Breach Incident Response Plan
ANATOMY_IT, LLC – INFORMATION SECURITY
INCIDENT RESPONSE PLAN
This Information Security Incident Response Plan is part of ANATOMY_IT, LLC’s comprehensive effort to protect the sensitive personal data of ANATOMY_IT, LLC’s customers and employees as well as ANATOMY_IT, LLC’s own confidential data. The purpose of this plan is to secure this data and to maintain its integrity during any information security incident (an “Incident”).
This plan includes an Incident notification process, establishes a team to address Incidents, provides a common definition for determining the significance of an Incident, and outlines a method to assess and investigate Incidents.
This plan will be updated on an annual basis in the last month of each of ANATOMY_IT, LLC’s fiscal years or otherwise at the direction of ANATOMY_IT, LLC.
PHASE I – REPORT INCIDENT
Any employee who becomes aware of an actual, imminent or potential Incident – an unauthorized disclosure of personal data – should provide notice as set forth below.
Types of Data and Unauthorized Disclosure
Personal Data. Personal data is information that is, or can be, about or related to an identifiable individual. Most of the information ANATOMY_IT, LLC collects about its customers and employees is likely to be considered personal data. Some examples of personal data include, but are not limited to:
- Contact information (address, phone number, e-mail address)
- Social security number or government identifier
- Other identification numbers, including customer or account numbers
- Financial account information
- Driver’s license
- Date of birth, mother’s maiden name
- Information that could lead to identity theft
- Personnel records
- Racial or ethnic origin
- Medical information (including Protected Health Information (PHI), as defined by federal regulations), gender or physical characteristics
- Other information that an individual would not expect to be disclosed without his or her authorization
Type of Disclosure. Incidents can result from any of the following, if personal data is potentially involved:
- Intentional and unintentional acts
- Actions of ANATOMY_IT, LLC employees
- Actions of ANATOMY_IT, LLC vendors or customers
- Actions of other third parties
- External or internal acts
- Credit card fraud
- Natural disasters and power failures
- Acts related to violence, warfare or terrorism
If an employee becomes aware of an Incident, he or she must provide immediate notice to his or her direct supervisor and to the following Incident Team representative:
PHASE II – TEAM ASSEMBLY AND ORGANIZATION
The Incident Team is responsible for coordinating ANATOMY_IT, LLC’s response to an Incident.
Team Roles and Contacts
The following roles, to be filled by the persons whose contact information appears below, comprise the Incident Team:
Management. An officer or director of ANATOMY_IT, LLC. Has the ultimate responsibility for the decisions or action plans to be implemented. Determines the strategy for resolution.
Legal. ANATOMY_IT, LLC’s corporate counsel. Among other duties, determines and remains cognizant of the extent to which Incident Team activities are subject to the attorney-client privilege.
Name: Robert J. Scott
Title: Outside Counsel
Address: Scott & Scott, LLP
550 Reserve Street, Suite 200
Southlake, TX 76092
Phone: (214) 999-0080
Human Resources. ANATOMY_IT, LLC’s human resources officer. This individual is to serve as the primary point-of-contact for ANATOMY_IT, LLC employees to report an Incident and also is to alert the remainder of the Incident Team following the occurrence of an Incident.
HIPAA Officer. The individual at ANATOMY_IT, LLC most familiar with HIPAA and/or other applicable privacy laws and regulations. (This role may be filled by one of the other Incident Team members.)
After the occurrence of an Incident, the Incident Team is to assemble for a preliminary meeting within the following response times:
Alert Level 1
Definition – A breach of sensitive personal data has occurred
Example – A file containing information subject to HIPAA or other privacy laws or regulations is disclosed.
Time for Initial Team Meeting – Within 1 hour
Alert Level 2
Definition – A breach of non-sensitive personal data has occurred
Example – An ANATOMY_IT, LLC customer number has been disclosed.
Time for Initial Team Meeting – Within 5 hours
Alert Level 3
Definition – A breach of personal data (sensitive or non-sensitive) is imminent
Example – A disk containing non-encrypted account information is missing.
Time for Initial Team Meeting – Within 24 hours
Alert Level 4
Definition – A breach of personal data (sensitive or non-sensitive) is threatened
Example – A former employee threatens to disclose ANATOMY_IT, LLC financial information.
