Security Incidents & Data Breach Management Policy and Procedure

November 20, 2021

a) Background

My Eco Best Friend, as data controller, and the data processors it contracts are subject to the provisions of the General Data Protection Regulation 2016/679 (GDPR) and must exercise due care and attention in collecting, processing and storing personal data and sensitive personal data provided by staff, Sellers, Clients and the public for defined purposes.

Safeguarding such information and preventing its breach is essential to ensure My Eco Best Friend retains the trust of the above‐mentioned data subjects. My Eco Best Friend will thus make all reasonable efforts to protect information under My Eco Best Friend’s control from unauthorized access, use, disclosure, deletion, destruction, damage, or removal.

Although best efforts are made to protect facilities, equipment, resources and data, some incidents cannot be entirely avoided. Data security breaches are increasingly common, whether caused by human error or by malicious intent. My Eco Best Friend therefore needs a robust and systematic process to address any reported security incident and to protect its information assets as far as possible.

As a result, this Policy sets out a procedure to be followed should security procedures in force not prevent a breach. The aim of this policy is to standardize the groupwide response to any reported security incident and ensure that they are appropriately logged and managed in accordance with best practice guidelines.

By adopting a standardized consistent approach to all reported incidents, it aims to ensure that:

incidents are reported in a timely manner and can be properly managed

incidents are handled by appropriately authorized and skilled personnel

incidents are kept confidential at all levels (relevant stakeholders will be kept informed at the discretion of the lead investigators)

appropriate levels of management are involved in the response

incidents are recorded and documented

the impact of the incidents is understood, and action is taken to prevent further occurrences

evidence is gathered, recorded, and maintained in a form that will withstand internal and external scrutiny

external bodies or data subjects are informed as required

incidents are dealt with in a timely manner and normal operations resumed swiftly

incidents are reviewed to identify improvements in policies 

b) Definition

For the purpose of this policy the term “data breach” includes the loss of control, compromise, unauthorized disclosure or unauthorized access or potential access to personally identifiable information, whether in physical (paper) or electronic form.

A data security breach can happen for a number of reasons, including:

Loss, alteration or theft of data or equipment on which data is stored (including break‐in to any of our premises)

inappropriate/unauthorized access to confidential or highly confidential data

equipment failure

human error, including unintentional disclosures, lack of diligence and/or misuse of technological resources

unforeseen circumstances such as flood or fire

hacking attacks

access obtained by deceiving the organization that holds the information (social engineering)

For the purpose of this policy these reasons will be referred to as “security incidents”. Not all security incidents will lead to a data breach.

c) Scope

This groupwide policy applies to all staff of My Eco Best Friend.

This Policy is available on www.myecobestfriend.com and shall be advised to staff at induction and at periodic staff training.

My Eco Best Friend expects any contractors, suppliers or other parties acting on its behalf (collectively, “External Parties”) that collect or manage personal information to follow this policy, whether they use My Eco Best Friend’s systems and data management tools or their own. My Eco Best Friend employees are responsible for ensuring that any External Parties they work with in support of My Eco Best Friend operations comply with this policy.

d) Responsibility

Staff are responsible for ensuring that appropriate and adequate protection and controls are in place and applied in each facility and resource under their control and identifying those that are not. Managers are responsible for ensuring that staff in their area follow this Policy and adhere to all related procedures.

The Data Protection Officer (DPO) is responsible for overseeing the management of any breach.

My Eco Best Friend Data Protection Officer:

Gaëtan Bio

Chemin du Creux-Bechet, 6, 1096, Villette (Switzerland)

T: +41 (0)79 847 91 55

contact@myecobestfriend.com

Periodic reviews of the measures and practices in place shall be carried out by the Legal Department.

e) T minus 72 hours procedure

1) Report security incident – each staff member’s duty to report

Confirmed or suspected IT security incidents should always be reported promptly to IT Security, as the primary point of contact, by email at contact@myecobestfriend.com. Where the e-mail system itself may be compromised, report by telephone first (see Appendix 2).

Where a staff member becomes aware, or suspects, that personal data has been compromised for any reason other than an IT security incident (e.g. loss of a portable device, misaddressed labels, or sensitive information left where unauthorized viewing could take place, such as photocopies not properly disposed of or left on the copier), he/she shall immediately notify his/her Manager.

When there is a potential conflict of interest or for any other reasons, in the interest of confidentiality, such a report may be made directly to the DPO.

In both cases, the staff member reporting the security incident may be asked to complete the Data Security Breach Incident Report (See Appendix 1).

2) Breach containment

Data security breaches should be contained and responded to immediately upon becoming aware of such a breach.

The staff member and/or IT Security will seek to contain the matter and mitigate any further exposure of the personal data held, having regard to the “Incident Response DOs and DON’Ts for IT systems” advice set out at Appendix 2. Depending on the nature of the threat to the personal data, this may involve quarantining some or all PCs, networks etc. and requesting that staff do not access them. Similarly, it may involve quarantining manual records storage areas and other areas as appropriate. As a preliminary step, an audit of the records held or of the backup server(s) should be undertaken to ascertain what personal data may potentially have been exposed.

3) Impact assessment

In parallel with, or following, immediate containment, the risks associated with the breach must be assessed, including the potential adverse consequences for the individuals concerned and for My Eco Best Friend itself.

Where the data concerned is protected by technological measures that make it unintelligible to any person not authorized to access it, My Eco Best Friend may conclude that there is no risk to the data and therefore no need to inform the DPO. Such a conclusion is only justified where the technological measures (such as encryption) are of a high standard and the decryption keys were not themselves exposed in the incident. Moreover, any security incident which affects more than 100 data subjects or includes sensitive personal data or personal data of a financial nature must always be escalated to the DPO.

Where no notification is made to the DPO, My Eco Best Friend shall still keep a summary record of the security incident: all data security incidents must be centrally logged in the IT Service Management system (ITSM system) to ensure appropriate oversight of the types and frequency of incidents for management and reporting purposes.

Unless My Eco Best Friend concludes that there is no risk to the data and therefore no need to inform the DPO, the DPO will be informed without delay by the IT Security Team (the Chief Information Security Officer (CISO) where relevant), who will gather a small team to assess the potential exposure/loss. This team will assist the CISO, the DPO (and the Manager where relevant) with the practical matters associated with this Policy and Procedures. Action shall be undertaken in accordance with the team’s direction/advice. Each team member shall have a backup member to cover holidays, sick leave etc.

During the investigation, the team should attempt to gather information that would be useful in assessing whether My Eco Best Friend is required to notify supervisory authorities and affected individuals.

The following must be considered in order to assess the potential exposure/loss:

  1. The type of data involved
  2. Whether the data is sensitive or may be used for identity fraud
  3. How many individuals are affected
  4. If data has been lost or stolen, whether encryption protections were in place
  5. What has happened to the data, including the possibility that it may be used to cause harm to the individual(s)

The team may also have regard to the “Privacy risk rating overview” advice set out at Appendix 3.

4) Notifications

i.  Supervisory Authority

The 72‐hour deadline for regulator notification runs from the moment My Eco Best Friend becomes aware of the breach, which is why prompt internal reporting under 1) above is essential. Since the trigger for that deadline is fundamentally legal in nature, lawyers and other compliance personnel should be responsible for making the ultimate call as to whether an incident constitutes a personal data breach requiring regulator notification.

Notification must contain (1) Nature, extent and impact of the breach; (2) Personal data possibly involved; (3) Measures taken to address the breach; (4) Details of the DPO or contact person designated by the DPO to provide additional information; and (5) Any assistance to be provided to the data subject.

ii.  Data subject

When required by law, the team will, under the direction of the DPO, give immediate consideration to informing those affected[1]. In particular the team shall:

Contact the individuals concerned (by phone, email etc.) to advise that an unauthorized disclosure, loss, destruction or alteration of the individual’s personal data has occurred

Where possible and as soon as is feasible, the data subjects (i.e. individuals whom the data is about) should be advised of:

the nature of the data that has been potentially exposed/compromised;

the level of sensitivity of this data, and

an outline of the steps My Eco Best Friend intends to take by way of containment or remediation

Individuals should be advised as to whether My Eco Best Friend has contacted, or intends to contact, the Supervisory Authority or other bodies

Specific and clear advice should finally be given to individuals on the steps they can take to protect themselves and what My Eco Best Friend can do to assist them.

The security of the medium used to notify individuals of a breach, and the urgency of the situation, should be borne in mind.

5) Media Enquiries and other third‐parties

Media enquiries about the breach shall always be dealt with by the Head of Communication.

My Eco Best Friend shall also consider whether police, insurers, data processors or for instance banks should be notified.

f) Document, investigate and implement change

It is important that any security incidents and actual data breaches are documented and investigated, and the response to the breach is evaluated in terms of its effectiveness.

All data security breaches will thus be centrally logged in the ITSM system to ensure appropriate oversight of the types and frequency of confirmed incidents for management and reporting purposes.

[1] Except where the Supervisory Authority or law enforcement has requested a delay for investigative purposes. Where My Eco Best Friend receives such a direction, it should make careful notes of the advice received (including the date and time of the conversation and the name and rank of the person spoken to). Where possible, My Eco Best Friend should ask for the directions to be given in writing on letter‐headed notepaper; where this is not possible, My Eco Best Friend should write to the relevant agency to the effect that “we note your instructions given to us by your officer [insert officer’s name] on XX day of XX at XX pm that we were to delay for a period of XXX/until further notified by you that we are permitted to inform those affected by the data breach.”

A full review should be undertaken. Staff should be apprised of any changes to this Policy and of upgraded security measures. Staff should receive refresher training where necessary.

g)  Implementation & Review

This policy may be reviewed in light of changes in legislation, legal advice and as relevant new technologies emerge.

Appendix 1- Data Security Breach – Incident Report

Email this form to IT Security contact@myecobestfriend.com

Always call the CISO or the IT Incident Manager to make them aware of the breach prior to sending this form.

Please provide as much information/detail as possible:

Description of the Security incident/Data Breach

 

Confirmed or suspected breach?

 

Who is reporting the breach: Name/Dept

 

Time and Date the security incident/breach was identified and by whom

 

Were there any other witnesses? If Yes, state Names.

 

Cause of the breach?

·       Accident or oversight,

·       Technical error,

·       Intentional theft or wrongdoing,

·       Unauthorized browsing,

·       Other (describe),

·       Unknown

 

First Classification of data breached

·       Public Data

·       Internal Data

·       Personal Data

·       Sensitive Data

 

 

Volume of data involved 

Very few (less than 20)

Identified and limited group (>20 and <100)

Large number of individuals affected (>100)

Numbers are not known

 

Are the individuals affected by the breach staff, Sellers, Clients, members of the public, or several of these?

 

Are you aware of the individuals affected (attach a list)?

 

Does data pertain to vulnerable groups?

 

Whom was the data released to/or accessed by, if known?

 

Types of harm that may result from the breach

·       Identity theft

·       Physical harm

·       Hurt, humiliation, damage to reputation

·       Loss of business or employment opportunities

·       Breach of contractual obligations

 

Is the breach contained or ongoing?

 

If ongoing what actions are being taken to recover the data?

 

Were any IT systems involved? If so please list them.

 

Were encryption protections in place at the time of the breach?

 

Has a breach of this nature occurred before?

 

Are there others who might advise on risks/courses of action?

 

Any other relevant information

E.g. If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use but also where relevant police, insurers, trade unions, data processors etc…

 

Received by:

 

Date/Time:

 

Breach ID:

 

 

Appendix 2 – Incident Response DOs and DON’Ts for IT systems


DOs

immediately isolate the affected system (disconnect it from the network rather than powering it off, so that volatile evidence is preserved) to prevent further intrusion, release of data, damage etc.

use the telephone, as the attacker may be capable of monitoring e‐mail traffic

preserve all pertinent logs, e.g. firewall, router and intrusion detection system logs

make back‐up copies of damaged or altered files and keep these backups in a secure location

identify where the affected system resides within the network topology

identify all systems and agencies that connect to the affected system

identify the programs and processes that operate on the affected system(s), the impact of the disruption and the maximum allowable outage time

in the event the affected system is collected as evidence, make arrangements to provide for the continuity of services i.e. prepare redundant system and obtain data back‐ups

DON’Ts

communicate the issue to anyone other than your line manager and the contacts listed in section e) (IT Security, your Manager, the DPO)

delete, move or alter files on the affected systems

contact the suspected perpetrator

attempt a forensic analysis yourself; leave this to IT Security
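The DOs above ask staff to preserve logs and to keep back‐up copies of damaged or altered files, and section a) requires evidence to be kept in a form that will withstand internal and external scrutiny. As an added worked example (not part of this Policy and not My Eco Best Friend’s own tooling), the Python script below copies a set of artefacts into an evidence folder, makes the copies read‐only, records each copy’s SHA‐256, size and collection time in a manifest, and later re‐hashes the copies so that any alteration after collection is detected. The two log files and their contents are constructed sample data; the collector name and folder layout are illustrative assumptions.

```python
"""Evidence preservation helper (added example, not part of the Policy):
copy artefacts, hash them, write a manifest, and verify later that nothing
changed. Works offline on constructed sample files."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir, make the copy read-only, and
    record who collected it, when (UTC), its size and its SHA-256.
    Returns the manifest (list of dicts) and writes it as manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)       # copy2 keeps the original's timestamps
        os.chmod(dst, 0o440)         # read-only: the DON'Ts forbid altering files
        manifest.append({
            "original_path": os.path.abspath(src),
            "evidence_copy": dst,
            "size_bytes": os.path.getsize(dst),
            "sha256": sha256_of(dst),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,   # assumed: name/role of the collector
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved copy against the manifest.
    Returns {evidence_copy_path: True if intact, False if changed or missing}."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    results = {}
    for entry in manifest:
        path = entry["evidence_copy"]
        try:
            results[path] = sha256_of(path) == entry["sha256"]
        except FileNotFoundError:
            results[path] = False
    return results


def demo():
    """Constructed sample: two fake log files are preserved, verify() confirms
    them intact, then one preserved copy is altered and verify() flags it.
    Returns (results_before_tampering, results_after_tampering)."""
    work = tempfile.mkdtemp()
    samples = {
        "firewall.log": "2021-11-20T10:01:02Z DENY 203.0.113.7 -> 10.0.0.5:445\n",
        "ids.log": "2021-11-20T10:01:05Z ALERT SMB probe from 203.0.113.7\n",
    }
    logs = []
    for name, body in samples.items():          # constructed sample logs
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(body)
        logs.append(path)

    evidence = os.path.join(work, "evidence")
    preserve(logs, evidence, collector="IT Security (example)")
    before = verify(evidence)

    # Simulate the alteration the DON'Ts warn against: make the copy writable
    # again and append a line. verify() must now report it as not intact.
    tampered = os.path.join(evidence, "ids.log")
    os.chmod(tampered, 0o640)
    with open(tampered, "a") as f:
        f.write("injected line\n")
    after = verify(evidence)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

In practice the manifest itself should be stored separately from the copies (or signed), since a manifest kept beside writable copies can be regenerated by the same person who altered them; the hashes also give the team a reference to quote if a Supervisory Authority or the police later ask when an artefact was secured and by whom.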

Appendix 3 – Privacy Risk Rating Overview

Factor: Nature of personal information

LOW: Publicly available personal information not associated with any other information

MEDIUM: Personal information unique to the organization that is not medical or financial information

HIGH: Medical, psychological, counselling, or financial information, or a unique public body identification number

Factor: Relationships

LOW: Accidental disclosure to a contractor who reported the breach and confirmed destruction or return of the information

MEDIUM: Accidental disclosure to a stranger who reported the breach and confirmed destruction or return of the information

HIGH: Disclosure to an individual with some relationship to or knowledge of the affected individual(s), particularly disclosures to motivated family members, neighbours or co‐workers; theft

Factor: Cause of the breach

LOW: Technical error that has been resolved

MEDIUM: Accidental loss or disclosure

HIGH: Intentional breach; cause unknown; technical error, if not resolved

Factor: Scope

LOW: Very few affected individuals

MEDIUM: Identified and limited group of affected individuals

HIGH: Large group (over 100), or entire scope of group not identified

Factor: Containment efforts

LOW: Data was adequately encrypted; or portable storage device was remotely wiped and there is evidence that the device was not accessed prior to wiping; or hard copy files or device were recovered almost immediately and all files appear intact and/or unread

MEDIUM: Portable storage device was remotely wiped within hours of loss but there is no evidence to confirm that the device was not accessed prior to wiping; or hard copy files or device were recovered but sufficient time passed between the loss and recovery that the data could have been accessed

HIGH: Data was not encrypted; or data, files or device have not been recovered; or data is at risk of further disclosure, particularly through mass media or online

Factor: Foreseeable harm from the breach

LOW: No foreseeable harm from the breach

MEDIUM: Loss of business or employment opportunities; hurt, humiliation, damage to reputation or relationships; social/relational harm

HIGH: Loss of trust in My Eco Best Friend; loss of My Eco Best Friend assets; loss of My Eco Best Friend contracts or business; financial exposure; security risk (e.g. physical safety); identity theft or fraud risk. Hurt, humiliation and damage to reputation may also be a high risk depending on the circumstances.