The company considers the unwanted and/or unauthorized release and exposure of personal information collected through the course of its business and operations a serious issue. While it has implemented and maintains policies and procedures to protect this data, the company recognizes the potential risks associated with security breaches. Under certain circumstances, and in accordance with federal and state laws, the company is required to provide notice about data security breaches of protected personal information to affected individuals and appropriate state agencies. In the event that sensitive and/or protected personal information collected by the company is exposed as a result of a Data Security Breach, as defined below, the following procedures MUST and will be followed.
Definition - What does Data Security Breach mean?
A Data Security Breach is an incident that involves the unauthorized or illegal viewing, use, access or retrieval of data by an individual, application, or service. It may be a breach specifically designed to steal and/or to publish data to an unsecured or illegal location but can also involve the intentional or inadvertent release of or unauthorized access to data which may compromise the security, confidentiality or integrity of personal information. Data Security Breaches are typically targeted at digital data and conducted over the Internet or a network connection.
A Data Security Breach may result in data loss or release, including financial, personal and health information. A hacker also may use stolen data to impersonate another individual to gain access to a more secure location. For example, a hacker's Data Security Breach of a network administrator's login credentials can result in access to an entire network.
A Data Security Breach may also be known or referred to as a “data spill” or a “data leak”.
Definition - What does Personal Information mean?
OOC collects the following non-personal data when you visit the OOC website: Internet domain and IP address from which you access our website, the browser and operating system used to access the website, the date and time you accessed our website, the pages you visited. We use this information to improve our website to meet the needs of our visitors.
Your Access to and Control Over Your Information
For purposes of this policy, Personal Information is defined as an individual’s first name or first initial and last name, in combination with any of the following data:
- Social Security number*
- Driver’s license number or government-issued Identification Card number
- Financial account number, credit or debit card number with or without any personal identification number such as an access code, security codes or password that would permit access to an individual’s financial account*
- Account passwords or personal identification numbers or other access code
- Home address or email address
- Medical or health information*
- Biometric data, meaning data generated by electronic measurements of an individual’s unique physical characteristics that may be used to authenticate or ascertain the individual’s identity, or
- A username or email address in combination with a password or security question that would permit access to an online account.
* Any breach that involves the compromise of data that by itself, and not in combination of any other data, may result in identity theft of an individual will also qualify as Personal Information.
Also note that Personal Information does not include information that is lawfully made available to the general public from federal, state or local government records.
Breach Notification Team
The company has assembled a Breach Notification Team which, in the event of a possible or actual Data Security Breach, is responsible for communicating, investigating and reporting on the Data Security Breach. This Breach Notification Team consists of the following staff members:
- Michael Treadwell, Executive Director (Human Resources)
- Austin Wheelock, Deputy Director and Property Manager/Director of Loss Prevention (Operations and Loss Prevention)
- Evelyn LiVoti, Marketing & Development Manager/Data Security Coordinator (Management Information Systems and Public Relations)
- Barclay Damon, Legal Team
Utilizing the members of its Breach Notification Team, the company will investigate every possible and actual Data Security Breach and report on relevant facts to determine whether it has a duty to notify the public, affected individuals and state agencies of the Data Security Breach, as required by applicable law.
Types of Breaches
There are many types of computer incidents that may require notice to and action by the Breach Notification Team. Some examples include:
- Data Security Breach of Personal Information – either via physical or electronic form
- Excessive Port Scans
- Firewall Breach
- Virus Outbreak
- Ransomware attack
Personal Information Data Security Breach
The following incidents may require notification to individuals under applicable laws and regulations:
- A user (company associate, contractor, or third-party provider) has, without authorization, used or obtained access to Personal Information maintained in either paper or electronic form.
- An intruder has broken into database(s) that contain Personal Information on any individual or information that is capable of compromising the security, confidentiality, or integrity of Personal Information.
- Computer equipment such as a workstation, laptop, CD-ROM, or other electronic media containing Personal Information on an individual or information that is capable of compromising the security, confidentiality, or integrity of Personal Information has been lost or stolen.
- Paper records containing Personal Information or information that is capable of compromising the security, confidentiality, or integrity of Personal Information, have not been properly disposed of or have been lost or stolen.
- A third party service provider has experienced any of the incidents above, affecting the company’s data containing Personal Information.
The following incidents may NOT require individual notification under applicable laws and regulations as long as the company can reasonably conclude after an investigation that misuse of the Personal Information is unlikely to occur and appropriate steps are taken to safeguard the interests of affected individuals:
- The company is able to retrieve Personal Information on an individual that was stolen, and based on its investigation, reasonably conclude that the retrieval took place before the Personal Information was copied, misused, or transferred to another person who could misuse it.
- The company determines that Personal Information on an individual was improperly disposed of, but can establish that the Personal Information was not retrieved or used before it was properly destroyed.
- An intruder accessed files that contain only individuals’ names and addresses.
- A laptop computer is lost or stolen, but the data is encrypted and may only be accessed with a secure token or similar access device which has not been compromised.
In the event that an associate (i) detects or otherwise learns of a Data Security Breach of either electronic or paper files, (ii) suspects that a Data Security Breach has occurred, or (iii) has any information that may relate in any way to a possible Data Security Breach, all members of the Breach Notification Team should immediately be alerted. If the potential breach is electronic in nature, the Data Security Coordinator will begin the investigation to determine where the Data Security Breach occurred, the overall extent of the Data Security Breach and how much data, computers and/or electronic files were affected. This investigation will include, but not be limited to, reviewing firewall, network security application review and server security application review.
