DATA BREACH POLICY

 

In the event a data breach was to take place, your personal information and security is the highest priority to us. We ensure you that we will do our due diligence to follow Guidelines set by the Federal Trade Commission (FTC) to ensure we follow proper protocols in alerting our patients.

 

SECURE OPERATIONS

 

We will move quickly to secure our systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. We will take steps so it doesn’t happen again. We will mobilize our breach response team right away to prevent additional data loss.

 

WE WILL ASSEMBLE A TEAM OF EXPERTS

 

To conduct a comprehensive breach response, we will have investigators determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

 

WE WILL SECURE PHYSICAL AREAS

 

To ensure our patient information and all areas surrounding the breach is secure, we will take the necessary steps to lock any securities and change access codes, if needed. We will work with experts and law enforcement to determine when it's reasonable to resume regular operations.

 

WE WILL STOP ADDITIONAL DATA LOSS

 

We will take all affected equipment offline immediately— won’t turn any machines off until the forensic experts arrive. We will closely monitor all entry and exit points, especially those involved in the breach. When possible, we will put clean machines online in place of affected ones. In addition, we will update credentials and passwords of authorized users.

 

WE WILL REMOVE IMPROPERLY POSTED INFORMATION FROM THE WEB.

 

Our website: If the data breach involved personal information improperly posted on our website, we will immediately remove it. We are aware that internet search engines store, or “cache,” information for a period of time. We will contact the search engines to ensure that they don’t archive personal information posted in error.

Other websites: We will search our company’s exposed data to make sure that no other websites have saved a copy. If we find any, we will contact those sites and ask them to remove it.

 

WE WILL INTERVIEW PEOPLE WHO DISCOVERED THE BREACH.

 

We will also talk with anyone else who may know about the breach. We will document our complete investigation.

 

FIX VULNERABILITIES

 

SERVICE PROVIDERS

 

If any our providers are involved, we will examine what personal information they can access and decide whether we need to change their access privileges. We will ensure those providers take the necessary steps to make sure another breach does not occur. We will follow up with those providers to ensure they have fixed things on their end.

 

NETWORK SEGMENTATION

 

We will have forensics experts analyze whether our segmentation plan is effective in containing the breach.

 

WORK WITH FORENSICS EXPERTS

 

We will look into whether encryptions are enabled there is a breach. We will analyze backup or preserved data, review logs to determine who had access to the data at the time of the breach, analyze who has access, and determine if that access is needed, and appropriately restrict such access if it isn't already. We will verify the types of information that was compromised, the number of individuals affected, and whether we have contact information for those individuals.

 

NOTIFY APPROPRIATE PARTIES

 

COMMUNICATIONS PLAN

 

We will reach out to all affected audiences - employees, customers, patients, investors, business partners, and providers by email, and letter.

 

NOTIFY LAW ENFORCEMENT

 

We will contact our local police department, Auburn Police Department, immediately. All reports of the situation and the potential risk for identity theft will be documented. If our local police department is unfamiliar with protocols involving such data breach, we will contact our local office of FBI or the U.S. Secret Service. For incidents involving mail theft, we will contact the U.S. Postal Inspection Service.

 

IF BREACH INVOLVES ELECTRONIC HEALTH INFORMATION

 

We will check if we’re covered by the Health Breach Notification Rule. If so, we will notify the FTC and in some cases, the media. We will comply with the FTC’s Health Breach Notification Rule explaining who we must notify, and when. We will also check if we’re covered by the HIPAA Breach Notification Rule. If so, you will notify the Secretary of the U.S. Department of Health and Human Services (HHS) and in some cases, the media. HHS’s Breach Notification Rule explains who we must notify, and when.

 

Health Breach Resources

HIPAA Breach Notification Rule

HHS HIPAA Breach Notification Form

Complying with the FTC’s Health Breach Notification Rule

 

NOTIFY AFFECTED BUSINESSES

 

If account access information—say, credit card or bank account numbers—has been stolen from us, but we don’t maintain the accounts, we will notify the institution that does so it can monitor the accounts for fraudulent activity.

