The security of confidential information, including information relating to the Company products and property, as well as nonpublic personal information, is a high corporate priority. The timely and effective response to potential or actual breaches in the security of such information is critical to the ability to mitigate damage, correct system deficiencies and comply with applicable law.
The procedures prescribed in this Response and Reporting Plan are designed to increase the awareness of information security vulnerabilities and improve Company’s ability to respond appropriately to suspected data security breaches. They prescribe Company’s response and reporting protocols when a suspected or known data security incident occurs.
For purposes of this Plan, the following terms have a specific meaning.
“Company” or “the Company” means Ryan Business and Technology Solutions, LLC and its U.S. affiliates and subsidiaries.
Company Confidential Information (“CCI”) means information whose economic value depends on its confidentiality within the Company, including, without limitation:
The Company’s business records, oral or electronic communications, or any other information regarding the Company’s inventions, discoveries, ideas, concepts, designs, specifications, work product, improvements, criteria, plans, data, proposals, documents, materials, trade secrets, technology, know-how, patent information, disclosures or applications, formulae, structures, models, techniques, standard operating procedures, standard working procedures, studies, methods, processes, programs, software, hardware, configurations, compositions, compounds, assays, protocols, customer lists, research and development activities, products, clinical trials, tests, cost data, pricing, suppliers, business partners, policies, technology, software, marketing and sales objectives and strategies, finances and financial projections or plans, or other business matters or prospective business materials.
“Company Representative” means any employee, contractor, or temporary staff member of the Company to the extent such individual handles, processes, or has access to CCI or NPI.
“Nonpublic Personal Information” (“NPI”) means:
Information in any media or format that identifies or may be used to identify an individual and the protection of which is governed by applicable data privacy or security law (including statutes, regulations, orders, etc.) and does not consist solely of information that is lawfully obtained from public sources, publicly available information, or from federal, state, or local government records lawfully made available to the general public. NPI may include, but is not limited to: (1) an individual’s first name and last name or first initial and last name1 in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number, (b) driver’s license number, (c) other government-issued identification number, (d) biometric identifier, (e) medical coverage number, or (f) financial account number or credit card/debit card number that would permit access to the individual’s financial account, and (2) health information together or in association with an identifier of an individual (such as initials, an e-mail address, a birth date, or any other identifying number or code).
NPI does not include anonymized data, such as aggregated data, as long as the aggregation is sufficient to prevent identification of an individual from that data either itself or in combination with publicly available data.
“Security Breach” means any incident that is deemed to constitute an information (data) security breach as defined by applicable federal, state, or local law, as well as any other incident involving a compromise in the security of CCI or NPI and may include incidents that result in such a compromise due to:
- the theft or loss of a technology asset (laptop computer, PC hard drive, USB or other external drive or storage device, iPad, iPhone, or other Company-issued device) or information asset (e.g., paper, disk, or other medium);
- unauthorized penetration of information technologies (e.g., computer intrusion, third- party threats);
- the misuse of any technology asset of the Company; and
- any other threat or compromise to the security or integrity of CCI or NPI.
“Security Incident” means an incident that involves or is suspected to involve a Security Breach and includes both incidents occurring within the Company or its technology systems and incidents occurring outside the Company (e.g., on the premises or systems of a service provider or business partner that collects, stores, uses, or transmits data provided to it by the Company).
“Third Party” means any person, company, or organization (e.g., a vendor or business partner), public authority/agency, or other entity outside of the Company that handles CCI or NPI provided by Company.
POLICIES AND PROCEDURES
1INCIDENT DETECTION AND REPORTING.
- 1.1Incident Awareness Training.
- All Company Representatives must be educated on their responsibilities under this Plan to detect, report, and mitigate Security Incidents.
- 1.2Incident Response Readiness.
