Security Incidents & Data Breach Management Policy and Procedure
November 20, 2021
My Eco Best Friend as data controller and appropriate data processors so contracted are subject to the provisions of the General Data Protection Regulation 2016/679 (GDPR) and must exercise due care and attention in collecting, processing, and storing personal data and sensitive personal data provided by both staff, Sellers, Clients, and the public for defined use.
Safeguarding such information and preventing its breach is essential to ensure My Eco Best Friend retains the trust of the above‐mentioned data subjects. My Eco Best Friend will thus make all reasonable efforts to protect information under My Eco Best Friend’s control from unauthorized access, use, disclosure, deletion, destruction, damage, or removal.
Although best efforts are made to protect facilities, equipment, resources and data, some incidents can hardly be avoided. Indeed, data security breaches are increasingly common occurrences, whether they are caused through human error or via malicious intent. My Eco Best Friend thus needs to have in place a robust and systematic process to address any reported security incident and protect its information assets as far as possible.
As a result, this Policy sets out a procedure to be followed should security procedures in force not prevent a breach. The aim of this policy is to standardize the groupwide response to any reported security incident and ensure that they are appropriately logged and managed in accordance with best practice guidelines.
By adopting a standardized consistent approach to all reported incidents, it aims to ensure that:
incidents are reported in a timely manner and can be properly managed
incidents are handled by appropriately authorized and skilled personnel
incidents are kept confidential at all levels (relevant stakeholders will be kept informed at the discretion of the lead investigators).
appropriate levels of management are involved in the response
incidents are recorded and documented
the impact of the incidents is understood, and action is taken to prevent further occurrences
evidence is gathered, recorded, and maintained in a form that will withstand internal and external scrutiny
external bodies or data subjects are informed as required
incidents are dealt with in a timely manner and normal operations resumed swiftly
incidents are reviewed to identify improvements in policies
For the purpose of this policy the term “data breach” includes the loss of control, compromise, unauthorized disclosure or unauthorized access or potential access to personally identifiable information, whether in physical (paper) or electronic form.
A data security breach can happen for a number of reasons, including:
Loss, alteration or theft of data or equipment on which data is stored (including break‐in to any of our premises)
inappropriate/unauthorized access to confidential or highly confidential data
equipment failure
human error, including unintentional disclosures, lack of diligence and/or misuse of technological resources
unforeseen circumstances such as flood or fire
hacking attacks
access where information is obtained by deceiving the organization that holds it
For the purpose of this policy these reasons will be referred to as “security incidents”. Not all security incidents will lead to a data breach.
This groupwide policy applies to all staff of My Eco Best Friend.
This Policy is available on www.myecobestfriend.com and shall be communicated to staff at induction and at periodic staff training.
My Eco Best Friend expects any My Eco Best Friend contractors, suppliers or any other parties acting on My Eco Best Friend’s behalf (collectively, “External Parties”) to collect or manage personal information to follow this policy, whether they are utilizing My Eco Best Friend’s and/or their own systems and data management tools. My Eco Best Friend employees are responsible for ensuring that any External Parties they work with in support of My Eco Best Friend operations comply with this policy.
Staff are responsible for ensuring that appropriate and adequate protection and controls are in place and applied in each facility and resource under their control and identifying those that are not. Managers are responsible for ensuring that staff in their area follow this Policy and adhere to all related procedures.
The Data Protection Officer (DPO) is responsible for overseeing the management of any breach.
Gaëtan Bio
Chemin du Creux-Bechet, 6, 1096, Villette (Switzerland)
T: +41 (0)79 847 91 55
contact@myecobestfriend.com
Periodic reviews of the measures and practices in place shall be carried out by the Legal Department.
Report security incident – each staff member’s duty to report
Confirmed or suspected IT security incidents should always be reported promptly to IT Security, as the primary point of contact, by email to contact@myecobestfriend.com.
In case any staff member becomes aware or suspects that personal data has been compromised for any other reason than an IT security incident (e.g. through loss of a portable device, misaddressing of labels, sensitive information left where unauthorized viewing could take place – i.e. photocopies not properly disposed of or left on copier), he/she shall immediately notify his/her Manager.
