Breach Incident Response Plan

Anatomy IT, LLC – INFORMATION SECURITY

INCIDENT RESPONSE PLAN

This Information Security Incident Response Plan is part of Anatomy IT, LLC’s comprehensive effort to protect the sensitive personal data of Anatomy IT, LLC’s customers and employees, as well as Anatomy IT, LLC’s own confidential data. The purpose of this plan is to secure this data and to maintain its integrity during any information security incident (an “Incident”).

This plan includes an Incident notification process, establishes a team to address Incidents, provides a common definition for determining the significance of an Incident, and outlines a method to assess and investigate Incidents.

This plan will be updated on an annual basis in the last month of each of Anatomy IT, LLC’s fiscal years or otherwise at the direction of Anatomy IT, LLC.

PHASE I – REPORT INCIDENT

Any employee who becomes aware of an actual, imminent or potential Incident – an unauthorized disclosure of personal data – should provide notice as set forth below.

Types of Data and Unauthorized Disclosure

Personal Data. Personal data is information that is, or can be, about or related to an identifiable individual. Most of the information Anatomy IT, LLC collects about its customers and employees is likely to be considered personal data. Some examples of personal data include, but are not limited to:

  • Name
  • Contact information (address, phone number, e-mail address)
  • Social security number or government identifier
  • Other identification numbers, including customer or account numbers
  • Financial account information
  • Driver’s license
  • Date of birth, mother’s maiden name
  • Information that could lead to identity theft
  • Personnel records
  • Racial or ethnic origin
  • Medical information (including Protected Health Information (PHI), as defined by federal regulations), gender or physical characteristics
  • Other information that an individual would not expect to be disclosed without his or her authorization

Type of Disclosure. Incidents can result from any of the following, if personal data is potentially involved:

  • Intentional and unintentional acts
  • Actions of Anatomy IT, LLC employees
  • Actions of Anatomy IT, LLC vendors or customers
  • Actions of other third parties
  • External or internal acts
  • Credit card fraud
  • Potential violations of Anatomy IT, LLC’s Privacy Policy
  • Natural disasters and power failures
  • Acts related to violence, warfare or terrorism

Incident Reporting

If an employee becomes aware of an Incident, he or she must provide immediate notice to his or her direct supervisor and to the following Incident Team representative:

Name: insert

Title: insert

Address: insert

Phone: insert

Fax: insert

E-mail: insert

PHASE II – TEAM ASSEMBLY AND ORGANIZATION

The Incident Team is responsible for coordinating Anatomy IT, LLC’s response to an Incident.

Team Roles and Contacts

The following roles, to be filled by the persons whose contact information appears below, comprise the Incident Team:

Management. An officer or director of Anatomy IT, LLC. Has the ultimate responsibility for the decisions or action plans to be implemented. Determines the strategy for resolution.

Name: insert

Title: insert

Address: insert

Phone: insert

Fax: insert

E-mail: insert

Legal. Anatomy IT, LLC’s corporate counsel. Among other duties, determines and remains cognizant of the extent to which Incident Team activities are subject to the attorney-client privilege.

Name: Robert J. Scott

Title: Outside Counsel

Address: Scott & Scott, LLP

550 Reserve Street, Suite 200

Southlake, TX 76092

Phone: (214) 999-0080

E-mail: rjscott@scottandscottllp.com

Human Resources. Anatomy IT, LLC’s human resources officer. This individual is to serve as the primary point-of-contact for Anatomy IT, LLC employees to report an Incident and also is to alert the remainder of the Incident Team following the occurrence of an Incident.

Name: insert

Title: insert

Address: insert

Phone: insert

Fax: insert

E-mail: insert

HIPAA Officer. The individual at Anatomy IT, LLC most familiar with HIPAA and/or other applicable privacy laws and regulations. (This role may be filled by one of the other Incident Team members.)

Name: insert

Title: insert

Address: insert

Phone: insert

Fax: insert

E-mail: insert

Response Times

After the occurrence of an Incident, the Incident Team is to assemble for a preliminary meeting within the following response times:

Alert Level 1

Definition – A breach of sensitive personal data has occurred

Example – A file containing information subject to HIPAA or other privacy laws or regulations is disclosed.

Time for Initial Team Meeting – Within 1 hour

Alert Level 2

Definition – A breach of non-sensitive personal data has occurred

Example – An Anatomy IT, LLC customer number has been disclosed.

Time for Initial Team Meeting – Within 5 hours

Alert Level 3

Definition – A breach of personal data (sensitive or non-sensitive) is imminent

Example – A disk containing non-encrypted account information is missing.

