1.    Purpose

This Policy is designed to outline Acclinate’s process for responding to a Data Breach impacting Sensitive Personal Data, as defined herein. 

2.    Scope

This Policy applies to all employees, contractors, and other individuals working under contractual agreements with Acclinate who have access to Personal Data.

3.    Definitions

Data Breach – Unauthorized acquisition, access, use, or disclosure of Sensitive Personal Data within the possession, custody, or control of Acclinate or a third party supplier or other entity in a legal relationship with Acclinate.

Personal Data – Information Acclinate has collected or otherwise maintains that identifies or can be used to identify a unique individual, including, but not limited to:

• Name;
• Address;
• Telephone number;
• Email address;
• User identification and account access credentials, including username and password; or
• Test session recording.

Sensitive Personal Data – Personal Data that if lost, compromised, accessed, acquired, or improperly disclosed could result in harm (including identity theft and/or financial fraud), embarrassment, inconvenience, or unfairness to an individual. Examples of Sensitive Personal Data include, but are not limited to:

• An individual’s government-issued identification number, including a driver’s license number, passport number, or state-issued identification number.
• Biometric information.
• User name or email address, in combination with a password or security question and answer that would permit access to an online account.

Sensitive Personal Data also includes any other information that is regulated by applicable law (e.g., state data breach notification statutes, international privacy laws).

4. Procedure

Reporting a Possible Data Breach

1. Any individual within scope of this Policy who becomes aware of a possible Data Breach will immediately inform their supervisor/manager.
2. The supervisor/manager will verify the circumstances of the possible Data Breach and inform the Chief Executive Officer within twenty-four (24) hours of the initial report.
3. The supervisor/manager will work with the individual who reported the possible Data Breach and others, as necessary, to gather all relevant details about the incident, including when and how the incident was discovered, what systems/locations were affected, what information may have been impacted, and any steps taken to contain, investigate, or respond to the incident.
4. The Chief Executive Officer, in conjunction with the Company’s legal counsel, will work to confirm the existence of the Data Breach and decide whether to notify other senior officers, as appropriate, by taking into consideration the severity, nature, and scope of the Data Breach.

Containing the Data Breach

1. Acclinate will take reasonable steps to limit the scope and effect of the Data Breach, including the following, as appropriate:
2. Isolating affected technology systems from the network;
3. Eradicating any external threat to Acclinate’s information technology systems;
4. Recovering and/or restoring the confidentiality of impacted records, if possible; and
5. Engaging consultants and law enforcement.

Investigating the Data Breach

1. To determine what other steps are immediately necessary, the Chief Executive Officer, in collaboration with Acclinate’s information security team, legal counsel, affected department(s), and other relevant stakeholders will investigate the circumstances of the Data Breach.
2. The investigation will include an assessment of the following:
3. What systems, devices, and/or locations were impacted;
4. What information was impacted;
5. What individuals, institutions, entities, and others were affected; and
6. The root cause of the Data Breach.
7. Steps will be taken to preserve relevant evidence pertaining to the Data Breach (e.g., system logs, forensic images).

Evaluating the Risks Associated with the Data Breach

1. Acclinate’s incident response team will review the results of the investigation to evaluate the risks to impacted systems and data and to develop a remediation and response plan.
2. The Chief Executive Officer, in collaboration with the Company’s legal counsel, will evaluate Acclinate’s legal obligations in responding to the Data Breach, and whether the Data Breach warrants reporting to regulators and/or affected parties. Factors to be considered include:
3. Acclinate’s legal obligations
4. the Company’s legal counsel shall perform a privileged assessment of the potential Data Breach and provide the results of the assessment to the Chief Executive Officer.
5. the legal assessment shall take into account Acclinate’s contractual obligations and obligations under applicable laws, regulations, and regulatory guidance.
6. Extent of the compromise to affected records containing Sensitive Personal Data; and
7. Risk of identity theft, fraud, or other harm to impacted individuals.

Remediation

1. Once immediate steps are taken to mitigate the risks associated with the Data Breach, Acclinate will take reasonable steps to remediate the Data Breach and to prevent future similar incidents from occurring.
2. Acclinate shall perform a review of relevant physical, organizational, and technological controls and policies and procedures.
3. Acclinate shall perform a lessons learned analysis to evaluate any necessary changes to its information security program.
4. The Chief Exective Officer will provide guidance to relevant departments and stakeholders regarding any remedial measures to put into effect.
5. Any remedial measures will be reviewed and updated as necessary.

5.    Compliance and Enforcement

All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination.