This Data Breach Response Policy (“Policy”) has been developed to ensure an effective and consistent response to security breach incidents involving personally identifiable information. The goal of this Policy is to ensure that ViewBomb LLC (“the Company”) responds appropriately to breaches of personal data in compliance with applicable laws, regulations and guidelines.
This Policy is applicable to all Company directors, officers, employees, and agents, and any other individual or entity acting for or on Company’s behalf, whether operating inside or outside the United States. Relevant third parties, including but not limited to consultants, agents, intermediaries, and joint-venture partners handling or processing personally identifiable information on the Company’s behalf, must be informed about this Policy and agree to comply with its tenets. Compliance with this Policy is mandatory.
3.1 A “Data Breach” is any instance in which an entity that owns, possesses or licenses personally identifiable information (“PII”) determines or reasonably believes that an unauthorized person or entity may have accessed or acquired such information, or where such information has been unintentionally lost.
3.2 For purposes of this Policy, PII is defined by most statutory authorities as follows: Any information relating to an identified or identifiable natural person, including any information that can be linked to an individual or used to directly or indirectly identify an individual. PII subject to breach notification requirements can include any PII from which an individual is reasonably identifiable. In most cases, this includes an individual’s first name or first initial and last name, in combination with any of the following data elements, when the data elements are not encrypted, pseudonymized, redacted, or secured by any other method rendering the name or the element unreadable or unusable: Social security or national identification number (in some cases, a Social Security number (“SSN”) alone triggers notification requirements); Driver's license number or identification card number (some authorities include passport numbers); Account number or credit or debit card number; Home address or email address; Medical or health information.
Footnote 1: “Agents” includes independent contractors who are employees of third party companies and are performing work for the Company on a regular basis, whether on or off site.
3.3 PII does not include information that is lawfully made available to the general public. PII stored in encrypted or pseudonymized format typically does not trigger notification obligations unless the party gaining unauthorized access to the information would also have access to the encryption/pseudonym password or key.
3.4 While most authorities limit the definition of Data Breach to the unauthorized acquisition of computerized or electronic data, some consider unauthorized acquisition of unredacted PII in hardcopy format to be a data breach subject to the same legal requirements.
4.1 Any individual who suspects that PII held by the Company has been compromised must immediately notify the Company of the potential breach by providing a full description of the incident to firstname.lastname@example.org.
4.2 If a customer or other third party contacts the Company to report a potential breach via other means (such as by contacting a Company representative via telephone), the Company representative receiving the report must immediately inform the Chief Executive Officer.
5.1 When a potential breach of PII has been reported or otherwise identified, the Chief Executive Officer, in consultation with external legal counsel, will make an initial determination as to whether any PII of a customer, employee, or other individual has been acquired or may likely have been acquired by an unauthorized person or entity.
Footnote 2: Several U.S. states include other data elements in the definition of personal information, including medical information (California and Arkansas), health insurance information (California), the employer’s taxpayer identification number (Maryland and North Carolina), unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account (Iowa), a person’s employee ID number (North Dakota), unique biometric data (Iowa, Nebraska, North Carolina, and Wisconsin), a person’s fingerprints (North Carolina), a person’s digital signature (North Carolina and North Dakota), a person’s date of birth (North Dakota), mother’s maiden name (North Dakota), and DNA profile (Wisconsin).
5.2 Upon a determination that an unauthorized person or entity has acquired or is likely to have acquired PII of a customer, employee, or other individual (a “Data Breach Incident”), the Chief Executive Officer will mobilize an Incident Response Team. The Incident Response Team will be responsible for investigating, and managing the Company’s response and actions subsequent to, the Data Breach Incident.
5.3 The Incident Response Team will be chaired by the Chief Executive Officer and as necessary depending on the scope and character of the Data Breach Incident, will include members from the Company’s [list functions/departments, or other responsible persons], in consultation with external legal counsel, on a case by case basis.
The Incident Response Team will undertake the following actions, as reasonable and appropriate depending on the nature of the incident: Assess and document the scope and character of the incident, and document the date the incident was discovered; Ascertain and document the scope, content and extent of the PII believed to have been acquired by an unauthorized person or entity, including whether the PII breached belongs to a customer, employee or other individual, and the country(ies) of location of affected individuals; Determine whether law enforcement authorities should be notified; Implement and document all necessary measures to restore the integrity of the impacted system(s) and remedy any associated security vulnerabilities; Identify all affected data, machines, and devices; interview key personnel and document facts, preserve evidence (backups, images, hardware, logs and records) for potential forensic examination; Determine whether there is a reasonable likelihood that the PII breached has been or is likely to be misused; Determine whether the PII breached included critical information such as medical or health information, credit or debit card information, or social security/passport/national identification number; Advise Company employees and other individuals working for or on behalf of the Company, who are informed of the breach to keep details in confidence until notified otherwise; and Report investigation results and breach response actions to Company leadership.
7.1 When the Incident Response Team has identified the type and scope of the PII acquired by an unauthorized person or entity, the Incident Response Team will consult with external legal counsel to determine whether notification of any third parties (such as government authorities, law enforcement, affected individuals, credit reporting agencies, banks/credit card companies, and/or other entities) is required under applicable law. If so, the Incident Response Team will coordinate with external counsel to ensure that the Company makes any required notifications, and fulfills any other legal/regulatory requirements, in compliance with applicable law. If affected individuals are not required to be notified of the breach under applicable law, the Incident Response Team will determine whether the Company will make this notification anyway.
7.2 The Company will investigate potential and/or reported Data Breaches in a timely manner. Special attention will be paid to statutory breach notification deadlines, including applicable U.S. state notification deadlines and the seventy-two hour breach notification deadline in the European Union.
7.3 In cases in which breach notifications are communicated to affected individuals, the Incident Response Team will consider whether additional internal resources are needed to respond to inquiries from affected individuals, including establishing a temporary call center, and/or developing training and communication tools for personnel tasked with responding to such inquiries.
7.4 Any third parties seeking information about a potential breach (e.g., media contacts, law enforcement, regulatory agencies) should be referred without comment directly to the Chief Executive Officer. Affected individuals seeking information about a potential breach will be referred to Company employees tasked by the Incident Response Team with reviewing and responding to such requests.
8.1 Following the completion of the Data Breach response plan, the Incident Response Team will assess the Data Breach to determine the probable cause(s), and implement and document processes to mitigate those cause(s) and minimize the risk of recurrence. The Incident Response Team will review breach response activities and feedback from involved parties to determine response effectiveness, and make any necessary modifications to improve the breach response process, including, where relevant, modified or enhanced information security and training processes.
8.2 All notifications and other records and evidence relating to the Data Breach Incident and the Company’s response process will be documented and maintained by the Chief Executive Officer.
The requirements and obligations of this Policy will be communicated to Company employees and individuals working for or on behalf of the Company in the context of periodic training and/or awareness notifications provided by the Chief Executive Officer.
Data Breach Incidents that are not quickly and properly addressed can result in grave harm to the Company’s reputation, as well as substantive financial, civil, and criminal legal penalties. The Company is relying on directors, officers, employees and agents to report any and all potential Data Breach Incidents in accordance with this Policy, and any violation of the requirements of this Policy, including failure to report a potential Data Breach Incident, may result in discipline, up to and including termination and referral for prosecution.
11.1 This Policy will be made available to employees and contractors (where appropriate) via email.
11.2 This Policy may be revised at any time but will be reviewed for accuracy and completeness at least annually by the Chief Executive Officer.
Effective Date: September 1, 2020