Managing Data Breach Notices and Responses

Updated as of: September 19, 2019

Preemptive Love Coalition [*corporate name], a U.S. registered 501(c)(3) charitable organization (“Preemptive Love Coalition,” “we,” “us,” or “our”), has issued this Data Breach Management Policy to describe how we respond to any reported data security breach or data security incident (each such instance, a “Data Breach,” as more thoroughly described below), to ensure we can act responsibly, and to protect our collected information as far as possible.

Data Breaches will vary in impact and risk depending on the content and quantity of data involved, the circumstances of the loss, and the speed of response to the incident. By managing all perceived Data Breaches in a timely manner, it may be possible to contain and recover the data before an actual breach occurs, reducing the risks and impact to Preemptive Love Coalition and our customers, employees, and website visitors.

Overview:

This policy applies to all Preemptive Love Coalition information, regardless of format, and is applicable to all employees, contractors, and data processors acting on behalf of Preemptive Love Coalition. It should be read in conjunction with our Privacy Policy and supports our compliance with the General Data Protection Regulation (the “GDPR”) concerning our handling of the personal data of users, customers, and website visitors from the European Economic Area (“Data Subjects”).

The aim of this policy is to standardize our response to any reported Data Breach and ensure that reports are appropriately logged and managed in accordance with best practice guidelines. 

By adopting a standardized, consistent approach to all reported incidents, we aim to ensure that: 

  • Incidents are reported in a timely manner and can be properly investigated; 
  • Incidents are handled by authorized and skilled personnel; 
  • Appropriate levels of our management are involved in response management;
  • Incidents are recorded and documented; 
  • The impact of the incidents is understood and action is taken to prevent further damage; 
  • Evidence is gathered, recorded, and maintained in a form that will withstand internal and external scrutiny; 
  • External bodies or Data Subjects are informed as required; 
  • The incidents are dealt with efficiently and normal operations restored; and 
  • The incidents are reviewed to identify future improvements in policies and procedures. 

Data Breach:

A Data Breach is considered to be any loss of, or unauthorized access to, our data, usually involving personal or confidential information, including intellectual property. Data Breaches include the loss, modification, or theft of data or of equipment on which data is stored; inappropriate access controls allowing unauthorized use; human error (e.g., information sent to the incorrect recipient); hacking attacks; and “blagging” (incidents involving information obtained by deception).

Data Security Incident:

A data security incident arises where there is a risk of a Data Breach, but a loss or unauthorized access has not actually occurred. It is not always clear whether an incident has resulted in a Data Breach; by reporting all perceived data security incidents quickly, steps can be taken to investigate, secure the information, and prevent the incident from becoming an actual Data Breach (e.g., by reporting an email sent to the wrong recipient, which IT can then remove before it has been read, ensuring that the data has been contained and not seen by the incorrect recipient).

For the purposes of this policy, “Data Breaches” include both confirmed and suspected incidents.

Responsibilities:

1) Information Users.  All information users are responsible for reporting actual, suspected, threatened, or potential information security incidents and for assisting with investigations, as necessary, particularly if urgent action must be taken to prevent further damage.

2) Heads of Departments.  Heads of departments are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required. 

3) Lead Responsible Officers.  “Lead Responsible Officers” will be responsible for overseeing management of the Data Breach in accordance with this Data Breach Management Plan (as described below). Suitable delegation may be appropriate in some circumstances. 

4) Preemptive Love Coalition’s IT Group.  Where the Data Breach involves digital information or technical security, our IT group will be responsible for the technical controls to support securing the network and containing or recovering the data.

5) Data Protection Officer (“DPO”).  The DPO is responsible for providing advice and guidance and must be informed of any incident or breach that involves personal data. Our DPO, Dane Barnett, can be contacted at dataprotection@preemptivelove.org.

Data Classification:

All reported incidents will need to include the appropriate data classification so that an assessment of risk can be conducted. Data classification, as referred to in this policy, means the following categories:

1) Public Data.  Information intended for public use or information that can be made public without any negative impact for Preemptive Love Coalition. 

2) Internal Data.  Information regarding the day-to-day business operations of Preemptive Love Coalition. Primarily for employee use, though some information may be useful to third parties who work with Preemptive Love Coalition. 

3) Confidential Data.  Information of a more sensitive nature for the business operations of Preemptive Love Coalition, representing basic intellectual capital and knowledge. Access should be limited to only those people who need to know as part of their role within Preemptive Love Coalition. 

4) Highly confidential Data.  Information that, if released, will cause significant damage to our business activities or reputation or would lead to violation of U.S. federal regulation or the GDPR. Access to this information should be highly restricted.

Data Breach Reporting:

Confirmed or suspected Data Breaches should be reported promptly to the DPO as the primary point of contact at dataprotection@preemptivelove.org. The report should include full and accurate details of the Data Breach, including who is reporting the Data Breach and what classification of data is involved. Where possible, a Data Breach Report Form should be completed as part of the reporting process (see Appendix 1). 