Time for Initial Team Meeting – Within 72 hours
Considerations for Initial Incident Team Meeting
The purpose of the initial Incident Team meeting is to assess the information already available regarding the Incident at issue and to identify real or potential internal and external stakeholders that affect, or are or may be affected by, the Incident. Among the evaluation criteria that should be considered are:
- Is the information involved in the Incident really personal data?
- If the information already available is accurate, would notice to data subjects or the government be required by law?
- What would be the potential damage to data subjects and/or ANATOMY_IT, LLC arising from the misuse of disclosed data and the likelihood of misuse?
- How was the personal data compromised, or how might it be or have been subject to compromise?
In addition, at the initial meeting following the occurrence of an Incident, the Incident Team is to assign responsibility for creation and maintenance of a log to track the progress of the Incident Team’s response to the Incident. (This responsibility is best assigned to Legal, whenever possible.)
PHASE III – CONDUCT INITIAL ASSESSMENT
Following the initial meeting, the Incident Team should proceed to conduct an initial assessment of the Incident.
Collect Relevant Information
The Incident Team should search internal information and media sources (if any) and should engage stakeholders to collect the information needed to prepare an appropriate response to an Incident.
Appropriate Questions. Examples of the sorts of questions that the Incident Team should ask in order to gather information are as follows:
- What data/content was breached?
- What data subjects are affected?
- Where are the affected data subjects located?
- What are the potential risks to ANATOMY_IT, LLC & to the data subjects?
- Where else is the data/system/supplier used?
- Are there any business continuity implications?
- When did the privacy/data protection breach occur and where?
- Was it reported to law enforcement? If not, should it be reported?
- Is it ongoing?
- Who was the custodian of the information (ANATOMY_IT, LLC vs. service provider)?
- Who in ANATOMY_IT, LLC is the data owner?
- Which system was compromised?
- Which systems interface with that system?
- Where is the service provider (if any) located?
- Where is the data housed?
- Can the asset/information compromised lead to another breach?
- Is the offender internal or external?
- Was the breach malicious (organized attack or a “mistake”)?
Primary Objectives. The primary objectives of the Incident Team’s information gathering activities are as follows:
- Determine for each potentially affected individual the specific personal data that may be at risk.
- Determine the type of Incident. What is the worst possible outcome for ANATOMY_IT, LLC and data subjects? What is the best possible outcome?
- Is notice to the data subjects warranted or recommended?
Notification. The Incident Team is to carefully assess a number of legal considerations concerning notification to data subjects regarding an Incident, including the following:
- Is there a statutory legal obligation to notify?
- Are there other substantive legal considerations regarding notification (e.g., contractual or other liability)?
- Even if there appear to be no statutory or regulatory requirements for notification, consider:
  - The nature of the breach and its potential impact on the data subject
  - The type of personal data
    - Could it lead to identity theft?
    - Consider other personal data about which an individual may want to be notified if it is accessed (e.g., medical records (including PHI), personnel files, etc.)
    - The likelihood of misuse (the extent to which an unauthorized person has had an opportunity to use, access, or further disclose the personal data for illicit purposes)
    - The potential damage arising from the misuse
    - The tools available to both the company and its customers to identify and address the unauthorized use of customer personal data
    - Whether a data subject receiving that notification can take steps to protect himself or herself against identity theft or other fraud (e.g., notifying a credit bureau or the issuer of a driver’s license)
    - Whether notification to data subjects can be deemed a part of damage mitigation efforts (both the HIPAA Privacy Rule and Security Rule require covered entities to mitigate the known harmful effects of any Privacy/Data Protection incidents)
    - Whether notification might result in unnecessary alarm or confusion
    - Whether over-notification might result in credit bureaus not being able to promptly respond to affected individuals
Decisions Regarding Next Steps
With the information gathered, the Incident Team is to determine what factors may affect ANATOMY_IT, LLC’s response to an Incident. Those factors may include the following:
- Review and re-visit stakeholder identification.
- Determine whether notice to the government is required or recommended.
- Determine whether contact with credit bureaus is required or recommended.
- Determine what possible actions could be taken by affected data subjects and the extent to which ANATOMY_IT, LLC may be able to mitigate the risk.
- Assess resource needs (e.g., communications to data subjects, media statements, call centers, targeted web sites (public or private)).
- Develop a concise initial statement regarding the Incident.
