This policy establishes how we will respond in the event of a data breach and outlines the action plan used to investigate potential breaches and to mitigate damage if a breach occurs. It exists both to minimize the damage that could result from a data breach and to ensure that affected parties are properly informed of how to protect themselves.
This policy applies to all incidents in which a breach of customer or employee personal identifying information is suspected or confirmed.
Personal Identifying Information (PII) – Information that can be used to distinguish or trace an individual’s identity. PII includes, but is not limited to, any of the following:
Breach – Any situation where PII is accessed by someone other than an authorized user, for anything other than an authorized purpose.
A breach or suspected breach of PII must be investigated immediately. Because all PII is highly confidential, only personnel necessary to the investigation will be informed of the breach. The following information must be reported to the appropriate management personnel:
Management will then record the events and people involved, along with any findings made over the course of the investigation, and determine whether or not a breach has occurred.
Perform a Risk Assessment
Once a breach has been verified and contained, perform a risk assessment that rates the:
All information collected during the risk assessment must be compiled into a single report and analyzed. The completed risk assessment must then be provided to the personnel in charge of data breach response management.
Notifying Affected Parties
The obligation to notify depends both on the number of individuals affected and on the nature of the PII that was accessed. The findings of the initial risk assessment will be turned over to legal counsel, who will review the situation to determine whether, and to what extent, notification is required. Notification should be made in a manner that ensures affected individuals actually receive notice of the incident. Notification will be made in a timely manner, but not so quickly that incomplete facts compound the initial incident or the notice itself makes identity theft more likely.
In the case that notification must be made:
Based on the findings of the risk assessment, a plan will be developed to mitigate the risk arising from the breach. The exact course of action will depend on the type of PII involved in the data breach, and will aim both to minimize the effect of the initial breach and to prevent similar breaches from taking place.
ACA Compliance Services, Inc. will also provide affected individuals with steps they can take to mitigate their own risk. The steps provided will depend on the nature of the data breach. If the breach has created a high risk of fraudulent use of financial information, customers may be advised: