To provide guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of the data occurs.
In the case of a breach, Ambassify shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.
Ambassify Breach Policy
- Discovery of Breach: A breach shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to Ambassify (includes breaches by the organization’s Customers, Partners, or subcontractors). Ambassify shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Ambassify shall also begin the process of determining what external notifications are required or should be made.
- Breach Investigation: The Ambassify Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities. All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years. The Ambassify breach log is located on our Google Drive (private link).
- Risk Assessment: For an acquisition, access, use or disclosure of data to constitute a breach, it must constitute a violation of the Ambassify Privacy Rules. A use or disclosure of data that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rules and would not qualify as a potential breach. To determine if an impermissible use or disclosure of data constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of the impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form, noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating that all notifications were made to the appropriate Customers, or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
- Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
- The type and amount of data involved;
- The cause of the breach, and the entity responsible for the breach, either Customer, Ambassify, or Partner.
- The potential for significant risk of financial, reputational, or other harm.
- It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
- Timeliness of Notification: Upon discovery of a breach:
- notice shall be made to the affected Ambassify Customers no later than 24 hours after the discovery of the breach
- notice shall be made to the supervisory authority (GBA) in case of a personal data breach no later than 72 hours
- Content of the Notice: The notice shall be written in plain language and must contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured data that were involved in the breach (such as whether full name, password hashes, date of birth, home address, account number or other types of information were involved), if known;
- Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
- A brief description of what Ambassify is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which may include a telephone number, an e-mail address, a web site, or postal address.
- Methods of Notification: Ambassify Customers will be notified via email within the timeframe for reporting breaches, as outlined above.
- Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Ambassify shall maintain a process to record or log all breaches of unsecured data regardless of the number of records and Customers affected. The following information should be collected/logged for each breach:
- A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of Customers affected, if known.
- A description of the types of data that were involved in the breach (such as full name, password hashes, date of birth, home address, e-mail address, etc.), if known.
- Resolution steps taken to mitigate the breach and prevent future occurrences.
- Workforce Training: Ambassify shall train all members of its workforce on the policies and procedures. Workforce members shall also be trained as to how to identify and report breaches within the organization.
- Complaints: Ambassify must provide a process for individuals to make complaints concerning the organization’s or its Customers’ privacy policies and procedures, or its compliance with such policies and procedures.
- Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.
Ambassify Platform Customer Responsibilities
- The Ambassify Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured data shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify Ambassify of such breach. The Customer shall provide Ambassify with the following information:
- A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
- A description of the types of data that were involved in the breach (such as full name, password hashes, e-mail addresses, etc.), if known.
- A description of the action taken with regard to notification of users regarding the breach.
- Resolution steps taken to mitigate the breach and prevent future occurrences.
- Notice to Media: Ambassify Customers are responsible for providing notice to prominent media outlets at the Customer’s discretion.
Sample e-mail to Customers in Case of Breach
Dear [Name of Customer]:

I am writing to you from Ambassify NV, with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date], which occurred on or about [Insert Date]. The breach occurred as follows:

[Describe event and include the following information:]
* A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
* A description of the types of unsecured data that were involved in the breach (such as whether full name, password hashes, e-mail addresses or other types of information were involved), if known.
* Any steps the Customer should take to protect themselves from potential harm resulting from the breach.
* A brief description of what Ambassify is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
* Contact procedures for individuals to ask questions or learn additional information, which includes a telephone number, an e-mail address, web site, or postal address.

Other Optional Considerations:
* Recommendations to assist the customer in remedying the breach.

We will assist you in remedying the situation.

Sincerely,