- The Core Incident Response Contact List contained in Appendix C should be completed and updated at least annually to ensure that the list includes current key internal contacts and external legal counsel. The completed list should be securely stored with Company’s Legal counsel and access to it should be limited to Company’s Legal counsel and management-level employees involved in executing this Plan.
- 1.3Incident Discovery Reporting.
- All Company Representatives must report any suspected or confirmed Security Incident immediately upon discovery, including upon notice of such an incident from a Third Party.
- 1.3.1Initial Incident Report
- Early detection and reporting of a Security Incident is critical. Company Representatives must email the RBTS support email address immediately if they detect or suspect the occurrence of a Security Incident. The support team will request the information called for in the Incident Reporting Form attached hereto as Appendix A. Company Representatives should provide any additional information that may facilitate an effective investigative response.
- 1.3.2Report to the Chief Privacy Officer (CPO)2
- All Security Incidents must be reported to the CPO, either immediately upon discovery of an incident involving a serious information risk or by Support personnel upon completion of an Incident Reporting Form. Initial reports should include all of the following to the full extent known:
- Contact information for the person making the report and any other persons who were involved in identifying the incident;
- Names and locations of persons, databases, systems, or other data involved with the incident;
- Nature and description of the incident;
- Approximate date and time of the incident;
- Date and time that the person making the report initially learned of the incident or otherwise when an Company Representative first learned of the incident;
- Any tracking or other identification numbers assigned to the incident or data, either by Company or by a vendor; and
- Any mitigation or remediation steps taken; and
- Any evidence (e.g., log files, physical evidence, etc.) that could help the investigation.
2INITIAL ASSESSMENT AND COORDINATION
- 2.1Initial Assessment
- Upon receipt of an incident report, the CPO shall assess the reported information and make a preliminary determination regarding follow-up action. Except where the incident clearly poses no ongoing threat, the CPO should consult with the Company’s Legal counsel and, as appropriate, other members of the RBTS team.
- Based on the report of the incident and any additional supporting information, the CPO will make an initial determination as to whether additional investigation is warranted.
- 2.2Collection and Preservation of Evidence
- All evidence concerning a Security Incident should be collected and, to the extent possible, preserved in its original form.
- 2.3Involving Law Enforcement
- If criminal activity is suspected, the CPO shall notify senior management and, in conjunction with Company’s Legal counsel, a determination should be made as to whether it is necessary and appropriate to report the incident to law enforcement officials.
- 2.4Coordination; Incident Lead and Security Officer
- The CPO will coordinate the incident investigation with Company’s Legal counsel and the CPO shall designate an individual to lead the investigation and response effort (the “Incident Lead”) (the CPO may be the Incident Lead).
- The Incident Lead will take the lead role in handling the day-to-day follow-up response activities and in regularly updating management. The Incident Lead will:
- Form an Incident Response Team, using those listed on the Core Incident Response Contact List and, as necessary, other appropriate personnel who are available to act immediately;
- Coordinate efforts among all groups involved;
- Identify key tasks;
- Create a timeline for each step in the response process;
- Notify all appropriate Company personnel, including, as warranted, senior management, as well as, subject to direction from senior management and Company’s Legal counsel, Company vendors, government authorities, media, and public relations firms; and
- Document all steps taken to cure and mitigate harm resulting from the Security Incident.
- 3.1Securing Networks, Systems, and Data
- The Director of Systems shall ensure that all necessary steps have been or are taken to close any security gaps.
- 3.2Identifying Affected Data Elements and Securing Hard Copy Documents
- The Incident Lead shall prepare an inventory of exposed data elements and shall ensure that appropriate personnel have taken steps needed to secure hard copy documents or electronic information in compliance with legal requirements as well as with Company’s document retention policies and document hold requirements.
- 3.3Forensics Experts
- If the nature of the incident cannot be fully determined using internal Company resources, the Incident Lead shall engage professional forensic experts to assist with the investigation.
