Data Breach Notification Policy

Terms

Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information. Because many different types of information can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified using information that is linked or linkable to said individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information is made publicly available, in any medium and from any source, that could be combined with it to identify a specific individual (e.g. SSNs, name, DOB, home address, home email).

Breach

A breach is an unauthorized disclosure, unauthorized acquisition, unauthorized access, and/or any similar occurrence where a person other than an authorized user accesses PII or an authorized user accesses PII for other than an authorized purpose.

Monitoring

Users and systems are tested to determine their incident response capability and incident response effectiveness. Antera Software staff meets for tabletop exercises, designed to test the breach response procedure and to help ensure members of the Response Team are familiar with the plan and understand their specific roles.

Reporting

Antera Software employees and contractors with access to data and information systems must report all concerns, suspected breaches, or confirmed breaches. Core event information must be collected and reported: date of the incident, location of the incident, breached data, nature of the breach (loss of control, compromise, unauthorized access or use, other), and the suspected number of impacted individuals, if known.

A breach involving personally identifiable information (PII) in electronic or physical form must be reported to the CTO and CEO within one hour of discovering the incident. In terms of reporting, there should be no distinction between suspected and confirmed PII breach incidents.

Response Team

A Response Team will be formed to determine the level of risk to the impacted individuals, identify the appropriate remedy, and form a Breach Response Plan.

The Response Team will respond to all breaches and will perform an initial assessment of the risk of harm to individuals potentially affected.

This team will analyze reported breaches to determine whether a breach occurred, the scope of the information breached, the potential impact the breached information may have on individuals, and the potential impact on Antera Software.

This team consists of the manager of the area experiencing or responsible for the breach, the head of development, the head of systems, and the executive leadership team.

Notification

Notification Delays

Within the confines of the law, a notification may be delayed if a notification would potentially cause harm, including further breaches. Notification to affected parties may not occur or may be delayed if a national security or law enforcement agency determines that the notification will impede a criminal investigation.

Determination of Notification to Impacted Parties

The Response Team will determine whether a notification is necessary for all breaches under their purview. To determine whether notification of a breach is necessary, the respective team will determine the scope of the breach, to include the types of information exposed, the number of people impacted, and whether the information could potentially be used for identity theft. The team will also assess the likely risk of harm caused by the breach. Finally, the team will assess the level of risk and consider a wide range of harms that include harm to reputation and potential risk of harassment, especially when personal records such as health or financial records are involved.

Communication to Impacted Parties

In the event the decision to notify is made, every effort will be made to notify impacted parties as soon as possible unless otherwise precluded above. The notification shall contain details about the breach, including what information was compromised and whether credit monitoring will be offered. Initial notification shall be completed without undue delay from the time the incident was determined to be a breach.

Breach Response Plan Reviews

Antera Software will review reports, if any, from the Response Team detailing the status of each breach reported and consider whether it is necessary to take any action, which may include but is not limited to:

  • Developing or revising documentation
  • Updating the Data Breach Notification Policy
  • Updating the Data Breach Response Plan
  • Revising existing and/or implementing new policies to protect PII holdings
  • Improving training
  • Modifying information-sharing arrangements

Changes to this Data Breach Notification Policy

Antera reserves the right to update this Data Breach Notification Policy at any time. We will publish any changes to our Policy so that you are always aware of the information within it.