Data Breach Prevention and Response Protocol

Risk Assessment and Incident Prevention

We recognize that preventing data security incidents is less costly than reacting to them after they occur. Thus, in addition to automated detection capabilities, as part of the Fourth Estate’s incident prevention policy, the security team will conduct routine risk assessments under the direction of the Technology Director.

The assessment will include a review of baseline activity logs and the security of all data repositories, ports, anti-virus products, application activity, usage data, email security, and intrusion detection.

Based on the outcome of the risk assessment, the organization will determine the presence of incident precursors and the need for security enhancements or reversion to a clean OS image.

If indicators of a breach are discovered, the risk assessment and the supporting documentation shall be fact specific and address:

  • An assessment of the accuracy of the indicators discovered and whether a breach has occurred;
  • Consideration of who impermissibly used the information or to whom it was impermissibly disclosed;
  • The type and amount of data involved;
  • The cause of the breach, and the entity responsible for the breach, either User, Fourth Estate, or Partner.


Discovery of Breach

A breach shall be treated as “discovered” as of the first day on which such a breach is known to Fourth Estate or, by exercising reasonable diligence, would have been known to the organization (this includes breaches by the organization’s users, partners, or subcontractors). Fourth Estate shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or partner of the organization.

For an acquisition, access, use or disclosure of data to constitute a breach, it must constitute a violation of the data privacy policy. A use or disclosure of data that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper procedures would not be a violation of the Privacy Policy and would not qualify as a potential breach. The organization has the burden of proof for demonstrating either that all required notifications were made to the appropriate users or that the use or disclosure did not constitute a breach.


Breach Investigation and Containment

Following the discovery of a potential breach, including unauthorized access to user data or unauthorized access to the technology stack, the organization shall:

  • Apply containment measures immediately;
  • In conjunction, launch an investigation and risk assessment;
  • Begin the process to notify users affected by the breach;
  • Determine what external notifications are required or should be made.

The Incident Response Team, constituted by the Technology Director and the Executive Director, shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others within or outside the organization as appropriate to contain, eradicate, and recover from the breach. They will identify other staff and departments within the organization who may need to participate in the investigation or its resulting response, including relationship managers and communication managers. They will also assess whether outside consultation with specialized expertise is required to complete the investigation, assess the breach, or provide the necessary security measures.

Incident prioritization is done by the Technology Director and the Executive Director. Prioritization is done on the basis of the safety and security of users, the confidentiality and integrity of user data, and the impact on organizational function.


Timeliness of Notification

Upon discovery of a breach, notice shall be made to the affected members and users no later than 72 hours after the discovery of the breach. Incidents will also be reported to relevant stakeholders, including donors and board members, and to the relevant authorities.


Content of the Notice

The notice shall be written in plain language and must contain the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of protected information that were involved in the breach, if known;
  • Any steps the user should take to protect user data from potential harm resulting from the breach;
  • A brief description of what Fourth Estate is doing to investigate the breach, to mitigate harm to individuals and users, and to protect against further breaches;
  • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or a postal address.


Methods of Notification

Fourth Estate users will be notified via email within the time frame for reporting breaches as outlined above.


Maintenance of Breach Information Log

If any organizational or user data is compromised, the following information will be collected and logged for each breach:

  • The current status of the incident
  • A summary of the incident
  • Indicators related to the incident
  • Other incidents related to this incident
  • Actions taken by all incident handlers on this incident
  • Impact assessments related to the incident
  • Contact information for other involved parties (e.g., system owners, system administrators)
  • A list of evidence gathered during the incident investigation
  • Comments from incident handlers
  • Next steps to be taken


Recovery

The security team will determine the best course of action for recovery. This includes restoring systems to normal operation, confirming that the systems are functioning normally, and remediating vulnerabilities to prevent similar incidents. Recovery may involve restoring systems from clean OS backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, or hardening network perimeter security.


Post-Incident Activity

A thorough analysis of each breach incident and handling process will be conducted by the security team in conjunction with Fourth Estate leadership. Lessons learned will be shared with relevant staff and organizational departments, and used to build more robust security systems.