Incident Response Plan
zBuys is committed to appropriately protecting all information relating to its members and affiliates, as well as protecting its confidential business information (including information relating to its employees, affiliates, and members). To achieve this goal and to minimize the risk of loss, theft, or compromise of business or customer-related information, appropriate systems, operating procedures, and policies are in effect and are regularly reviewed and updated.
The purpose of this Privacy and Security Incident Response Standard Operating Procedure (SOP) is to provide a well-defined and organized approach for handling actual or potential threats to zBuys’s business or customer information maintained electronically (on computers and/or networks), or maintained physically in any other format. This SOP is intended to be a durable, living document that may be amended in order to improve or clarify response processes.
The plan also identifies and describes the roles and responsibilities of the Privacy/Security Incident Response Team who will put the plan into action.
This response plan is meant to address privacy/security incidents involving any and all zBuys data, including zBuys data under the control or responsibility of a Business Associate or other third party.
In the event of a privacy/security incident, the goals of zBuys’s Privacy/Security Incident Response Team are to:
While the major goals described above are common to all privacy or security incidents, every privacy or security incident involves different degrees of potential risk and different potential for magnitude of harm to zBuys. For instance, a minor incident may involve a low risk but inappropriate verbal disclosure of information that is non-sensitive in nature, while a major incident may involve loss or disclosure of sensitive information of multiple affected parties.
For the purposes of this response plan, a privacy incident is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of sensitive data that compromises the security, confidentiality, or integrity of:
A Security Incident is any known or suspected event or condition which may put the confidentiality, integrity, or availability of sensitive data at risk.
Appropriate members of the Incident Response Team will be determined by the nature of the incident, but may include a representative(s) from any/all of the following:
Incidents have a timeline that generally contains an Initial Response phase and a Continuing Response phase. Initial Response begins as soon as an incident is discovered or reported and includes time-sensitive first response actions to limit damage while a more organized response is being planned. Continuing Response includes all activities necessary to close an incident case, including investigation, correcting processes, notifying affected individuals, and reporting to regulatory agencies as required by law. Generally, the activities within each phase are ongoing and may occur simultaneously, and there may be some overlap between Immediate Response activities and Continuing Response activities. For instance, Investigation may uncover the need for additional Analysis, Containment, Communication, and activation of additional members of the Incident Response Team.
Immediate Response (0-1 Business Day)
Continuing Response (0-15+ days)
Information relating to privacy/security incidents may be reported or discovered in numerous ways. Some of them are listed below.
1. Customers/members and others may report (or complain of) a privacy/security incident to any member of the zBuys workforce, including employees, contractors, and call center agents.
2. Employees may report an incident to local management.
3. Workforce members may submit a report by email (Outlook) using their @qualitybrandco.com email address.
4. Employees may report Security Incidents by submitting IT tickets or by contacting staff in the Information Technology Department.
5. Employees may report directly to the Compliance Department in person, by email, or by phone to any member of the Compliance Department or by using the specified department email address (firstname.lastname@example.org).
6. The Compliance function may observe an incident (for instance, while a member is conducting a staff training or during walkthroughs designed to detect risks or spot improper use, disclosure, storage, transmittal, or disposal of information).
7. Business Associates and/or Third Party Vendors may notify a department with whom they conduct business, a member of senior or executive management, or the Compliance Department.
8. Employees may call the zBuys Compliance Hotline at 1-406-599-6697.
Incidents that should be reported include but are not limited to:
a. Customer Privacy Complaints relating to:
i. Customer Privacy Rights
iii. Inappropriate use, access or disclosure of health information
b. Employee-related Privacy Concerns relating to:
i. Inappropriate use, access or disclosure of health information
ii. Inappropriate use, access or disclosure of confidential (non-health) information
iii. Inappropriate modification, deletion or destruction of health information
c. Other Concerns relating to:
i. Loss or deletion of stored data; loss or theft of laptops, handheld devices, or portable media storage containing confidential business or individually identifiable information.
d. Theft or Loss of zBuys Computer Equipment, including:
i. Desktop computers,
ii. Laptop computers,
iii. External hard drives
iv. Compact disks/DVDs
vi. Thumb drives,
e. Computer/Network Intrusions, Data Losses, or other Compromises, including:
i. The unauthorized access, viewing, copying, forwarding, or removal of electronically stored data; or
ii. Any other incidents that result, or may result, in the unauthorized acquisition or release of, or any other potential compromise of, electronically stored business or customer information.
f. Data Transmission Incidents, including:
i. Inadvertent e-mail releases
ii. Unsecured data transmission
Determining that an Incident has Occurred
The Compliance Officer and/or designee(s) make the final determination as to whether an incident has occurred that requires an incident response according to this Incident Response Plan. An incident is defined in the section titled “Defining a Privacy/Security Incident.”
