Overview
This policy mandates that any individual who suspects that a theft, breach or exposure of CarePortal Protected or Sensitive information has occurred must immediately provide a description of what occurred via email to support@careportal.org. CarePortal will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the VP of Platform Operations (“VPO”) will be informed, and appropriate steps will be taken.
Purpose
This policy clearly defines to whom it applies and under what circumstances, and includes the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve information privacy and security protection.
CarePortal’s intentions for publishing a Breach Response and Notification Policy are to focus significant attention on information security and information security breaches, and how CarePortal’s established culture of openness, trust and integrity should respond to such activity. CarePortal Information Security is committed to protecting CarePortal’s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Scope
This policy applies to all who collect, access (or have access to), maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information (NPI) or personally identifiable information (PII) of CarePortal and/or its clients/customers/users. This encompasses both accidental and intentional breaches, including but not limited to cyberattacks, physical theft, and insider threats. Any agreements with vendors, contractors, subcontractors or business partners will contain language similar to and/or referencing this policy, with attestations that they have read, understand and agree to comply with the same.
Definitions
- Clients/customers/users include virtually all CarePortal stakeholders to the extent they have authorized access to information resources, and may include CarePortal partners, users, employees, contractors, consultants, interns, temporary employees and volunteers.
- The Incident Response Team shall be Senior Management and may include, but will not be limited to, the following departments or their representatives: Development/Infrastructure, Finance, Legal, Marketing/Communications, Human Resources.
Policy
Initial Report
- Upon receiving a report of potential theft, data breach, or exposure of non-public (NPI) or personally identifiable (PII) information of CarePortal and/or its clients/customers/users, immediate action will be taken.
Incident Response Team (IRT)
- The VPO must be informed of any confirmed theft, breach, or exposure.
- The VPO will chair an IRT to address the breach or exposure, including identifying the root cause.
- The IRT will comprise members from relevant departments, including but not limited to Development/Infrastructure, Finance, Legal, Marketing/Communications, Human Resources, and the affected unit or department. Additional departments may be involved based on the nature of the breach.
- If a breach or exposure involving CarePortal's protected or sensitive information is confirmed by the IRT, the process to revoke all access to the compromised resource will commence.
Notification
- Notification to the VPO of any theft, breach or exposure by a third-party provider engaged by CarePortal who collects, accesses (or has access to), maintains, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles non-public information (NPI) or personally identifiable information (PII) is a requirement of doing business with CarePortal. The VPO will treat this the same as if it were a breach of CarePortal; effectively this is outsourcing the work while in-sourcing the liability. All policies and procedures relating thereto will be followed.
Forensic Investigation
- If the incident is to be covered by the Organization’s cyber insurance policy, the insurance carrier may require the involvement of forensic investigators and/or experts. The VPO will approve access as needed to determine the breach specifics such as the information type involved; the number of internal/external individuals and/or organizations impacted, etc.
- Where CarePortal's insurance policies do not require the use of, or otherwise cover the cost of, third-party forensics, no additional forensics will be performed beyond the work done by the IRT, unless this is deemed necessary by CarePortal's VPO (the person responsible for such a decision) or required by law.
Communication Plan
- The VPO will collaborate with CarePortal's communications, legal, and HR departments to strategize communication regarding the breach to internal employees, the public, and the affected parties.
- The VPO will work with Legal on notification of a breach; notification of the potential or realized exposure of NPI/PII to clients/customers/users may be required under relevant laws and regulations.
- In the event of a third-party provider breach, the provider will notify the VPO as required, and, like any breach of CarePortal, it will require a Communication Plan per this section. The third-party provider is responsible for notifying CarePortal if it has suffered, or believes it has suffered, a data breach. CarePortal remains responsible for disclosing the breach to its clients/customers/users.
Delay of Notification
- Authorized for Law Enforcement Purposes. If a law enforcement official states that a notification, notice, or posting would impede a criminal investigation or cause damage to national security:
  - If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
  - If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.