Data Breach Process This policy outlines the process that ActiveClass will use in the event of a data breach.
Data security and safeguarding users’ privacy are paramount concerns for ActiveClass, that's why we have implemented a comprehensive set of security technologies, management and review policies, monitoring operations, and enforcement procedures to ensure that our platform and data security meets or exceeds governmental regulations, industry standards, and institutional requirements.
Data Breach Policy
Supporting these preventative measures, ActiveClass has established a set of prescriptive responses to be executed in the event of unauthorized data exposure. Data exposure occurs when restricted or confidential information is disclosed, exposed, or reasonably believed to have been disclosed or exposed to an unauthorized person, process, or system. ActiveClass' data exposure policy has been designed to ensure the following:
Earliest possible detection of a system or data security breach;
Rapid securing of the system and data to prevent further unauthorized exposure;
Responsive notification to users and other affected parties that confidential or personal information has been or may have been exposed or compromised by a breach in system security.
Data Breach Plan
In the event of a breach of security and potential unauthorized data exposure, the information security officer will oversee and execute a plan of action that conforms to the guidelines described in below. The exact plan of action to be executed and the sequence of the actions taken will depend on the type and scope of the breach in security, and will be determined by our development team.
Determine Scope of Security Breach
In all cases, the information security officer and support staff will quickly assess the status of the breach to determine whether the activity is ongoing. If the activity is ongoing, the security staff will take immediate requisite measures to stop the unauthorized activity in order to prevent any further data loss. Once the breach is isolated and stopped, the information security officer and support staff will begin to assess the extent of the breach, source and type of data involved, the amount of data, and affected organizations and system resources.
Assign an Incident Response Team
The information security officer will assemble an incident response team. The composition and charge of the team will depend upon the type of breach and resulting data exposure. The team will conduct a preliminary assessment and risk assessment and help develop a tailored incident response plan. Once the incident is contained, this team will also evaluate changes in processes, systems and/or policies to prevent a repeat event.
Manage Dissemination of Information
In order to ensure that only accurate, timely information that will not interfere with the ongoing investigation is released, only the information security officer will be authorized to provide information to any party outside of the incident response team.
Alert Administrative Team
The information security officer will alert the appropriate senior administrators including the ActiveClass executive team, client institution officials, system engineers, and other key players as warranted.
Identify Affected Institutions
The information security officer will work with institution officials, ActiveClass' Chief Technical Officer, ActiveClass' Director of Operations, and the incident response team to determine the identities of affected individuals and determine the extent of the data exposure.
Notify Affected Institutions
The information security officer will work with the Director of Engineering, Legal team, Head of Operations, and the incident response team to draft and execute a notification plan. The purpose of the plan is to provide a full, accurate, and timely notification that meets or exceeds all statutory requirements. In the case of high severity security issues, affected parties will be alerted immediately while indirectly affected parties will be alerted within twenty-four (24) hours. These legal requirements will vary on a state-by-state basis. Working with the appropriate parties, The information security officer and the incident response team notify all affected individuals and develop remediation strategies as appropriate and sufficient to the situation.
Maintain the Incident Resolution and Aftermath
The information security officer and the incident response team will continue to update and communicate response status, determine next steps, and develop a postmortem plan to review the efficiency and effectiveness of the response and develop future prevention and/or mitigation processes and procedures.