Once a Data Breach has been reported, an initial assessment will be made to establish the severity of the Data Breach and who the Lead Responsible Officer will be (see Appendix 2).

All Data Breaches will be centrally logged in the [IS Global Service Management] tool to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes. 

Data Breach Management Plan:

The management response to any reported Data Breach will involve the following four elements: 

  1. Containment and Recovery 
  2. Assessment of Risks 
  3. Consideration of Further Notification 
  4. Evaluation and Response 

Each of these four elements will need to be conducted in accordance with the checklist for Data Breaches (see Appendix 3). An activity log recording the timeline of the incident management should also be completed (see Appendix 4). 

Authority:

Preemptive Love Coalition’s employees, contractors, consultants, customers, and website visitors who act in violation of this policy (or who do not act to implement it, as applicable) may be subject to disciplinary procedures or other appropriate sanctions.

References:

Information Commissioner’s Office, Guidance on data security breach management:
https://ico.org.uk/media/1562/guidance_on_data_security_breach_management.pdf

Appendix 1: Data Breach Report Form

Description of the Data Breach:

Who identified the Data Breach?

When was the Data Breach identified?

Who is reporting the Data Breach? (Name/Post/Dept.)

Contact details: (Telephone/Email)

Classification of the data breached:

  1. Public Data
  2. Internal Data
  3. Confidential Data
  4. Highly confidential Data

Volume of data involved:

Confirmed or suspected Data Breach?

Is the Data Breach contained or ongoing?

If ongoing, what actions are being taken to recover the data?

Who has been informed of the Data Breach?

Any other relevant information:

Email the completed form to the DPO: dataprotection@preemptivelove.org

Call (254) 400-2033 and advise that a Data Breach Report form is being sent.

Received by:

Date/Time:

Appendix 2: Evaluation of Incident Severity

The severity of the incident will be assessed by the Data Protection Officer, based upon the following criteria:

High Criticality: Major Incident

Criteria:

  • Highly confidential personal data
  • Data Breach concerning personal data involves >1000 Data Subjects
  • External third-party data involved
  • Significant or irreversible consequences
  • Likely media coverage
  • Immediate response required, regardless of whether it is contained or not
  • Requires significant response beyond normal operating procedures

Lead Responsible Officer:

  • To be determined by the [Incident Management Team/ DPO].

Other relevant contacts:

  • [Information Compliance Team]
  • Internal senior managers, as required
  • External parties, as required (e.g., police and/or impacted Data Subjects)

Moderate Criticality: Serious Incident

Criteria:

  • Confidential data
  • Not contained within Preemptive Love Coalition/affiliates
  • Data Breach involves personal data of more than 100 Data Subjects
  • Significant inconvenience will be experienced by impacted Data Subjects
  • Incident may not yet be contained
  • Incident does not require immediate response
  • Incident response may require notification to Preemptive Love Coalition’s senior managers

Lead Responsible Officer:

  • Head of department affected by the incident [or On-call IT Incident Manager]

Other relevant contacts:

  • Head of Legal Services
  • Director of Human Resources
  • Director of External Relations
  • Head of Security
  • Chief Information Officer
  • [Information Compliance Team]

Low Criticality: Minor Incident

Criteria:

  • Internal or confidential data
  • Small number of Data Subjects involved
  • Risk to Preemptive Love Coalition is low
  • Some inconvenience may be suffered by impacted Data Subjects
  • Loss of data is contained/encrypted
  • Incident can be responded to during working hours

Examples: an email sent to the wrong recipient; loss of an encrypted mobile device

Lead Responsible Officer:

  • Head of Department (may delegate responsibility to another appropriate member of staff)

Other relevant contacts:

  • [IT Service Management/ Incident Manager] to advise and lead on technical aspects of containment/recovery
  • DPO to follow up on policy procedures for managing Data Breaches

Appendix 3: Data Breach Checklists

  1. Containment and Recovery
  2. Assessment of Risks
  3. Consideration of Further Notification
  4. Evaluation and Response

Each checklist below lists the steps to take, with notes on each step.

A. Containment and Recovery
Purpose: To contain any Data Breach, to limit further damage as far as possible, and to seek to recover any lost data.

