Data Breach Reporting Policy

A. In the Event of a Breach:

  1. Assess whether there has been a breach of the organization’s security safeguards, including the loss of, unauthorized access to, or unauthorized disclosure of personal information, due to:
    • the breach of its physical, organizational, or technological security safeguards; or
    • the failure to establish security safeguards (a "Breach").
  2. Prioritize containment of the Breach.
  3. Comply with the applicable jurisdiction's privacy authority (the "Authority") data breach notification requirements:
    • Report to the appropriate governing body about any Breach that:
      • involves personal information under the organization’s control; and
      • the organization reasonably believes creates a real risk of significant harm to an individual.
  4. Notify the Authority and affected individuals as soon as feasible after determining the Breach involves a real risk of significant harm to an individual.
  5. Determine whether to provide direct or indirect notice to affected individuals.
  6. Identify any other organizations to notify about the Breach.
  7. Keep all Breach records.

B. Assess Risk of Significant Harm

  1. Understand that significant harm includes:
    • humiliation;
    • bodily harm;
    • damage to reputation or relationships;
    • loss of employment, business, or professional opportunities;
    • financial loss;
    • identity theft;
    • negative credit record effects;
    • property damage or loss.
  2. Consider these factors when determining whether a Breach creates a real risk of significant harm:
    • the sensitivity of the applicable personal information;
    • the probability of past, current, or future misuse of the personal information.
  3. To determine the personal information’s sensitivity, consider:
    • the Breach’s circumstances;
    • the personal information type;
    • whether the personal information is overtly sensitive, for example, medical or financial information.
  4. To determine the probability of misuse, consider criteria including:
    • the length of personal information exposure;
    • whether there is evidence of malicious intent;
    • whether the personal information has been recovered;
    • whether the personal information is encrypted;
    • who accessed or could have accessed the personal information.

C. Follow Form and Content Requirements When Reporting to the Authority:

  1. Ensure that the report is in writing.
  2. Understand that organizations can use their own form if it includes all required reporting content in its jurisdiction.
  3. At minimum, ensure that the notice contains:
    • a description of the Breach’s circumstances and its cause, if known;
    • the Breach date or time period of occurrence, or an approximation if neither is known;
    • a description of the affected personal information;
    • the number of affected individuals, if known, or an approximation;
    • any steps the organization took to reduce or mitigate harm;
    • any steps the organization took or intends to take to notify individuals; and
    • contact information for a person that can answer questions about the Breach on the organization’s behalf.
  4. Supplement the initial notice with further information as it arises.

D. Follow Form and Content Requirements When Notifying Affected Individuals

  1. Ensure that the notice contains:
    • a description of the Breach’s circumstances;
    • the Breach date or time period of occurrence, or an approximation if neither is known;
    • a description of the affected personal information;
    • steps the organization took to reduce or mitigate harm;
    • steps affected individuals can take to reduce or mitigate harm; and
    • contact information affected individuals can use to obtain more information.

E. Determine the Best Way to Notify Affected Individuals

  1. Unless the organization must provide indirect notice, directly notify all affected individuals by:
    • in-person contact;
    • telephone;
    • mail;
    • email; or
    • any other form of communication reasonably appropriate in the circumstances.
  2. Understand that affected individuals must receive indirect notice if:
    • direct notice is likely to further harm them;
    • direct notice is likely to cause undue hardship for the organization; or
    • the organization does not have the affected individual’s contact information.
  3. If indirect notice is appropriate, organizations must provide it by public communication or a similar method that is likely to reach affected individuals, for example:
    • public announcements in online or offline newspapers;
    • prominent messaging on the organization’s website.

F. Determine Whether to Notify Additional Organizations

  1. Notify any other organization or government institution that can help mitigate or reduce the risk of harm, for example:
    • law enforcement if the Breach involves a stolen device containing personal information; and
    • payment card processors if the Breach involves individuals’ credit card data.
  2. Provide notice as soon as feasible after determining the existence of the Breach.

G. Maintain Appropriate Breach Records

  1. Keep a record of all Breaches, whether reportable or not, for two years after the day the organization determines the occurrence of the Breach.
  2. Ensure the records contain enough information for the governing body to verify the organization’s compliance with reporting and notice requirements, including at a minimum:
    • the date or approximate date of the Breach;
    • a general description of the Breach’s circumstances;
    • the kind of information involved;
    • whether affected individuals received notice of the Breach; and
    • whether the organization reported the Breach to a governing body/Authority (as applicable in Canada or the EU).
  3. Understand that the records should describe the type of personal information affected but need not include personal details.
  4. Consider whether other legal requirements exist that require the organization to keep Breach records beyond two years.
