Breach Notification Procedure

Created by POP UP SHOPS Helpdesk, Modified on Wed, 19 Feb at 1:04 PM by POP UP SHOPS Helpdesk

The Breach Notification Procedure provides guidelines to manage security incidents, minimize the impact of data breaches, and maintain trust with affected parties and regulatory authorities.


Step 1: Identify the breach

  • This detects the occurrence of a breach through log management, user reports, and other threat management reports.

Step 2: Verify the Incident

  • This confirms the breach by assessing the following: incident category, severity level, impacted stakeholders, and other information about the incident.

Step 3: Follow the incident response process

  • This contains the breach while assessing the impact of the incident. Please read the Incident Management Policy for more detailed information.

Step 4: Notify the Incident Management Team

  • This notifies relevant internal stakeholders, including IT, legal, compliance, and executive teams, about the breach. This also provides the team with all the findings and planned actions about the incident. Please read the Incident Management Policy for more detailed information.

Step 5: Review the legal and regulatory requirements and conditions

  • This determines applicable legal and regulatory obligations regarding breach notification. This also covers the process of consulting legal counsel to reference relevant data protection laws.

Step 6: Prepare and review notification materials

  • This creates the materials for notifying impacted stakeholders about the breach. The team may prepare but is not limited to the following: updated status page, email notification, in-app notification, FAQs, or Help Center article. This also covers the feedback and assistance of legal counsel to ensure compliance with legal requirements.

Step 7: Notify impacted stakeholders

  • This informs impacted stakeholders within the timeline required by the relevant data protection laws. The notification must provide accurate information.
  • The notification must include, but is not limited to, the following: nature of the breach, types of compromised data, potential risks, and steps individuals can take to protect themselves. The team will offer assistance if applicable.

Step 8: Notify external authorities

  • This requires the team to report the incident to the regulators, if applicable.
  • The team must notify relevant regulatory authorities as required by law. The notification must provide detailed information about the breach, actions taken, and planned remediation efforts.
  • This requires the team to inform business partners and other third-party vendors. The team must coordinate with them to address any potential impacts and ensure a unified response.

Step 9: Conduct a post-incident review

  • This requires the team to conduct a Root Cause Analysis (RCA). The RCA investigates the root cause of the breach and identifies vulnerabilities.
  • The team must document the findings and develop corrective actions to address vulnerabilities and prevent future breaches.
  • The team must review current policies and measures in place and update them based on the findings and corrective actions.