- 3.4Incident Classification
- The Incident Lead, in consultation with the CPO and Company’s Legal counsel, as appropriate, and based on all information gathered regarding the incident, shall classify the incident according to the following five categories (see Appendix B for a detailed explanation of each classification):
- No Impact
4INCIDENT CONTAINMENT AND DOCUMENTATION
- 4.1Containment Action Plan
- The Incident Lead is responsible for assigning personnel to undertake corrective actions to contain the impact of and risks posed by the Security Incident. For incidents with High or Severe impact, Company’s Legal counsel, and Director of Systems will provide input into and approve the containment action plans.
- Depending on the incident nature and scope, such corrective actions may include:
- Physically isolating the affected host(s);
- Changing all passwords or disabling systems to which the attacker may have had access;
- Disabling access to compromised file or data systems that are shared with other computers;
- Continued monitoring of system and network activities;
- Changing business or administrative processes or systems;
- Educating and alerting Company Representatives of exposure risks;
- Revising vendor contracts or statements of work;
- Conducting vendor site reviews, audits, or other assessments or requiring vendor certification of changes or corrections to business or administrative processes or systems; and
- Conducting audits, reviews, or other self-assessments of Company processes or systems.
- The CPO is responsible for reviewing and finalizing the following documentation for incidents with low, medium, high, and severe impact:
- Incident report(s);
- Investigative reports, which should include a summary of the incident, a root cause analysis, and recommended corrective action, if any; and
- Documentation regarding any corrective action taken.
- Documentation of each Security Incident should be made either by preparing a written report containing substantially the same information as would be included in such logs.
- 5.1Assessing the Need for Notifications
- Based on the CPO’s initial classification of each Security Incident, the Company’s Legal counsel, in consultation with the Incident Lead, will determine if the incident involves a “breach” of information security within the meaning of applicable breach notification laws and whether notification therefore must or should be provided to any of the following and/or others:
- Individuals whose personal information apparently was involved in a security breach (as defined by law);/li>
- Law enforcement agencies;/li>
- State or federal agencies; and/li>
- The media
- 5.2Identifying Individuals to Notify
- If notifications to individuals are required by applicable law, the CPO and the Incident Lead shall:
- Prepare a list of apparently affected individuals, to the best of Company’s knowledge; and
- Use public sources to seek current contact information for individuals if needed for notification letters.
- 5.3Preparing Notification Letters
- The CPO and the Company’s Legal counsel shall coordinate to prepare the text of notification letters in accordance with applicable law, which generally shall include statements regarding:
- The nature of the incident;
- The categories of personal information that were compromised;
- The types of risks that the individual may be exposed to or a statement that harm is not likely as a result of the breach;
- The actions being taken by Company to mitigate any possible harm;
- Steps individuals can take to mitigate any possible harm, such as how to obtain free credit reports and how to file fraud alerts with nationwide credit reporting agencies;
- The need for individuals to remain vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft; and
- The availability of online guidance from the Federal Trade Commission (“FTC”) regarding measures to protect against identity theft, with directions for the individual to report any suspected incidents of identity theft to the FTC.
- 5.4Notifications to Others
- Notification letters to federal, state, and local authorities must be addressed to appropriate agencies and contain the specific information required by applicable law. Company’s Legal counsel will advise on the content and specific recipients of such letters based on the scope of the incident and an analysis of applicable law.
- The Incident Lead and the Company’s Legal counsel shall also address and ensure compliance with any other legal requirements related to breach notification, including notification to consumer reporting agencies, credit/debit card companies, and the media.
- 6.1Implement Communications Plan
- For any incident that is classified as a High or Severe event under the classifications described in Appendix B, the Incident Lead, the CPO, the Company’s Legal counsel , and senior management shall establish a communications plan in order to control the flow of information and help prevent false or misleading reports about the incident. The following steps should be taken when developing the communications plan:
- Create communications outlining:
- Basic facts (what happened, what data was exposed, to whom)
- Steps Company is taking to prevent reoccurrence
- Steps Company is taking to mitigate harm;
- Determine the executive(s) who will deliver messages and obtain media training for the them if necessary; and
- Create FAQs to support the communications plan.