If a determination is made that no incident has occurred, responding staff will take appropriate steps to close the response and document the facts and the finding that no incident occurred. This may include communications to staff, keeping in mind that some findings may be restricted.
Involving Management and/or the IT/Compliance Departments
Upon discovery of an incident, or receipt of a report that an incident has occurred, by any member of the zBuys workforce:
a. The name and contact information of the reporting individual (if applicable)
b. The location of the incident
c. The circumstances of the incident to include involved parties
Timeline Note: Timeliness in reporting to the Compliance Department is critical to ensure timeframes are compliant with law. By law, a privacy/security breach is considered “discovered” when any member of zBuys’s workforce knows of it or should have known of it in the exercise of due diligence. This discovery date starts the clock that requires investigation and notification within specified timeframes.
zBuys’s initial response to an incident can make the difference between a situation that is handled properly and a catastrophe. For instance, if a Security Incident is discovered involving hacking of a zBuys system or network, the immediate steps taken to stop unauthorized access and secure data could make a huge difference in the amount of damage inflicted on individuals and on zBuys.
Depending on the nature of an incident, its scale, potential impact, risk to the organization, or other factors, zBuys staff may respond in a variety of ways, including:
When a breach is discovered, the Incident Response Team may determine the need to conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons to whom information may reach. Incident Response Team members may, within their areas of responsibility or collaboratively, take steps to attempt to have lost/stolen/inappropriately disclosed information returned or destroyed. For instance, area managers may attempt to contain and control an incident by suspending certain activities or locking and securing areas of record storage; Human Resources may suspend employees as appropriate to prevent compromising behavior; and the Information Technology Department may shut down particular applications or third party connections, reconfigure firewalls, change computer access codes, or change physical access codes.
The Help Desk must still be notified of the incident to ensure proper notification, resolution and follow up by the appropriate members of the Incident Response Team.
If applicable, staff members closest to the incident will determine the extent of the incident by identifying all information (and systems) affected, and take action to stop the exposure. This may include:
This would most typically occur in instances of electronic system intrusion, exposed physical files or records, or similar situations.
If the incident occurred at/by a third party, the Incident Response Team will determine if a legal contract and business associate agreement exist. The Compliance Officer and/or designee will work with the Legal Department and the department holding the contract/business associate agreement to review the contract terms and determine the next course of action.
Cyber-insurance and Breach Response Vendors
If an active cyber-insurance policy exists or the need is otherwise determined, the Incident Response Team may contact contracted third party vendors (cyber-insurance vendors, others) for breach response services and resources, including forensics, investigation and response consulting, notification and call center services, etc. Though recommended to occur as soon as possible after discovery, this can occur at any point as more information is obtained or the need is otherwise determined.
Documentation/Opening Incident Case Files
Compliance will document all actions taken regarding an incident, including all steps taken in accordance with this plan. This may be done using Compliance generated forms (see Appendix B – Investigation Activities Log), incident logs, or systems designated for this purpose. Compliance will begin to establish this documentation as soon as possible, at which point the incident response will be considered an open case file.
Generally speaking, documentation must, at a minimum, be thorough and complete enough to fulfill reporting requirements to government agencies and to organizational senior leadership, as well as to serve as legal documentation in the case of a future legal or regulatory proceeding. This documentation will include notations of analyses, notification, reporting, communication, meetings, and all other actions. All documentation related to privacy/security incidents must be maintained and kept confidential according to the zBuys Document Retention Policy.
Escalation/Activation of the Incident Response Team and/or Alternate Plans
As more information is gathered, responsible staff will assess each privacy/security incident to determine appropriate handling. This may involve the development and use of internal procedures by individual departments. For instance, while a minor and low risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the organization. The manager, in turn, may escalate the incident to the director, VP, or other level.
This may also involve activating alternate plans – for instance, the Disaster Recovery/Business Continuity Plans as appropriate.
Additionally, responsible departments will assess each privacy/security incident to determine which parties should be included in communications. For instance, the Compliance Department may grant view access to cases to responsible management to include area managers, directors, and vice-presidents unless circumstances exist that would preclude sharing information – for instance, if a conflict of interest exists, if sharing this information could compromise an investigation, or if the responsible manager (or a friend or family member of the responsible manager) is involved as an affected party, as a subject, or in other ways.