When there is a potential conflict of interest or for any other reasons, in the interest of confidentiality, such a report may be made directly to the DPO.
In both cases, the staff member reporting the security incident may be asked to complete the Data Security Breach Incident Report (See Appendix 1).
Data security breaches should be contained and responded to immediately upon becoming aware of such a breach.
The staff member and/or IT Security will seek to contain the matter and mitigate any further exposure of the personal data held, having regard to the “Incident Response DOs and DON’Ts for IT systems” advice set out at Appendix 2. Depending on the nature of the threat to the personal data, this may involve a quarantine of some or all PCs, networks etc. and requesting that staff do not access PCs, networks etc. Similarly, it may involve a quarantine of manual records storage area/s and other areas as may be appropriate. By way of a preliminary step, an audit of the records held or backup server/s should be undertaken to ascertain the nature of what personal data may potentially have been exposed.
In parallel with, or following, immediate containment, the risks associated with the breach must be assessed, including the potential adverse consequences for the individuals concerned as well as for My Eco Best Friend itself.
Where the data concerned is protected by technological measures that make it unintelligible to any person who is not authorized to access it, My Eco Best Friend may conclude that there is no risk to the data and therefore no need to inform the DPO. However, such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard. Moreover, any security incident which affects more than 100 data subjects, or which includes sensitive personal data or personal data of a financial nature, must always be escalated to the DPO.
Where no notification is made to the DPO, My Eco Best Friend shall keep a summary record of the security incident as all data security incidents must be centrally logged in the IT Service Management system (ITSM system) to ensure appropriate oversight in the types and frequency of incidents for management and reporting purposes.
Unless My Eco Best Friend concludes that there is no risk to the data and therefore no need to inform the DPO, the latter will be informed without delay by the IT Security Team (the Chief Information Security Officer (CISO) where relevant) in order to gather a small team of persons together to assess the potential exposure/loss. This team will assist the CISO, the DPO (and the Manager where relevant) with the practical matters associated with this Policy and Procedures. Action shall be undertaken in accordance with the dedicated team’s direction/advice. Each team member shall have a backup member to cover holidays, sick leave etc.
During the investigation, the team should attempt to gather information that would be useful in assessing whether My Eco Best Friend is required to notify supervisory authorities and affected individuals.
The following must be considered in order to assess the potential exposure/loss:
The type of data involved;
The team may also have regard to the “Privacy risk rating overview” advice set out at Appendix 3.
Since the trigger for the 72‐hour deadline for regulator notification is fundamentally legal in nature, lawyers and other compliance personnel should be responsible for making the ultimate call as to whether an incident constitutes a personal data breach requiring regulator notification.
Notification must contain (1) Nature, extent and impact of the breach; (2) Personal data possibly involved; (3) Measures taken to address the breach; (4) Details of the DPO or contact person designated by the DPO to provide additional information; and (5) Any assistance to be provided to the data subject.
When required by law, the team will, under the direction of the DPO, give immediate consideration to informing those affected[1]. In particular the team shall:
Contact the individuals concerned (whether by phone/email etc.) to advise that an unauthorised disclosure/loss/destruction or alteration of the individual’s personal data has occurred
Where possible and as soon as is feasible, the data subjects (i.e. individuals whom the data is about) should be advised of:
the nature of the data that has been potentially exposed/compromised;
the level of sensitivity of this data, and
an outline of the steps My Eco Best Friend intends to take by way of containment or remediation
Individuals should be advised as to whether My Eco Best Friend intends to contact other Supervisory Authorities
Specific and clear advice should finally be given to individuals on the steps they can take to protect themselves and what My Eco Best Friend can do to assist them.
Security of the medium used for notifying individuals of a breach and urgency of situation should be borne in mind.
Media enquiries about the breach shall always be dealt with by the Head of Communication.
My Eco Best Friend shall also consider whether police, insurers, data processors or for instance banks should be notified.
It is important that any security incidents and actual data breaches are documented and investigated, and the response to the breach is evaluated in terms of its effectiveness.
All data security breaches will thus be centrally logged in the ITSM system to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes.

