~report ~~NAME>.org,~~the byincident. ~~calling~~Reports ~~555-1212,~~should ordescribe the circumstances and be submitted promptly through the ~~use~~designated ofinternal ~~the~~channels ~~help~~(e.g., ~~desk~~IT Help Desk email, dedicated phone line, or internal reporting ~~web page at http://<ORGANIZATION NAME>~~portal). ~~This~~These ~~e-mail~~reporting ~~address, phone number, and web page~~channels are actively monitored by the ~~<ORGANIZATION NAME>’s~~designated Information Security ~~Administrator.~~personnel ~~This~~or team responsible for initiating investigations. All reports will ~~investigate~~be ~~all reported thefts, data breaches and exposures~~investigated to ~~confirm~~determine if a ~~theft,~~data breach or exposure has occurred. IfConfirmed aincidents ~~theft,~~will ~~breach or exposure has occurred,~~trigger the ~~Information~~established ~~Security~~Incident ~~Administrator~~Response ~~will follow the appropriate procedure in place.~~Procedure.

**3.0 Scope**

~~2.0 Scope~~

This policy applies to all ~~whom~~employees, contractors, vendors, and partners who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle ~~personally identifiable information~~sensitive or protected information, including Personally Identifiable Information (PII) and Protected Health Information (PHI), on behalf of ~~<ORGANIZATION~~the ~~NAME>~~organization. ~~members. Any agreements~~Agreements with third-party vendors ~~will~~must ~~contain~~include ~~language~~provisions ~~similar~~requiring ~~that~~adherence ~~protects~~to ~~the~~comparable ~~fund.~~data protection and breach notification standards.

**4.0 Policy: Incident Response Protocol**

~~3.0~~**4.1 ~~Policy~~Incident ~~Confirmed~~Confirmation and Initial Response**

Upon confirmation of a theft, data breach, or exposure involving Protected or Sensitive Data, immediate steps will be taken to contain the incident, including isolating affected systems and revoking access where necessary to prevent further unauthorized activity.

**4.2 Incident Response Team Activation**

The designated Executive Leader (e.g., Executive Director, Chief Information Security Officer) will activate and chair an Incident Response Team (IRT) to manage the breach or exposure event. The core IRT will be composed of ~~<ORGANIZATION~~representatives ~~NAME>~~from ~~Protected~~relevant ~~data~~departments, ~~or <ORGANIZATION NAME> Sensitive data~~including:

AsInfrastructure
* ~~soon~~IT asApplications a/ ~~theft,~~Information ~~data~~Security
* ~~breach~~Legal orCounsel
* ~~exposure~~Communications ~~containing~~/ ~~<ORGANIZATION~~Public ~~NAME>~~Relations
* ~~Protected~~Finance ~~data~~(if ~~or <ORGANIZATION NAME> Sensitive~~financial data is ~~identified,~~impacted)
* ~~the process of removing all access to that resource will begin.~~

~~The Executive Director will chair an incident response team to handle the breach or exposure.~~

~~The team will include members from:~~

• ~~IT Infrastructure~~

• ~~IT Applications~~

• ~~Finance (if applicable)~~

• ~~Legal~~

• ~~Communications~~

• ~~Member~~Member/Customer Services (if ~~Member~~member/customer data is ~~affected)~~

impacted)
*

• Human Resources

•The ~~The~~business unit(s) directly affected ~~unit~~ or ~~department~~responsible ~~that uses~~for the ~~involved~~compromised ~~system or output or whose data may have been breached or exposed~~

• ~~Additional departments based on the data type involved,~~system/data.
* Additional ~~individuals~~members as deemed necessary by the ~~Executive~~IRT ~~Director~~

Chair

based

~~Confirmed~~the ~~theft,~~nature ~~breach~~and ~~or exposure of <ORGANIZATION NAME> data~~

~~The Executive Director will be notified~~scope of the ~~theft,~~incident.

~~breach~~

**4.3 orInvestigation ~~exposure.~~and ~~IT,~~Analysis**

~~along~~

The ~~with~~IRT, potentially supported by internal IT and designated external forensic specialists (often coordinated through cyber insurance providers), will conduct a thorough investigation. The objectives are to:

* Determine the ~~designated~~root ~~forensic~~cause ~~team, will analyze~~of the breach or ~~exposure~~exposure.
* ~~to determine~~Identify the ~~root cause.~~

~~Work with Forensic Investigators~~

~~As provided by <ORGANIZATION NAME> cyber insurance, the insurer will need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the~~specific types of data ~~involved;~~involved.
* Ascertain the extent of the impact, including the number of ~~internal/external~~ individuals and/or organizations ~~impacted;~~potentially affected.
* Assess the scope and ~~analyze~~severity of the ~~breach or exposure to determine the root cause.~~ incident.

**4.4 Communication Strategy**

~~Develop~~The IRT, in collaboration with Legal, Communications, and Human Resources departments, will develop and execute a strategic communication plan. This plan will address necessary notifications to:

* Internal personnel
* Regulatory bodies (as required by law)
* Affected individuals
* The public, if deemed necessary.