Time for Initial Team Meeting – Within 24 hours

Alert Level 4

Definition – A breach of personal data (sensitive or non-sensitive) is threatened

Example – A former employee threatens to disclose Anatomy IT, LLC financial information.

Time for Initial Team Meeting – Within 72 hours

Considerations for Initial Incident Team Meeting

The purpose of the initial Incident Team meeting is to assess the information already available regarding the Incident at issue and to identify real or potential internal and external stakeholders that affect, or are or may be affected by, the Incident. Among the evaluation criteria that should be considered are:

  • Is the information involved in the Incident really personal data?
  • If the information already available is accurate, would notice to data subjects or the government be required by law?
  • What would be the potential damage to data subjects and/or Anatomy IT, LLC arising from the misuse of disclosed data and the likelihood of misuse?
  • How was the personal data compromised, or how might it be or have been subject to compromise?

In addition, at the initial meeting following the occurrence of an Incident, the Incident Team is to assign responsibility for creation and maintenance of a log to track the progress of the Incident Team’s response to the Incident. (This responsibility is best assigned to Legal, whenever possible.)

PHASE III – CONDUCT INITIAL ASSESSMENT

Following the initial meeting, the Incident Team should proceed to conduct an initial assessment of the Incident.

Collect Relevant Information

The Incident Team should search internal information and media sources (if any) and should engage stakeholders to collect the information needed to prepare an appropriate response to an Incident.

Appropriate Questions. Examples of the sorts of questions that the Incident Team should ask in order to gather information are as follows:

  • What data/content was breached?
  • What data subjects are affected?
  • Where are the affected data subjects located?
  • What are the potential risks to Anatomy IT, LLC and to the data subjects?
  • Where else are the data/system/supplier used?
  • Are there any business continuity implications?
  • When did the privacy/data protection breach occur and where?
  • Was it reported to law enforcement? If not, should it be reported?
  • Is it ongoing?
  • Who was the custodian of the information (Anatomy IT, LLC vs. service provider)?
  • Who in Anatomy IT, LLC is the data owner?
  • Which system was compromised?
  • Which systems interface with that system?
  • Where is the service provider (if any) located?
  • Where is the data housed?
  • Can the asset/information compromised lead to another breach?
  • Is the offender internal or external?
  • Was the breach malicious (organized attack or a “mistake”)?

Primary Objectives. The primary objectives of the Incident Team’s information gathering activities are as follows:

  • Determine for each potentially affected individual the specific personal data that may be at risk.
  • Determine the type of Incident. What is the worst possible outcome for Anatomy IT, LLC and data subjects? What is the best possible outcome?
  • Is notice to the data subjects warranted or recommended?

Notification. The Incident Team is to carefully assess a number of legal considerations concerning notification to data subjects regarding an Incident, including the following:

  • Is there a statutory legal obligation to notify?
  • Are there other substantive legal considerations regarding notification (e.g., contractual or other liability)?
  • Even if there appear to be no statutory or regulatory requirements for notification, consider:
    – The nature of the breach and its potential impact on the data subject
    – The type of personal data
      * Could it lead to identity theft?
      * Consider other personal data that an individual may want to be notified about if it is accessed (e.g., medical records (including PHI), personnel files, etc.)
      * The likelihood of misuse (the extent to which an unauthorized person has had an opportunity to use, access, or further disclose the personal data for illicit purposes)
      * The potential damage arising from the misuse
      * The tools available to both the company and its customers to identify and address the unauthorized use of customer personal data
      * Whether a data subject receiving that notification can take steps to protect himself or herself against identity theft or other fraud (e.g., notifying a credit bureau or the issuer of a driver’s license)
      * Whether notification to data subjects can be deemed a part of damage mitigation efforts (both the HIPAA Privacy Rule and Security Rule require covered entities to mitigate the known harmful effects of any privacy/data protection incidents)
      * Whether notification might result in unnecessary alarm or confusion
      * Whether over-notification might result in credit bureaus not being able to promptly respond to affected individuals

Decisions Regarding Next Steps

With the information gathered, the Incident Team is to determine what factors may affect Anatomy IT, LLC’s response to an Incident. Those factors may include the following:

  • Review and re-visit stakeholder identification.
  • Determine whether notice to the government is required or recommended.
  • Determine whether contact with credit bureaus is required or recommended.
  • Determine what possible actions could be taken by affected data subjects and the extent to which Anatomy IT, LLC may be able to mitigate the risk.
  • Assess resource needs (e.g., communications to data subjects, media statements, call centers, targeted web sites (public or private)).
  • Develop a concise, initial statement regarding the Incident.
  • Determine whether any early warning signals were overlooked or ignored.