Some factors to consider when deciding whether to escalate:
Once analysis determines the need for escalation, the Compliance Officer will activate the Incident Response Team to an extent appropriate to each incident. The Compliance Officer will provide an initial overview of the situation as it pertains to each Incident Response Team member’s area of responsibility. For instance, the Director may engage the Legal Department when necessary as legal concerns arise or when invoking attorney-client privilege may be appropriate. The Compliance Director will also identify which Incident Response Team members will play an active role in the investigation and communicate with them accordingly.
Escalation: as scale, risk or impact increases, involvement increases*
Impact/Risk to Individuals/Organization (from lowest to highest):
1. Technician (IT team member, Privacy and Security Analyst), Management (Area Manager, etc.)
2. Department Management (Compliance Officer, Security Officer, IT Director, etc.), Incident Response Team
3. Department Management (Compliance Officer, Security Officer, IT Director, etc.), Incident Response Team, Senior/Executive Management
zBuys must continue to take action on a breach in order to understand what has happened, to reduce potential for damages resulting (both to affected individuals and to the organization), to correct what happened, to prevent future recurrence, to inform parties as appropriate, and to fulfill requirements of law.
To do so, the following steps must be carried out in response to privacy/security incidents:
Analysis and Planning
Upon notification of a real or potential privacy/security incident, the Compliance Officer or designee will perform a preliminary analysis of the facts and assess the situation to determine the nature and extent of the incident. Such analysis may include contacting the individual who reported the problem.
Analysis will also include research into any potential legal concerns beyond the more familiar federal regulations. For instance, if information is breached for a member who resides in California, analysis will include reviewing California’s privacy, security, and breach notification laws to determine reporting and other requirements of the laws of that state.
The Compliance Officer or designee, with guidance as necessary from Incident Response team members, will establish a specific incident response plan to investigate the incident, mitigate the damages associated with the exposure or disclosure of personal information, and communicate as necessary with staff, law enforcement, the media, and others. Timeliness of establishing and carrying out the plan may be critical to the public’s image of zBuys. As needed, any/all members of the Incident Response Team may be involved in carrying out the activities of the Incident Response Plan. The plan will address the following:
Thorough investigation, and documentation of that investigation, is a critical component of incident response. Thorough investigation and documentation needs to be timely, accurate, and professional, and serves several purposes as listed below.
Purposes of thorough Investigation:
Investigation needs to be timely to ensure the most accurate information and to comply with required timeframes. Even so, internal investigations and gathering of data may take several days or even weeks. In the event that law enforcement is involved, this can stretch into months.
Investigation may involve:
Mitigation and Correction
zBuys has a legal and ethical obligation to mitigate (reduce) any harmful effects that result from privacy and security incidents. Though this is only legally required if zBuys “has actual knowledge of harm,” zBuys will also take reasonable and appropriate steps to prevent harm from occurring either to individuals or to the zBuys organization. Actual privacy/security incidents may result in negative outcomes for the affected parties several months or years later; zBuys must acknowledge and be prepared to handle this risk appropriately.
Examples of Mitigation:
Closely tied to mitigation, Correction should occur after any privacy or security incident in order to prevent future recurrence and to comply with organizational policy.
Examples of Correction:
The Incident Response Team will determine what notifications are required and will make those notifications in a timely manner in accordance with federal law, state law, and organizational policy (for instance, the zBuys Policy titled “zBuys Data Breach Notification Policy” allocates the responsibility for notification of individuals affected by a privacy breach to its Privacy Official, who is typically the Compliance Officer). The Incident Response Team will:
Closing the Incident Case File
Before an incident case file can be closed, zBuys must have met the goals of incident response. To recap, those goals are to:
All information relating to the incident and activities to meet these goals will be documented in the incident case file before it can be closed. A closed incident case file will be retained according to the zBuys Document Retention Policy.
zBuys will fulfill all reporting requirements under state and federal law.
In the event that a breach involves more than 500 individuals, the Incident Response Team (Public Relations in particular) will prepare for fallout that may occur once the covered entity notifies the media.
Additionally, for the purpose of organizational improvement, information from investigation case files may be used to report to staff and management of various levels in the form of trainings, reports, or other means. Identifying information (both of customers and of staff), customer specific information, and other sensitive information will be redacted as appropriate.