- Determine whether any early warning signals were overlooked or ignored.
PHASE IV – CONTAIN RISK AND EXPOSURE
Following information gathering activities, the Incident Team is to develop and implement a plan to contain and mitigate the risk of exposure to ANATOMY_IT, LLC and affected stakeholders.
Identify Specific Actions
The Incident Team is to develop specific plans for data subjects, ANATOMY_IT, LLC, and other affected parties.
- Develop a set of interim containment actions prior to attempting a permanent resolution (focus on protecting our customers and employees)
- Determine whether there is an immediate risk of a third party taking action that would disrupt intended actions
- Determine whether there is an immediate risk of commercial damage (financial, legal, and/or reputation) to the business
- Determine whether there are any actions to be taken now to avoid missing an opportunity
Determine ANATOMY_IT, LLC’s Initial Response
The Incident Team is to develop and implement ANATOMY_IT, LLC’s global response to an Incident.
- Contact affected individuals, credit bureaus, governmental entities, if determined to be appropriate during Phase III
- Set up call center, if appropriate
Develop and Summarize the Ongoing Strategy
In addition to any initial, global response, the Incident Team is to develop ANATOMY_IT, LLC’s ongoing strategy to mitigate any exposure resulting from an Incident.
- Initial response sets the tone for ongoing response
- Develop a one-two sentence summary of the overarching strategy for all team members to understand
- Determine whether additional actions are needed for other activities performed by the suppliers or service providers involved (if any)
- Develop a communications plan that includes:
  - Details of key messages tracked in the incident log
  - A holding statement to respond to inquiries
  - Consideration of external stakeholders that should be involved or notified
  - Consideration of the messages that need to be communicated to every stakeholder (consider media, ANATOMY_IT, LLC leadership, ANATOMY_IT, LLC employees, ANATOMY_IT, LLC call centers, and external stakeholders (including dealers))
  - Assurance that messages are consistent
PHASE V – TOWARD THE ROOT CAUSE AND RESOLUTION
In addition to implementation of ANATOMY_IT, LLC’s response to an Incident, the Incident Team also is to evaluate and to develop an appropriate plan to address the root cause of an Incident and to continue to work toward resolution, with the following considerations.
The Incident Team should determine whether additional resources may be required for diagnosis and further activities going forward, and it also should re-visit any decisions made during earlier phases regarding the use of external resources, such as crisis management companies, to assist ANATOMY_IT, LLC’s efforts.
The Incident Team should:
- Review and improve the information from the initial diagnosis and add any new information that is relevant
- Identify the likely causes and test each for validity
- Focus on key assumptions that are uncertain and could affect the outcome of the incident
The Incident Team should analyze the Incident from the perspective of other stakeholders and should continually update the stakeholder analysis to capture any changing attitudes.
Understand Resulting Harm
The Incident Team should determine what actions, if any, should be taken to compensate the affected data subjects (e.g., buying credit reports, indemnification, etc.) and should develop a mitigation plan, if appropriate (e.g., pursuant to HIPAA).
Develop Specific Actions to Resolve the Incident
The Incident Team should determine whether there are any unintended consequences that may result from its action plan, with special consideration of the effects on key stakeholders (internal and external). With that information in mind, it should prepare a list of final actions to resolve the Incident, with responsibility for each action assigned to a specific, accountable individual. In addition, Human Resources is to review any appropriate employee actions, if applicable.
The Incident Team should identify what final reports are to be issued, to whom they are to be delivered, and who will be responsible for their timely preparation.
PHASE VI – INCIDENT CLOSING
Following the delivery of any final reports, the Incident Team should assess the effectiveness of its strategy and processes.
Verify Effectiveness of Response Plan
The Incident Team should closely monitor progress of the resolution plan and re-evaluate the resolution plan if necessary.
Document Lessons Learned
The Incident Team should assign responsibility for documentation and include lessons learned in the incident log.
The Incident Team should:
- Determine what, if anything, ANATOMY_IT, LLC could have done to prevent the Incident from happening
- Assess changes required to ANATOMY_IT, LLC business models, systems, and processes (administration, technology, and/or physical safeguards) to reduce the likelihood of similar instances in the future
- Ensure recommended changes are implemented
Following resolution, the Incident Team should designate at least one team member to have responsibility for monitoring ongoing events and activity and for keeping a close watch on media sources.