- 6.2Standby Media Statements
- Messages should be prepared to be ready to provide to the media, even if there is no current plan or requirement to report a particular incident to the media.
- 6.3Responding to Individuals
- The content and timing of any responsive communications with individuals should be coordinated with any formal notifications being provided under applicable breach notification laws. The CPO and Incident Lead, with input from the Company’s Legal counsel and local IT as appropriate, shall determine how questions from affected individuals will be managed. This could be done by:
- Establishing a designated e-mail address to which inquiries should be sent;
- Posting FAQs on the Company website; or
- Establishing a call center to receive inquiries.
- If a call center is established, obtain a toll-free number and train personnel on messages.
7REMEDIATION FOR INDIVIDUALS
- 7.1Offering Remedial Assistance to Affected Individuals
- 7.1.1Additional Corrective Action as Warranted
- The CPO will participate in additional discussions around corrective action as warranted by the Security Incident.
8POST-INCIDENT REVIEW; CLOSING DOCUMENTATION
- The CPO and Incident Lead shall conduct a post-incident review to determine what steps can be taken to prevent reoccurrence. They shall obtain input from all involved with the incident’s occurrence, discovery, investigation, containment, notification, and remediation. The CPO and Incident Lead shall document and distribute an analysis of the incident and the response to it as a means to facilitate organizational learning. The CPO may also recommend additional specific controls or improvements to the Information Security Program, including additional training, enhanced call center services, etc.
1 A person’s first and last name or first initial and last name in an e-mail address would qualify as NPI if combined with any of the other data elements listed.
2 For purposes of this Plan, the Chief Privacy Officer is the VP of Corporate Ethics and Compliance or his/her designee.
INCIDENT DISCOVERY REPORTING FORM
SECURITY INCIDENT CLASSIFICATIONS
The nature and severity of a security incident will determine the appropriate response strategy. The Incident Lead, together with CPO and Legal, will classify the severity of the incident based on the definitions below. The classification of an incident may be escalated or downgraded based on changes in circumstances and the discovery of additional information.
Classification levels are defined as follows:
No impact. A report and investigation determined that no unauthorized access to, acquisition of, or other disclosure of Company Confidential Information (“CCI”) or Nonpublic Personal Information (“NPI”) occurred.
Low. A low-level event is an event that causes inconvenience, aggravation, and/or minor costs associated with recovery, unintentional actions at the user or administrator level, or unintentional damage or minor loss of recoverable information. The event will have little, if any, material impact on Company’s operations or reputation. Examples: policy or procedural violations, confirmed virus infections, unusual system performance or behavior, system crashes, installation of unauthorized software, and scans of systems.
Medium. A medium-level event is an event that may cause damage, corruption, or loss of replaceable information without compromise or may have a moderate impact on Company’s operations or reputation. Examples: misuse or abuse of authorized access, accidental intrusion, sharing of passwords, unexplained access-privilege changes, or unusual after-hour activities.
High. A high-level event is an event that can cause significant damage, corruption, compromise, or loss of CCI. The event can result in potential damage and liability to Company and to its public image and may degrade customer confidence concerning products and services. Examples: computer intrusions, compromise of critical information, widespread virus infection, attacks against the IT infrastructure (e.g., domain name servers, firewalls, and backup systems) and denial-of-service attacks that disable a critical service or impede business performance.
Severe. A severe event is determined to involve unauthorized access to or acquisition of NPI, with the exception of access to information of less than ten Company Representatives by other Company Representatives, with no further unauthorized access to the NPI by other persons.
INCIDENT RESPONSE CONTACT LIST
Incident response contact list available. Please call 1 (347) 759 0105.