This Procedure provides general principles and an approach model to respond to and mitigate breaches of any type of personal data (a “personal data breach”) in one or both of the following circumstances:
This procedure is also applicable to any other type of security incident.
The Procedure lays out the general principles and actions for successfully managing the response to a data breach as well as fulfilling the obligations surrounding the notification to Supervisory Authorities and individuals as required by the EU GDPR.
All employees, contractors, temporary employees, and third parties working for or acting on behalf of Resolver Inc. (“Company”) must be aware of and follow this procedure in case of a personal data breach, security weakness, or an incident.
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation (GDPR):
A Data Breach Response Team must be a multi-disciplinary team comprised of knowledgeable and skilled individuals from the IT Department, IT Security, Legal, and Public Affairs. The team may be a physical (local) or virtual (multiple locations) team that responds to any suspected/alleged data breach, security weakness, or security incident (hereinafter collectively referred to as a “data breach”).
The Chief Information Security Officer (CISO) appoints the Data Breach Response Team members. The team must be appointed in advance, regardless of whether or not a breach has occurred.
The team must ensure that necessary readiness for a data breach response exists, along with the needed resources and preparation such as call lists, the substitution of key roles, desktop exercises, plus a required review of company policies, procedures, and practices.
The team’s mission is to provide an immediate, effective, and skillful response to any suspected/alleged data breaches affecting the Company.
If required, the team members may also involve external parties (e.g., an information security vendor) for digital forensics tasks or an external communications agency to assist the Company in crisis communications needs.
The Data Breach Response Team Leader (CISO) can choose to add additional personnel to the team to deal with a specific data breach.
The Data Breach Response Team may deal with more than one suspected/alleged or actual data breach at a time. Although the core team may be the same for each suspected/alleged or actual data breach, this is not required.
The Data Breach Response Team must be prepared to respond to a suspected/alleged or actual data breach 24/7, year-round. Therefore, the contact details for each member of the Data Breach Response Team, including personal contact details, shall be stored in a central location and shall be used to assemble the team whenever notification of a suspected/alleged or actual data breach is received.
Once a data breach is reported to the Data Breach Response Team Leader, the team must implement the following:
The Data Breach Response Team will convene for each reported (and alleged) data breach and will be headed by the Data Breach Response Team Leader.
If it is determined that breach notification must be sent to affected parties, the Company’s standard breach notification letter (as modified for the specific breach) will be sent out to all affected individuals. Notice to affected parties shall be written in plain language and must contain the following information, all of which is included in the Company’s standard breach notification letter:
Notice to affected parties shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
Since GDPR requirements are more restrictive and require notification within 72 hours, Resolver will be following the GDPR requirement.
If the Company determines that notification requires urgency because of possible imminent misuse of unsecured PHI, a notification may be provided by telephone or other means, as appropriate, in addition to the methods noted above. It is the responsibility of the Company to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.
If a law enforcement official states to the Company or a business associate that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Company shall:
The Data Breach Response Process is initiated when anyone notices a suspected/alleged or actual data breach and notifies any Data Breach Response Team member. The team is responsible for determining whether the breach should be considered a breach affecting personal data.
The Data Breach Response Team Leader is responsible for documenting all decisions of the core team. Since the supervisory authorities might review these documents, they need to be written precisely and thoroughly to ensure traceability and accountability.
When the personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, the Data Protection Officer of the Company acting as a data processor must report any personal data breach to the respective data controller/controllers without undue delay.
The Data Protection Officer will send a notification to the controller that will include the following:
The Information Security Analyst will record the data breach into the Data Breach Register.
When the personal data breach or suspected data breach affects personal data that is being processed by the Company as a data controller, the following actions are performed by the Data Protection Officer (DPO):
The CISO will send notifications to the Supervisory Authority that will include the following:
The CISO must assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Protection Officer of the Company must notify the affected data subjects without undue delay.
The Notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 7.
If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject, the CISO must take the necessary measures to ensure that the affected data subjects are notified by using appropriate, publicly available channels.
Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment), and may also face civil or criminal liability if their action violates the law.
| Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time |
| Call lists & substitution | External (Regulatory): Emergency Contact Information – not publicly available (dedicated to internal resources); External (Customer): Salesforce – https://resolver.my.salesforce.com | CISO | Only authorized persons can edit the files. | Permanently |
| Contact details | External (Regulatory): Emergency Contact Information – not publicly available (dedicated to internal resources); External (Customer): Salesforce – https://resolver.my.salesforce.com | CISO | Only authorized persons can edit the files. | Permanently |
| Documented decisions of the Data Breach Response Team | https://resolver.box.com/s/uthz3biaw9ydqj80z89x73ob95app46c | CISO | CISO or VP | 5 years |
| Data breach notifications | https://resolver.box.com/s/uthz3biaw9ydqj80z89x73ob95app46c | CISO | CISO or VP | 5 years |
| | https://resolver.box.com/s/uthz3biaw9ydqj80z89x73ob95app46c | Information Security Analyst | Information Security Analyst | Permanently |
This document is valid as of August 2023.
The owner of this document is the Information Security Analyst, who must review and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed