Cyber CNS

Data Breach Policy

1. Background

Data security breaches are increasingly common occurrences whether caused through human error or via malicious intent. As the amount of data and information grows and technology develops, there are new ways by which data can be breached. CyberCNS needs to have in place a robust and systematic process for responding to any reported data security breach, to ensure it can act responsibly and protect personal data which it holds.

2. Aim

The aim of this policy is to standardize the Company’s response to any data breach and ensure that breaches are appropriately logged and managed in accordance with the law and best practice, so that:

  • incidents are reported swiftly and can be properly investigated
  • incidents are dealt with in a timely manner and normal operations restored
  • incidents are recorded and documented
  • the impact of the incident is understood, and action is taken to prevent further damage
  • the ICO and data subjects are informed as required in more serious cases
  • incidents are reviewed, and lessons learned

3. Definition

Article 4 (12) of the General Data Protection Regulation (“GDPR”) defines a data breach as:

“a breach of security leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

CyberCNS (‘the Company’) is obliged to act in respect of such data breaches. This procedure sets out how the Company will manage a report of a suspected data security breach.

The aim is to ensure that where data is misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the incident is properly investigated and reported, and any necessary action is taken to rectify the situation.

A data security breach can come in many forms, but the most common are as follows:

  • Loss or theft of paper or other hard copy
  • Data posted, emailed or faxed to the incorrect recipient
  • Loss or theft of equipment on which data is stored
  • Inappropriate sharing or dissemination - staff accessing information to which they are not entitled
  • Hacking, malware, data corruption
  • Information is obtained by deception or “blagging”
  • Equipment failure, fire or flood
  • Unescorted visitors accessing data
  • Non-secure disposal of data

In any situation where Customers (includes MSPs, end-customers and other Channel partners) are uncertain whether an incident constitutes a breach of security, please report it to contact@cybercns.com.

4. Scope

This policy applies to all users of CyberCNS’s products and services.

5. Reporting a Breach

Internal

Suspected data security breaches should be reported promptly to contact@cybercns.com. The report must contain full and accurate details of the incident including who is reporting the incident [and what classification of data is involved].

External

Such a breach also must be communicated to the data subject (with certain exceptions). Notification must be made “without undue delay” and within 72 hours of becoming aware of it. If the Company fails to do this, it must explain the reason for the delay.

The Company must maintain documentation on data breaches, their nature and remedial action taken.

6. Data Breach Management Plan

The Company’s response to any reported data security breach will involve the following four elements.

  A. Containment and Recovery
  B. Assessment of Risks
  C. Consideration of Further Notification
  D. Evaluation and Response

Each of these four elements will need to be conducted in accordance with the checklist. An activity log recording the timeline of the incident management should also be completed.

7. Disciplinary

Officers, members, contractors, visitors or partner organizations who act in breach of this policy may be subject to disciplinary procedures or other appropriate action.