  1. [Incident Management Team/ DPO] to ascertain the severity of the Data Breach and to determine if any personal data is involved.
     Notes: See Appendix 2.
  2. [Incident Management Team/ DPO] to identify a Lead Responsible Officer for investigating the Data Breach and forward a copy of the Data Breach Report.
     Notes: Lead Responsible Officer to oversee the full investigation and produce a report. The DPO should ensure that the Lead Responsible Officer has appropriate resources, including sufficient time and authority.
  3. Identify the cause of the Data Breach and whether the Data Breach has been contained.
     Notes: Ensure that any possibility of further data loss is removed or mitigated as far as possible. Establish what steps can or need to be taken to prevent further data loss, and contact all relevant departments who may be able to assist in this process. This may involve actions such as taking systems offline or restricting access to systems to a very small number of staff until more is known about the incident.
  4. Determine whether anything can be done to recover any losses and limit any damage that may be caused.
     Notes: E.g., physical recovery of data/equipment or, where data is corrupted, restoration from back-ups.
  5. Where appropriate, the Lead Responsible Officer (or nominee) will inform the police.
     Notes: E.g., stolen property; fraudulent activity.
  6. Ensure all key actions and decisions are logged and recorded on the timeline (see Appendix 4).

B. Assessment of Risks
Purpose: To identify and assess the ongoing risks that may be associated with the Data Breach.

  7. What type and volume of data is involved?
     Notes: Data classification and volume of personal data.
  8. How sensitive is the data?
     Notes: Is it sensitive personal data by virtue of the definition within the GDPR, sensitive because of what might happen if it were misused (e.g., banking details), or sensitive to our business operations?
  9. What has happened to the data?
     Notes: E.g., if data has been stolen, it could be used for purposes which are harmful to the Data Subjects to whom the data relates; if it has been damaged, this poses a different type and level of risk.
  10. If the personal data was lost or stolen, were there any protections in place to prevent access or misuse?
     Notes: E.g., encryption of the personal data/device.
  11. If the personal data was damaged/corrupted/lost, were there protections in place to mitigate the impact of the loss?
     Notes: E.g., back-up tapes or copies.
  12. How many Data Subjects’ personal data are affected by the Data Breach?
  13. Who are the Data Subjects whose personal data has been compromised?
     Notes: Employees, contractors, consultants, customers, clients, suppliers?
  14. What could the personal data tell a third party about an individual Data Subject? Could it be misused?
     Notes: Consider this regardless of what has happened to the personal data, particularly with regard to the sophistication of the thief/defrauder (if known).
  15. Is there actual/potential harm that could come to any Data Subjects?
     Notes: E.g., are there risks to:
       • physical safety;
       • emotional wellbeing;
       • reputation;
       • finances;
       • identity (theft/fraud from release of non-public identifiers); or
       • a combination of these and other private aspects of their lives?
  16. Are there wider consequences to consider?
     Notes: E.g., a risk to public health or loss of public confidence in an important service we provide.
  17. Are there others who might advise on risks/courses of action?
     Notes: E.g., if Data Subjects’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help prevent fraudulent use.

C. Consideration of Further Notification
Purpose: Notification is to enable Data Subjects who may have been affected to take steps to protect themselves, or to allow the regulatory bodies to perform their functions.

  18. Are there any legal, contractual, or regulatory requirements to notify?
     Notes: E.g., terms of funding; contractual obligations.
  19. Can notification help Preemptive Love Coalition meet its obligations under the GDPR (or under applicable U.S. federal regulations)?
     Notes: E.g., prevent any unauthorized access, use, loss of, or damage to the personal data.
  20. Can notification help the affected Data Subject(s)?
     Notes: Could Data Subjects act on the information provided to mitigate risks (e.g., by changing passwords or monitoring their accounts)?
  21. Consider whom to notify, what to tell them, and how to communicate the message.
     Notes:
       • There are a number of different ways to notify those affected. Always bear in mind the security of the medium as well as the urgency of the situation.
       • Include a description of how and when the Data Breach occurred and what personal data was involved. Include details of what has already been done to respond to the risks posed by the Data Breach.
       • When notifying Data Subjects, give specific and clear advice on the steps they can take to protect themselves and explain how we will help them.
       • Provide a way in which Data Subjects can contact us for further information or to ask questions about what has occurred (e.g., the DPO contact information).
  22. Consider, as necessary, the need to notify any third parties who can assist in helping or mitigating the impact on Data Subjects.
     Notes: E.g., police, insurers, professional bodies, funders, trade unions, website/system owners, bank/credit card companies.

D. Evaluation and Response
Purpose: To evaluate the effectiveness of Preemptive Love Coalition’s response to the Data Breach.

  23. Establish where any present or future risks lie.
  24. Consider the personal data and contexts involved.
     Notes: E.g., what personal data is held, its extent, sensitivity, where and how it is stored, and how long it is kept.
  25. Consider and identify any weak points in existing security measures and procedures.
     Notes: E.g., in relation to methods of storage and/or transmission, use of storage devices, levels of access, systems/network protections.
  26. Consider and identify any weak points in levels of security awareness/training.
     Notes: Fill any gaps through training or tailored advice.
  27. Report on findings and implement recommendations.
     Notes: Report to [Information Management Team and] the DPO.

Appendix 4: Timeline of Data Breach Management

Record each entry in the activity log with the following fields: Date, Time, Activity, Decision, Authority.