To the extent possible, all efforts will be made by the Data Security Coordinator to detect any potential future exposures and prevent further unauthorized access to company data and Personal Information.
Upon isolating where a Data Security Breach of physical records took place, the Director of Loss Prevention should be reviewing surveillance records to determine who had the last access to the area where the Data Security Breach occurred. Security measures such as changed locks and or changed passwords should take place to prevent further unauthorized access to the files and to Personal Information.
Accurate Record Keeping Required
Accurate record keeping will assist in documenting the reasonable and immediate response steps that the company took following notification of a Data Security Breach. Therefore, upon being notified of a potential or actual Data Security Breach, all Breach Notification Team members must keep accurate and contemporaneous notes of all actions taken, by whom, and the exact time and date. Each member of the Breach Notification Team involved in the investigation must record his or her own actions and observations.
The following information, in particular, should be reviewed and recorded:
- Date, time, duration, and location of the Data Security Breach.
- How the Data Security Breach was discovered: by whom, and any known details surrounding the Data Security Breach (e.g., method of intrusion, entry or exit points, paths taken, compromised systems, whether data was deleted, modified or viewed, whether any physical assets are missing).
- Details about the compromised data, including a list of affected individuals and their relationship with the company (associate, vendor, customer, etc.), data fields (including all fields of Personal Information maintained), number of records affected; whether any data was encrypted (if so, which fields). If the data was unencrypted and included an individual’s name plus social security number, driver’s license or state ID, credit card or bank account information, biometric information, or any username/email address and password/security question that would permit access to an online account, all members of the Breach Notification Team should be notified as soon as possible.
Steps Relating to the Notification of a Data Security Breach Involving Personal Information:
If the Breach Notification Team concludes that the information associated with the Data Security Breach involves Personal Information that was not encrypted or otherwise secured, the following steps are to be followed:
- If the Data Security Breach relates to electronic records, the Data Security Coordinator should provide a detailed analysis of the nature and extent of the Data Security Breach and the Personal Information compromised in the Data Security Breach. This analysis should determine exactly what Personal Information was breached (i.e. social security numbers) and whether there is a high likelihood that the type of Personal Information compromised could lead to identity theft. The analysis should also, when possible, detail who may have been party to or aware of the disclosure of the Personal Information. This analysis must be in writing.
- If the Data Security Breach relates to physical records, the Director of Loss Prevention should provide a detailed analysis of the nature and extent of the Data Security Breach and the Personal Information which was compromised in the physical breach. This analysis should include, but not be limited to, which department the physical Personal Information data is/was stored in, who had access to the physical Personal Information data and by what means and the extent to which the physical Personal Information data was protected. The analysis, when possible, should also detail any investigation that has occurred in determining how the physical Data Security Breach took place and to whom the Personal Information may have been disclosed. This analysis must be in writing.
- Legal Team will need to analyze the legal implications of the Data Security Breach. If necessary, based on the size and/or scope of the Data Security Breach, appropriate authorities (e.g., Attorney General’s Office, etc.) may need to be notified per state and federal law. Any notification to individuals may be delayed if law enforcement determines such notification will impede a criminal investigation. Notification will take place after law enforcement determines that it will not compromise the investigation.
- If the public and/or individuals need to be notified of the Data Security Breach, the Marketing & Development Manager should be notified immediately to allow them time to prepare to answer questions or issue statements, as authorized by the Officers of the company. Notification to media, customer, and/or associates should be prepared, but not sent until first provided to the Legal Team, the Executive Director and at least one Officer of the company for review and authorization to publish.
- If Notification to individuals is required, it should be timely, conspicuous and delivered in a manner that will ensure the individual receives it. Notice should be consistent with state and federal laws and regulations in content, delivery and timing (generally as soon as practicable).
- Written notice
- Email notice
- Substitute Notice - Depending on Size and Scope of the Data Security Breach
- Conspicuous posting of the notice on the company website
- Notification to major media – subject to prior consent and approval of Executive Director and at least one Officer of the company
- A general description only (no specifics) of the incident and information to assist individuals in mitigating potential harm, including the company’s customer service number. An outline of steps individuals can take to obtain and review their credit reports and to file security freeze requests and if necessary, fraud alerts, with nationwide credit reporting agencies, and sources of information designed to assist individuals in protecting against identity theft.
- Remind individuals of the need to remain vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft.
- Inform each individual about the availability of the Federal Trade Commission’s (FTC’s) online guidance regarding measures to protect against identity theft, and encourage the individual to report any suspected incidents of identity theft to the FTC. Provide the FTC’s website address and telephone number for the purposes of obtaining the guidance and reporting suspected incidents of identity theft. Visit the FTC website to report identity theft. The toll-free number for the identity theft hotline is 1-877-IDTHEFT.
Appropriate delivery methods include:
Items to consider including in notification to individuals:
Failure to adhere to this policy and procedure may result in disciplinary action up to and including termination. If an associate has any questions or concerns regarding a Data Security Breach, Personal Information or his or her obligations relating to this policy, please contact the Legal Team, the Executive Director, the Deputy Director, the Marketing & Development Manager or an Officer of the company.
This policy was adopted on the 9th day of March, 2020, by action of the Board of Directors.
This Policy was reviewed and reaffirmed on the 22nd day of March, 2021, by action of the Board of Directors.