~~Work with <ORGANIZATION NAME> communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.~~

~~3.2~~**5.0 Ownership and ~~Responsibilities~~Responsibilities**

~~Roles~~* &**Data ~~Responsibilities:~~

Sponsors:**

Individuals

•departments ~~Sponsors - Sponsors are those members of the <ORGANIZATION NAME> community that have~~with primary responsibility for ~~maintaining~~overseeing ~~any particular~~specific information ~~resource.~~resources. Sponsors ~~may~~are betypically designated bybased ~~any~~on ~~<ORGANIZATION~~administrative ~~NAME>~~roles ~~Executive~~or their function in ~~connection~~collecting, ~~with their administrative responsibilities,~~developing, or bymanaging ~~the~~data.
* ~~actual sponsorship, collection, development, or storage of information.~~

• **Information Security ~~Administrator~~Administrator/Team:** isDesignated ~~that~~personnel ~~member of the <ORGANIZATION NAME> community, designated by the Executive Director or the Director, Information Technology (IT) Infrastructure, who provides administrative support~~responsible for the administrative implementation, ~~oversight~~oversight, and coordination of security procedures and ~~systems~~systems, ~~with respect to specific information resources~~acting in consultation with ~~the relevant~~Data Sponsors.

•**Users:** ~~Users include virtually all~~All members of the ~~<ORGANIZATION NAME>~~organization community to(including ~~the~~staff, ~~extent~~contractors, ~~they~~consultants, ~~have~~etc.) with authorized access to information ~~resources,~~resources. Users are responsible for adhering to security policies and ~~may~~reporting ~~include~~suspected ~~staff,~~incidents.
* ~~trustees, contractors, consultants, interns, temporary employees and volunteers.~~

• ~~The~~ **Incident Response Team ~~shall~~(IRT):** ~~be chaired~~Chaired by Executive ~~Management~~Management, ~~and~~this ~~shall~~cross-functional ~~include,~~team ~~but~~is ~~will~~responsible ~~not~~for ~~be limited to,~~managing the ~~following~~response ~~departments~~to orconfirmed ~~their~~data ~~representatives:~~breaches ~~IT-Infrastructure,~~as ~~IT-Application~~outlined ~~Security;~~in ~~Communications;~~section ~~Legal; Management; Financial Services, Member Services; Human Resources.~~4.2.

**6.0 Enforcement**

~~4.0 Enforcement~~

~~Any < ORGANIZATION NAME > personnel found in violation~~Violations of this policy by organizational personnel may beresult ~~subject to~~in disciplinary action, up to and including termination of ~~employment.~~employment, ~~Any~~subject ~~third~~to applicable laws and internal procedures. Violations by third-party ~~partner company found in violation~~partners may ~~have~~lead ~~their~~to remediation actions, including termination of contracts or network ~~connection terminated.~~ access.

**7.0 Definitions**

~~5.0~~* ~~Definitions~~**Breach:**

The

~~Encryption~~unauthorized acquisition, access, use, or ~~encrypted~~disclosure of Protected Data or Sensitive Data that compromises its security or privacy.
* **Encryption:** The process of converting data –(plain ~~The~~text) ~~most effective way to achieve data security. To read an encrypted file, you must have access to~~into a ~~secret~~coded format (ciphertext) requiring a specific key or password ~~that~~for ~~enables~~decryption, ~~you to decrypt it. Unencrypted~~enhancing data issecurity.
* ~~called~~**Information ~~plain~~Resource:** ~~text;~~

The

~~Plain text – Unencrypted data.~~

~~Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages~~data and ~~computer~~information ~~systems~~assets ~~and~~managed ~~can often be considered an expert on~~by the ~~subject(s).~~

~~Protected Health Information (PHI) - Under US law is any information about health status, provision of health care,~~organization or ~~payment~~its ~~for~~units.
* ~~health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.~~

**Personally Identifiable Information (PII) ~~- Any data that could potentially identify a specific individual.~~:** Any information that can be used to distinguish ~~one~~or ~~person~~trace ~~from~~an ~~another~~individual's ~~and~~identity, either alone or when combined with other personal or identifying information.
* **Protected Health Information (PHI):** As defined under applicable laws (e.g., HIPAA in the US), information relating to health status, healthcare provision, or payment for healthcare that can be ~~used~~linked ~~for~~to ~~de-anonymizing~~a ~~anonymous~~specific ~~data~~individual.
* ~~can be considered~~

**Protected ~~data~~Data:** -A ~~See~~collective term referring to PII ~~and~~and/or PHI

~~Information~~requiring ~~Resource - The data and information assets of an organization, department or unit.~~

~~Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize~~specific security ~~risks~~measures.
* to**Plain ~~physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.~~

~~Sensitive data -~~Text:** Data that is ~~encrypted~~not orencrypted.
* in**Safeguards:** ~~plain~~Technical, ~~text~~administrative, and ~~contains~~physical ~~PII~~controls orimplemented ~~PHI~~to ~~data.~~protect information ~~See~~resources ~~PII~~from threats and ~~PHI~~minimize ~~above.~~security risks.
* **Sensitive Data:** Data classified by the organization as requiring protection due to its confidential nature, including but not limited to Protected Data.