Data Breach Protocol

Objectives

Scope

This policy applies to all incidents where a breach of personal identifying information is suspected or confirmed relating to a customer of AIM or a user of software developed by AIM.

Definitions

Personal Identifying Information (PII) – information that can be used to distinguish or trace an individual's identity. PII includes, but is not limited to, any of the following:

Breach – any situation where PII is accessed by someone other than an authorized user, for anything other than an authorized purpose.

Protocol Guidelines

Upon learning of a possible breach, high-level technical team members will immediately investigate.

  • Attempt to establish date and time of breach(es)
  • Determine cause
  • Determine any PII that was obtained
  • Determine customers/users that were affected
  • Document findings

Upon confirming a breach, perform a risk assessment.

  • Sensitivity of the PII lost (Customer contact information alone may present much less of a threat than financial information)
  • Amount of PII lost and number of individuals affected
  • Likelihood PII is usable or may cause harm
  • Likelihood the PII was intentionally targeted (increases chance for fraudulent use)
  • Strength and effectiveness of security technologies protecting the PII (e.g. encrypted PII on a stolen laptop: the PII is technically stolen, but the chance of it being accessed is greatly decreased)
  • Ability of AIM to mitigate the risk of harm
  • Prepare report and analyze with management

Notifying affected parties

Responsibility to notify is based both on the number of individuals affected and the nature of the PII that was accessed. Any information found in the initial risk assessment will be turned over to legal counsel, who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Notification will be made in a timely manner, but not so soon as to unnecessarily compound the initial incident with incomplete facts or to make identity theft more likely through the notice. In the case that notification must be made:

  • Only those that are legally required to be notified will be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
  • A physical copy will always be mailed to the affected parties no matter what other notification methods are used (e.g. phone or email).
  • A contact email and phone number will be established for those who have additional questions about how the breach will affect them.

Notifications will include:

  • A brief description of the incident: the nature of the breach and the approximate date it occurred.
  • A description of the type(s) of PII that were involved in the breach (the general types of PII, not an individual's specific information).
  • An explanation of what is being done to investigate the breach, mitigate its negative effects and prevent future incidents.
  • Steps the individual can take to mitigate any potential side effects from the breach.
  • Contact information for additional questions the recipient may have.

Mitigating Risks

  • Based on the findings of the risk assessment, a plan will be developed to mitigate the risk involved with the breach.
  • The exact course of action will be based on the type of PII that was involved in the data breach.
  • The course of action will aim to minimize the effect of the initial breach and to prevent similar breaches from taking place.
  • Affected individuals will be notified as soon as possible so they can take their own steps to mitigate potential risk.
  • If there is a substantial concern for fraudulent use of PII, affected individuals will be offered free access to a credit monitoring service.
  • AIM will also provide steps to mitigate risks that can be taken by affected individuals. The steps provided to affected individuals will depend on the nature of the data breach. If the breach has created a high risk for fraudulent use of financial information, customers may be advised to:
    • Monitor their financial accounts and immediately report any suspicious or fraudulent activity.
    • Contact the three major credit bureaus and place an initial fraud alert on their credit reports. This can be extremely helpful in situations where PII that can be used to open new accounts, such as social security numbers, has been taken.
    • Be wary of attempts by criminals who may see the breach as an opportunity to pose as employees in order to deceive affected individuals into divulging personal information.
    • File a report with local police, or with the police in the community where the breach took place.