To provide guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of customer data occurs. Breach notification will be carried out in compliance with all applicable federal or state notification law.
In the case of a breach, JupiterOne shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.
JupiterOne policy requires that:
(a) Breach notification procedures are invoked upon confirmation of a security breach that results in unauthorized disclosure of unprotected/unencrypted sensitive data.
(b) Individuals impacted by a confirmed data breach must be notified within 60 days of discovery of such breach.
Discovery of Breach: A breach of Customer data shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence, would have been known to JupiterOne (this includes breaches by the organization’s Customers, Partners, or subcontractors). JupiterOne shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. JupiterOne shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).
Breach Investigation: The JupiterOne Security Officer shall name an individual to act as the investigator of the breach (e.g., Security Officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of seven years. A breach log is kept and maintained by the Security Officer.
Risk Assessment: For an acquisition, access, use or disclosure of Customer data to constitute a breach, it must be demonstrably in violation of permissible use and/or disclosure, and occur despite reasonable safeguards and proper minimum necessary procedures. To determine if an impermissible use or disclosure of Customer data constitutes a breach and requires further notification, JupiterOne will need to perform a risk assessment to determine if there is significant risk of harm to the Customer as a result of the impermissible use or disclosure. JupiterOne shall document the risk assessment as part of the investigation in the incident report form, noting the outcome of the risk assessment process. JupiterOne has the burden of proof for demonstrating either that all notifications were made to the appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, JupiterOne will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact-specific and address:
Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected JupiterOne Customers, usually within 24-48 hours but no later than 10 calendar days after the discovery of the breach. It is the responsibility of the JupiterOne organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, JupiterOne shall:
Content of the Notice: The notice shall be written in plain language and must contain the following information:
Methods of Notification: JupiterOne Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, JupiterOne shall maintain a process to record or log all breaches of unsecured Customer data regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):
Workforce Training: JupiterOne shall train all members of its workforce on the policies and procedures with respect to Customer data as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.
Complaints: JupiterOne must provide a process for individuals to make complaints concerning the organization’s privacy policies and procedures or its compliance with such policies and procedures.
Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.
Retaliation/Waiver: JupiterOne may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights as a condition of employment, payment, enrollment in a health plan, or eligibility for benefits.
[Name] [Name of Customer] [Address 1] [Address 2] [City, State Zip Code]
Dear [Name of Customer]:
I am writing to you from JupiterOne, Inc., with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date]; the breach occurred on or about [Insert Date]. The breach occurred as follows:
Describe event and include the following information:
Other Optional Considerations:
We will assist you in remedying the situation.