[1] Except where Supervisory Authorities have requested a delay for investigative purposes. Where My Eco Best Friend receives such a direction from Supervisory Authorities, it should make careful notes of the advice received (including the date and the time of the conversation and the name and rank of the person spoken to). Where possible, My Eco Best Friend should ask for the directions to be given in writing on letter‐headed notepaper from the Supervisory Authorities, or where this is not possible, My Eco Best Friend should write to the relevant law enforcement agency to the effect that “we note your instructions given to us by your officer [insert officer’s name] on XX day of XX at XX pm that we were to delay for a period of XXX/until further notified by you that we are permitted to inform those affected by the data breach.”
A full review should be undertaken. Staff should be apprised of any changes to this Policy and of upgraded security measures. Staff should receive refresher training where necessary.
This policy may be reviewed in light of changes in legislation, legal advice and as relevant new technologies emerge.
Appendix 1 – Data Security Breach Incident Report

Email this form to IT Security: contact@myecobestfriend.com
Please provide as much information/detail as possible:

Description of the security incident/data breach:
Confirmed or suspected breach?
Who is reporting the breach (Name/Dept):
Time and date the security incident/breach was identified, and by whom:
Were there any other witnesses? If yes, state names.
Cause of the breach? (Accident or oversight / Technical error / Intentional theft or wrongdoing / Unauthorized browsing / Other (describe) / Unknown)
First classification of data breached: (Public Data / Internal Data / Personal Data / Sensitive Data)
Volume of data involved: (Very few (less than 20) / Identified and limited group (>20 and <100) / Large number of individuals affected (>100) / Numbers are not known)
Are the individuals affected by the breach students/sponsor, staff, or both?
Are you aware of the individuals affected (attach a list)?
Does the data pertain to vulnerable groups?
Whom was the data released to, or accessed by, if known?
Types of harm that may result from the breach: (Identity theft / Physical harm / Hurt, humiliation, damage to reputation / Loss of business or employment opportunities / Breach of contractual obligations)
Is the breach contained or ongoing?
If ongoing, what actions are being taken to recover the data?
Were any IT systems involved? If so, please list them.
Were encryption protections in place at the time of the breach?
Has a breach of this nature occurred before?
Are there others who might advise on risks/courses of action?
Any other relevant information (e.g. if individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use, and also, where relevant, police, insurers, trade unions, data processors etc.)

Received by:
Date/Time:
Breach ID:
Appendix 2 – Incident Response DOs and DON’Ts for IT systems

DO:
immediately isolate the affected system to prevent further intrusion, release of data, damage etc.
use the telephone, as the attacker may be capable of monitoring e‐mail traffic
preserve all pertinent logs, e.g. firewall, router and intrusion detection system
make back‐up copies of damaged or altered files and keep these backups in a secure location
identify where the affected system resides within the network topology
identify all systems and agencies that connect to the affected system
identify the programs and processes that operate on the affected system(s), the impact of the disruption and the maximum allowable outage time
in the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e. prepare a redundant system and obtain data back‐ups

DON’T:
communicate the issue with anyone else other than your line manager and the recipients listed in section 3
delete, move or alter files on the affected systems
contact the suspected perpetrator
conduct a forensic analysis
Appendix 3 – Privacy risk rating overview

Factor: Nature of personal information
LOW: Publicly available personal information not associated with any other information
MEDIUM: Personal information unique to the organization that is not medical or financial information
HIGH: Medical, psychological, counselling, or financial information, or unique public body identification number

Factor: Relationships
LOW: Accidental disclosure to a contractor who reported the breach and confirmed destruction or return of the information
MEDIUM: Accidental disclosure to a stranger who reported the breach and confirmed destruction or return of the information
HIGH: Disclosure to an individual with some relationship to or knowledge of the affected individual(s), particularly disclosures to motivated family members, neighbours or co‐workers; theft

Factor: Cause of the breach
LOW: Technical error that has been resolved
MEDIUM: Accidental loss or disclosure
HIGH: Intentional breach; cause unknown; technical error, if not resolved

Factor: Scope
LOW: Very few affected individuals
MEDIUM: Identified and limited group of affected individuals
HIGH: Large group, or entire scope of group not identified (over 100)

Factor: Containment efforts
LOW: Data was adequately encrypted; portable storage device was remotely wiped and there is evidence that the device was not accessed prior to wiping; hard copy files or device were recovered almost immediately and all files appear intact and/or unread
MEDIUM: Portable storage device was remotely wiped within hours of loss but there is no evidence to confirm that the device was not accessed prior to wiping; hard copy files or device were recovered but sufficient time passed between the loss and recovery that the data could have been accessed
HIGH: Data was not encrypted; data, files or device have not been recovered; data at risk of further disclosure, particularly through mass media or online

Factor: Foreseeable harm from the breach
LOW: No foreseeable harm from the breach
MEDIUM: Loss of business or employment opportunities; hurt, humiliation, damage to reputation or relationships, social/relational harm; loss of trust in My Eco Best Friend; loss of My Eco Best Friend assets; loss of My Eco Best Friend contracts or business; financial exposure
HIGH: Security risk (e.g. physical safety); identity theft or fraud risk; hurt, humiliation, damage to reputation may also be a high risk depending on the circumstances