PHASE IV – CONTAIN RISK AND EXPOSURE

Following information gathering activities, the Incident Team is to develop and implement a plan to contain and mitigate the risk of exposure to Anatomy IT, LLC and affected stakeholders.

Identify Specific Actions

The Incident Team is to develop specific plans for data subjects, Anatomy IT, LLC, and other affected parties.

  • Develop a set of interim containment actions prior to attempting a permanent resolution (focus on protecting our customers and employees)
  • Determine whether there is an immediate risk of a third party taking action that would disrupt intended actions
  • Determine whether there is an immediate risk of commercial damage (financial, legal, and/or reputation) to the business
  • Determine whether there are any actions to be taken now to avoid missing an opportunity

Determine Anatomy IT, LLC’s Initial Response

The Incident Team is to develop and implement Anatomy IT, LLC’s global response to an Incident.

  • Contact affected individuals, credit bureaus, governmental entities, if determined to be appropriate during Phase III
  • Set up call center, if appropriate

Develop and Summarize the Ongoing Strategy

In addition to any initial, global response, the Incident Team is to develop Anatomy IT, LLC’s ongoing strategy to mitigate any exposure resulting from an Incident.

  • The initial response sets the tone for the ongoing response
  • Develop a one- to two-sentence summary of the overarching strategy for all team members to understand
  • Determine whether additional actions are needed for other activities performed by the suppliers or service providers involved (if any)
  • Develop a communications plan that includes:
    – Details of key messages tracked in the incident log
    – A holding statement to respond to inquiries
    – Consideration of external stakeholders that should be involved or notified
    – Consideration of the messages that need to be communicated to every stakeholder (consider media, Anatomy IT, LLC leadership, Anatomy IT, LLC employees, Anatomy IT, LLC call centers, and external stakeholders (including dealers))
    – Assurance that messages are consistent

PHASE V – TOWARD THE ROOT CAUSE AND RESOLUTION

In addition to implementation of Anatomy IT, LLC’s response to an Incident, the Incident Team also is to evaluate and to develop an appropriate plan to address the root cause of an Incident and to continue to work toward resolution, with the following considerations.

Team Expansion

The Incident Team should determine whether additional resources may be required for diagnosis and further activities going forward, and it also should re-visit any decisions made during earlier phases regarding the use of external resources, such as crisis management companies, to assist Anatomy IT, LLC’s efforts.

Evaluate Causes

The Incident Team should:

  • Review and improve the information from the initial diagnosis and add any new information that is relevant
  • Identify the likely causes and test each for validity
  • Focus on key assumptions that are uncertain and could affect the outcome of the incident

Understand Effects

The Incident Team should analyze the Incident from the perspective of other stakeholders and should continually update the stakeholder analysis to capture any changing attitudes.

Understand Resulting Harm

The Incident Team should determine what actions, if any, should be taken to compensate the affected data subjects (e.g., buying credit reports, indemnification, etc.) and should develop a mitigation plan, if appropriate (e.g., pursuant to HIPAA).

Develop Specific Actions to Resolve the Incident

The Incident Team should determine whether there are any unintended consequences that may result from its action plan, with special consideration of the effects on key stakeholders (internal and external). With that information in mind, it should prepare a list of final actions to resolve an Incident, with responsibility for each action assigned to a specific, accountable individual. In addition, Human Resources is to review any appropriate employee actions, if applicable.

Final Reporting

The Incident Team should identify what final reports are to be issued, to whom they are to be delivered, and who will be responsible for their timely preparation.

PHASE VI – INCIDENT CLOSING

Following the delivery of any final reports, the Incident Team should assess the effectiveness of its strategy and processes.

Verify Effectiveness of Response Plan

The Incident Team should closely monitor progress of the resolution plan and re-evaluate the resolution plan if necessary.

Document Lessons Learned

The Incident Team should assign responsibility for documentation and include lessons learned in the incident log.

Recommend Changes

The Incident Team should:

  • Determine what, if anything, Anatomy IT, LLC could have done to prevent the Incident from happening
  • Assess changes required to Anatomy IT, LLC business models, systems, and processes (administration, technology, and/or physical safeguards) to reduce the likelihood of similar instances in the future
  • Ensure recommended changes are implemented

Continued Monitoring

Following resolution, the Incident Team should designate at least one team member to have responsibility for monitoring ongoing events and activity and for keeping a close watch on media sources.