Data Breach Procedure and Response Plan


This Procedure sets out the processes to be followed by VedicStore.com staff in the event that VedicStore.com experiences a data breach or suspects that a data breach has occurred.

A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.

1. Policy

This Procedure is governed by the VedicStore.com Privacy Policy.

2. Introduction

VedicStore.com is committed to managing personal information in accordance with the GDPR (for EU customers) and, for all other customers, the Data Protection Act 2011 of Trinidad and Tobago.

VedicStore.com needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm.

Adherence to this Procedure and Response Plan will ensure that VedicStore.com can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

3. Process where a breach occurs or is suspected

3.1 Alert

Where a privacy data breach is known to have occurred (or is suspected), any member of VedicStore.com staff who becomes aware of this must, within 24 hours, alert a Member of the Executive in the first instance.

Note: the term ‘Member of the Executive’ is defined in VedicStore.com’s Delegation of Authority Policy.

The information that should be provided (if known) at this point includes:

(a) When the breach occurred (time and date)
(b) Description of the breach (type of personal information involved)
(c) Cause of the breach (if known), otherwise how it was discovered
(d) Which system(s), if any, are affected
(e) Which directorate/faculty/institute is involved
(f) Whether corrective action has been taken to remedy or ameliorate the breach (or suspected breach)

3.2 Assess and determine the potential impact

Once notified of the information above, the Member of the Executive must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.

3.2.1 Criteria for determining whether a privacy data breach has occurred

(a) Is personal information involved?
(b) Is the personal information of a sensitive nature?
(c) Has there been unauthorized access to personal information, unauthorized disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

For the purposes of this assessment, the following terms are considered: personal information, sensitive information, unauthorized access, unauthorized disclosure and loss.

3.2.2 Criteria for determining severity

(a) The type and extent of personal information involved
(b) Whether multiple individuals have been affected
(c) Whether the information is protected by any security measures (password protection or encryption)
(d) The person or kinds of people who now have access
(e) Whether there is (or could be) a real risk of serious harm to the affected individuals
(f) Whether there could be media or stakeholder attention as a result of the breach or suspected breach

With respect to 3.2.2(e) above, serious harm could include physical, physiological, emotional, economic/financial or reputational harm.

Having considered the matters in 3.2.1 and 3.2.2, the Member of the Executive must notify the Privacy Officer within 24 hours of being alerted under 3.1.

3.3 Privacy Officer to issue pre-emptive instructions

On receipt of the communication from the relevant Member of the Executive under 3.2, the Privacy Officer will take a preliminary view as to whether a data breach (or suspected breach) has occurred. Accordingly, the Privacy Officer will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.

3.3.1 Data breach managed at the Directorate/Faculty/Institute level

Where the Privacy Officer instructs that the data breach is to be managed at the local level, the relevant Member of the Executive must:

(a) ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include retrieval or recovery of the personal information, ceasing unauthorized access, or shutting down or isolating the affected system); and

(b) submit a report via the Privacy Coordinator within 48 hours of receiving instructions under 3.3. The report must contain the following:

(i) Description of the breach or suspected breach
(ii) Action taken
(iii) Outcome of the action
(iv) Processes that have been implemented to prevent a repeat of the situation
(v) Recommendation that no further action is necessary

The Privacy Officer will be provided with a copy of the report and will sign off that no further action is required.

The report will be logged by the Privacy Coordinator.

3.3.2 Data breach managed by the Response Team

Where the Privacy Officer instructs that the data breach must be escalated to the Response Team, the Privacy Officer will convene the Response Team and notify the Vice-Chancellor and President.

The Response Team will consist of:

Privacy Coordinator
General Counsel (or nominee)
Director of Human Resources (or nominee)
Academic Registrar (or nominee)
Director of Information Technology (or nominee)
Director of Marketing and External Relations (or nominee)

3.4 Primary role of the Response Team

There is no single method of responding to a data breach. Each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action.

The following steps may be undertaken by the Response Team (as appropriate):

(a) Immediately contain the breach (if this has not already occurred). Corrective action may include retrieval or recovery of the personal information, ceasing unauthorized access, or shutting down or isolating the affected system.
(b) Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach, having regard to the information outlined in sections 3.2.1 and 3.2.2 above.
(c) Call upon the expertise of, or consult with, relevant staff as the particular circumstances require.
(d) Engage an independent cyber security or forensic expert as appropriate.
(e) Assess whether serious harm is likely (with reference to section 3.2.2 above).
(f) Make a recommendation to the Privacy Officer on the practicality of notifying affected individuals.
(g) Consider developing a communication or media strategy, including the timing, content and method of any announcements to students, staff or the media.

The Response Team must undertake its assessment within 48 hours of being convened.

The Privacy Officer will provide periodic updates to the CEO as deemed appropriate.

3.5 Notification

Having regard to the Response Team's recommendation in 3.4 above, the Privacy Officer will determine whether there are reasonable grounds to suspect that a notifiable data breach (NDB) has occurred.

If there are reasonable grounds, the Privacy Officer must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).

If practicable, VedicStore.com must also notify each individual to whom the relevant personal information relates. Where this is impracticable, VedicStore.com must take reasonable steps to publicize the statement (including publishing it on the website).

The prescribed statement will be logged by the Privacy Coordinator.

3.6 Secondary Role of the Response Team

Once the matters referred to in 3.4 and 3.5 have been dealt with, the Response Team should turn its attention to the following:

(a) Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence; this may involve a review of policies and processes, or refresher training.
(b) Prepare a report for submission to Senate.
(c) Consider the option of an audit to ensure that the necessary outcomes have been implemented and are effective.

4. Updates to this Procedure

In line with VedicStore.com’s Policy on Development of Policy, this procedure is scheduled for review every five years or more frequently if appropriate.

5. Revisions made to this Procedure

Date | Major or Minor Revision | Description of Revision(s)

6. Contact details

All matters related to privacy, including complaints about breaches of privacy, should be directed as follows:

Privacy Coordinator
VedicStore.com
311 S M Road, Montrose, Chaguanas 500811
Trinidad and Tobago, West Indies

Email: [email protected]
Telephone, Text, SMS & WhatsApp: +1 972 514 7080
