Information Security Breach Policy
The following is a public summary of our response to a potential data breach.
If you suspect there has been a data security breach, please contact us via our Contact Us on our web site to intiate an investigation.
In the event of a suspect data breach, we will notify affected customers. This notification will include the following information, where available:
- Extent of the data breach
- Type and volume of personal data involved
- Cause or suspected cause of the breach
- Whether the breach has been rectified
- Measures and processes that we implemented at the time of the breach
- Information on whether affected individuals of the data breach were notified and if not
- Contact details at Hosted in Canada Surveys with whom your organization can liaise for further information or clarification
Where specific information of the data breach is not yet available, we will send an interim notification comprising a brief description of the incident.
DATA BREACH MANAGEMENT PLAN
Upon being notified of a (suspected or confirmed) data breach either by a customer or via our automated systems, we activate our data breach & response plan.
Our data breach management and response plan is:
- Confirm the Breach
- Contain the Breach
- Assess Risks and Impact
- Report the Incident
- Evaluate the Response & Recovery to Prevent Future Breaches
CONFIRM THE BREACH
Immediately upon suspicion or a report of a data breach, we will confirm that the data breach has occurred. At this point, we may proceed to Contain the Breach on the basis of an unconfirmed reported data breach, depending on the likelihood of the severity of risk.
CONTAIN THE BREACH
We consider the following measures to Contain the Breach, where applicable:
- Shut down the compromised system that led to the data breach.
- Establish whether steps can be taken to recover lost data and limit any damage caused by the breach.
- Prevent further unauthorized access to the system.
- Reset passwords and public/private keys if accounts and / or passwords have been compromised.
- Isolate the causes of the data breach, and where applicable, change the access rights to the compromised system and remove external connections to the system.
ASSESS RISKS AND IMPACT
Knowing the risks and impact of data breaches helps us determine whether there could be serious consequences to affected individuals, as well as the steps necessary to notify the individuals affected.
Risk and Impact on Customers
- How many custtomers were affected?
A higher number may not mean a higher risk, but assessing this helps overall risk assessment.
- Whose personal data had been breached?
Iddentify which accounts have been affected, and what data has been compromised.
- What types of personal data were involved?
This will help to ascertain if there are risk to reputation, identity theft, safety and/or financial loss of affected individuals.
- Any additional measures in place to minimize the impact of a data breach? eg: a lost device protected by a strong password or encryption could reduce the impact of a data breach.
Risk and Impact on organizations
- What caused the data breach?
Determining how the breach occurred (through theft, accident, unauthorized access, etc.) will help identify immediate steps to take to contain the breach and restore service.
- When and how often did the breach occur?
Examining this will help us better understand the nature of the breach (e.g. malicious or accidental).
- Who might gain access to the compromised personal data?
This will ascertain how the compromised data could be used. In particular, affected customers must be notified if personal data is acquired by an unauthorized person.
REPORT THE INCIDENT
We will notify affected customers if their data has been breached. This encourages individuals to take preventive measures to reduce the impact of the data breach.
Who to Notify:
- Notify customers whose personal data have been compromised.
- Notify other third parties such as banks, credit card companies or the police, where relevant.
- The relevant authorities (eg: police) should be notified if criminal activity is suspected and evidence for investigation should be preserved (eg: hacking, theft or unauthorized system access by an employee.)
When to Notify:
- Notify affected customers within 24 hours if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
- Notify affected customers when the data breach is resolved
How to Notify:
- Use the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, e-mails, telephone calls).
- Notifications will be simple to understand, specific, and provide clear instructions on what customers can do to protect themselves.
What to Notify:
- How and when the data breach occurred, and the types of personal data involved in the data breach.
- What we have done or will be doing in response to the risks brought about by the data breach.
- Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused.
- Contact details and how affected individuals can reach the organization for further information or assistance (e.g. support phone numbers, e-mail addresses or website).
EVALUATE THE RESPONSE & RECOVERY TO PREVENT FUTURE BREACHES
After steps have been taken to resolve the data breach, we will review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
Operational and Policy Related Issues:
- Were there issues with our regular audits of both physical and IT-related security measures?
- Are there processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse?
- Were there weaknesses in existing security measures such as the use of outdated software and protection measures, or weaknesses in the use of portable storage devices, networking, or connectivity to the Internet?
- Were the methods for accessing and transmitting personal data sufficiently secure, eg: access limited to authorized personnel only?
- Should support services from external parties be enhanced, such as vendors and partners, to better protect personal data?
- Were the responsibilities of vendors and partners clearly defined in relation to the handling of personal data?
- Is there a need to develop new data-breach scenarios?
Resource Related Issues:
- Were sufficient resources allocated to manage the data breach?
- Should external resources be engaged to better manage such incidents?
- Were key personnel given sufficient resources to manage the incident?
Employee Related Issues:
- Were employees aware of security related issues?
- Was training provided on personal data protection matters and incident management skills?
- Were employees informed of the data breach and the learning points from the incident?
Management Related Issues:
- How was management involved in the management of the data breach?
- Was there a clear line of responsibility and communication during the management of the data breach?