Data Breach Response Policy
Last modified: 10/19/2022
PURPOSE
This policy establishes how Construction Management Enterprises will respond in the event of a data breach and outlines an action plan to investigate potential breaches and to mitigate damage if a breach occurs. This policy is in place both to minimize the potential damage that could result from a data breach and to ensure that Construction Management Enterprises properly informs parties affected by a data breach of how to protect themselves.
SCOPE
This policy applies to all incidents where Construction Management Enterprises could reasonably suspect, or confirm, a breach of customer or employee personal identifying information.
DEFINITIONS
Personal Identifying Information (PII): information that one could use to distinguish or trace an individual’s identity. PII may include:
- Social Security numbers;
- Credit card information (credit card numbers, whole or part; credit card expiration dates; cardholder names; cardholder addresses);
- Tax identification numbers (Social Security numbers; business identification numbers; employer identification numbers);
- Biometric records (fingerprints; DNA; or retinal patterns and other measurements of physical characteristics for verifying the identity of individuals);
- Payroll information (paychecks; paystubs);
- Medical information for any employee or customer (doctor's names and claims; insurance claims; prescriptions; any related personal medical information);
- Other personal information of a customer, employee or contractor (dates of birth; addresses; phone numbers; maiden names; names; customer numbers).
Breach: Any situation where PII is accessed by someone other than an authorized user, or is accessed by an authorized user for anything other than an authorized purpose.
POLICY GUIDELINES
UPON LEARNING OF A BREACH
Construction Management Enterprises will immediately investigate a breach or a suspected breach of PII. Since all PII is of a highly confidential nature, Construction Management Enterprises will inform only the personnel necessary to the data breach investigation. Construction Management Enterprises will record the following information:
- When (date and time) the breach happened;
- How the breach happened;
- What types of PII were obtained, in as much detail as possible (e.g., name; name and Social Security number; name, account and password);
- How many individuals (customers, employees or contractors) were affected.
Management will then make a record of events, people involved, and any discoveries made over the course of the investigation and determine whether a breach has occurred.
PERFORM A RISK ASSESSMENT
If Construction Management Enterprises verifies and contains a breach, our team will perform a risk assessment that rates:
- Sensitivity of the PII lost (customer contact information alone may present much less of a threat than financial information);
- Amount of PII lost and number of individuals affected;
- Likelihood PII is usable or may cause harm;
- Likelihood an attacker intentionally targeted the PII (increasing the chance of fraudulent use);
- Strength and effectiveness of the security technologies protecting the PII (e.g., encrypted PII on a stolen laptop is technically lost, but the chance of it being accessed is greatly reduced, provided the encryption key or the user's credentials were not also exposed);
- Ability of Construction Management Enterprises to mitigate the risk of harm.
The risk assessment team will compile a report and analyze all information collected during the risk assessment. The team will then provide management the risk assessment report and summarize their findings.
NOTIFYING AFFECTED PARTIES
Responsibility to notify is based both on the number of individuals affected and on the nature of the PII that was accessed. Management will turn over any information found in the initial risk assessment to the legal counsel of Construction Management Enterprises, who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Management will notify those affected by the incident in a timely manner. However, Management may postpone disclosure to avoid compounding the initial incident with incomplete facts, or where a premature notice would itself make identity theft more likely.
We will make notification under these conditions:
- We will inform only those who are legally required to be notified of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
- We will always mail a physical copy to the affected parties, no matter what other notification methods we use (e.g., phone or email).
- We will establish a help line as a resource for those who have additional questions about how the breach will affect them.
The notification letter will include:
- A brief description of the incident, including the nature of the breach and the approximate date it occurred.
- A description of the type(s) of PII that were involved in the breach (general types of PII, not an individual’s specific information).
- An explanation of what Construction Management Enterprises is doing to investigate the breach, mitigate its negative effects and prevent future incidents.
- Steps the individual can take to mitigate any potential side effects from the breach.
- Contact information for a Construction Management Enterprises representative who can answer additional questions.
MITIGATING RISKS
Based on the findings of the risk assessment, we will develop a plan to mitigate the risk involved with the breach. The exact course of action will be based on the type of PII that was involved in the data breach. The course of action will aim to minimize the effect of the initial breach and to prevent similar breaches from taking place.
- We will notify affected individuals as soon as possible so they can take their own steps to mitigate potential risk.
- If there is substantial concern for fraudulent use of the PII, Construction Management Enterprises will offer affected individuals free access to a credit monitoring service.
Construction Management Enterprises will also provide affected individuals with steps they can take to mitigate their own risk. The steps provided will depend on the data breach. If the breach has created a high risk for fraudulent use of financial information, we may advise customers to:
- Monitor their financial accounts and immediately report any suspicious or fraudulent activity.
- Contact one of the three major credit bureaus and place an initial fraud alert on their credit report (the bureau that receives the alert is required to pass it on to the other two). This can be extremely helpful in situations where PII that can be used to open new accounts, such as Social Security numbers, has been taken.
- Be alert to criminals who may see the breach as an opportunity to pose as Construction Management Enterprises employees in order to deceive affected individuals into divulging further personal information.
- File a report with their local police, or with the police in the community where the breach took place.
- Complete a Federal Trade Commission Identity Theft Affidavit, available at https://ftc.gov/opa/2002/02/idtheft.shtm. This form allows the affected individual to notify their creditors that their identity has been compromised and will minimize their liability for fraudulent use of their identity.
We will include in the notification letter instructions on the steps a customer can take to reduce their risk. Beyond the information listed above, appropriate Construction Management Enterprises personnel will, where possible, provide additional information tailored to the individual breach.