 

If we collect or store personal information on behalf of other businesses, we will notify them of the data breach.

 

If names and Social Security numbers have been stolen, we will contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, we will advise the credit bureaus if we are recommending that people request fraud alerts and credit freezes for their files.

 

Equifax: equifax.com or 1-800-685-1111

Experian: experian.com or 1-888-397-3742

TransUnion: transunion.com or 1-888-909-8872

 

NOTIFY INDIVIDUALS

 

We will quickly notify individuals that their personal information has been compromised, so that they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, we will consider:

 

  • state laws
  • the nature of the compromise
  • the type of information taken
  • the likelihood of misuse
  • the potential damage if the information is misused

 

We will ensure that we:

  • Consult with our law enforcement contact about the timing of the notification so it doesn’t impede the investigation.
  • Designate a point person within our organization for releasing information. We will give the contact person the latest information about the breach, responses, and how individuals should respond. We will contact individuals by letters, websites, and toll-free numbers to communicate with people whose information may have been compromised. If we don’t have contact information for all of the affected individuals, we will build an extensive public relations campaign into your communications plan, including press releases or other news media notification.
  • Clearly communicate what we know about the compromise. We will include the following:
    • How it happened
    • What information was taken
    • How the thieves have used the information (if we are aware)
    • What actions we have taken to remedy the situation
    • What actions we are taking to protect individuals, such as offering free credit monitoring services.
    • How to reach the relevant contacts within our company.
    • Inform Individuals as to what steps they can taken, given the type of information was exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports and contact the IRS Identity Protection Specialized Unit at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed.
  • Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov.
  • Will provide information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement.
  • Encourage individuals who discover that your information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database available to civil and criminal law enforcement agencies.
  • Describe how we will contact consumers in the future. 

OUR LETTER

 

In the event of a data breach, we will send out the following letter to notify individuals whose names and Social Security numbers have been stolen. When Social Security numbers have been stolen, it’s important to us that we advise our customers and patients to place a free fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with stolen information because it’s a signal to creditors to contact the consumer before opening new accounts or changing existing accounts. If a breach is to take place, we advise consumers to consider placing a credit freeze on their file.

 

WATTSWERKS

Date: [Insert Date]

 

NOTICE OF DATA BREACH

 

Dear [Insert Name]:

We are contacting you about a data breach that has occurred at WATTSWERKS, LLC.

 

What Happened?

[We will describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if we know)].

 

What Information Was Involved?

This incident involved your [we will describe the type of personal information that may have been exposed due to the breach].

 

What We Are Doing

[We will describe how we are responding to the data breach, including: what actions we’ve taken to remedy the situation; what steps we are taking to protect individuals whose information has been breached; and what services we are offering (like credit monitoring or identity theft restoration services).]

 

What You Can Do

We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for one year. You can renew it after one year.

 

Equifax: equifax.com or 1-800-685-1111

Experian: experian.com or 1-888-397-3742

TransUnion: transunion.com or 1-888-909-8872

 

Request that all three credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Thieves may hold stolen information to use at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

 

If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to get recovery steps and to file an identity theft complaint. Your complaint will be added to the FTC’s Consumer Sentinel Network, where it will be accessible to law enforcers for their investigations.

 

You also may want to consider contacting the major credit bureaus at the telephone numbers above to place a free credit freeze on your credit file. A credit freeze means potential creditors cannot get your credit report. That makes it less likely that an identify thief can open new accounts in your name.

 

We have enclosed a copy of Identity Theft: A Recovery Plan, a comprehensive guide from the FTC to help you guard against and deal with identity theft. We’ve also attached information from IdentityTheft.gov about steps you can take to help protect yourself from identity theft, depending on the type of information exposed.

 

Other Important Information

[We will provide other important information here.]

 

For More Information

Email us or go to wattswerks.com. We will provide updates via Google Posts, Facebook, Email, and by Mail.

 

Sincerely,

 

WATTSWERKS INC