CHELSEA LOGISTICS DOC CODE: IT

INFORMATION
AND IT-SECURITY-002A
SECURITY
INFRASTRUCTURE Effectivity:
GROUP
HOLDINGS CORP.
2024
Issue/Rev: 1
BREACH NOTIFICATION
Supersedes:
Prepared by: Reviewed by: Committee Approved by:
Maria Katherine A. Agbay Enrico P. Peralta
CHRYSS ALFONSUS V.
DAMUY
Efren M. Efren M. Bernardino Jr Reynaldo A. Phala President & CEO
Bernardino Jr.

Marie Gizelle D. Del Pozo Ma. Henedina V. San Juan

IT Head

Sherlyn R. Guerzon

I. Purpose

The purpose of this policy is to define for Chelsea Logistics Holdings Corp. (CLC) how to
respond to security and/or privacy incidents or suspected privacy and/or security incidents that
result in a breach of PERSONAL DATA and/or CONFIDENTIAL DATA.

II. Policy

CLC shall establish a process to notify individuals if their sensitive data has been breached and
it is believed such a breach will cause harm to the individual. This includes individual
notification, law enforcement notification, if applicable, and NPC notification and breach
notification documentation.

CLC shall require business associates to notify CLC timely if business associates are responsible
for a breach of personal records. This includes CLC notification, business associate
documentation requirements and business associate financial responsibility regarding the cost
to CLC to notify individuals, law enforcement, and any related damages, tangible and
intangible.

III. Procedure

General Breach Notification Requirements:

1
1. The Privacy and Security Incident Response Team (PSIRT) shall initiate breach notification if
warranted as part of the privacy and/or security incident response mitigation phase.
2. The communications officer shall initiate individual notification in the event of a breach of
unsecure PERSONAL DATA and/or CONFIDENTIAL DATA, electronic and non-electronic, if
required.
3. Electronic PERSONAL DATA and/or CONFIDENTIAL DATA is considered unsecure if it is not
encrypted in accordance with the CLC standards. Non-electronic PERSONAL DATA and/or
CONFIDENTIAL DATA is considered unsecure if it is not shredded or otherwise completely
destroyed.
4. The CLC Designee, shall review the PSIRT investigation findings and work with the privacy
and security officer to conduct a risk assessment to determine if the breach will cause
financial, emotional, physical, etc. harm to the individual(s) whose unsecure PERSONAL
DATA and/or CONFIDENTIAL DATA was breached.
5. If it is determined that harm will be caused to the individual(s) involved in the breach, the
Privacy and Security Officer shall initiate breach notification.

6. If it is determined that no harm will be caused by the breach, notification is not required
and the PSIRT shall document a risk assessment was conducted and it was determined that
the breach would not cause harm to individuals whose PERSONAL DATA and/or
CONFIDENTIAL DATA was breached.

7. The privacy and security officer may delay notification if law enforcement is notified and law
enforcement requests a delay in notification to assist with the investigation process.
8. If the PERSONAL DATA and/or CONFIDENTIAL DATA is considered secure, the PSIRT shall
document the breach following an investigation and document that breach notification is not
required.

9. Such documentation shall be retained for a minimum of six years.

Breach Notification Process:

Breach Notification Steps Shall Include –

1. If breach notification is required, IT & DPO will first be notified.

2. Law enforcement may, by written request ask that notification be delayed to assist with
conducting a criminal investigation. Privacy and Security Officer shall require law
enforcement to provide written notice requesting a delay in notification.

3. Notice shall be made as soon after the breach as is feasible but no later than 60 days from
the date the breach is discovered or from the date on which the CLC business associate
notified CLC of a breach discovered by the business associate.

Chelsea Logistics and Infrastructure Holdings Corp. Proprietary

18F, Udenna Tower Rizal Drive Cor., 4TH Avenue Bonifacio Global City,
Taguig City 1634 Philippines
4. Notification will be made to the individual or next of kin of the individual (if the individual is
deceased) by:

a. First class mail

b. E-mail (if that is considered the normal communication vehicle by the individual)

c. Substitute notice (if applicable)

5. Substitute notice will be made by CLC if CLC does not have current or complete contact
information for ten (10) or more individuals that need to be notified.

6. Substitute notice in the event of incomplete contact information shall include prominently
posting information about the breach and contact information (including a toll free number)
on CLC’s public web site for a minimum of 90 days or notification of major media in the
geograpersonal data area where individuals where data was breached reside.

7. The toll free number must be active for a minimum of 90 days.

8. Substitute notice will also be made if the breach involved 500 individuals or more.

9. If the breach involves 500 or more individuals, affected individuals shall also be notified by:

a. First class mail

b. E-mail (if that is considered the normal communication vehicle by the individual)

10. Notification shall include the following information:

a. A description of the incident in general terms

b. The approximate date of the breach of security

c. The type of PERSONAL DATA and/or CONFIDENTIAL DATA breached

d. CLC contact information, including a toll free number to contact CLC

e. Advice to the individual to report suspected identity theft to law enforcement,

including the Federal Trade Commission and other related information to assist the
individual in mitigating damages and avoid identity or medical identity theft

f. Brief description of what CLC is doing to investigate the incident, mitigate damages
and protect against like breaches in the future

Chelsea Logistics and Infrastructure Holdings Corp. Proprietary

18F, Udenna Tower Rizal Drive Cor., 4TH Avenue Bonifacio Global City,
Taguig City 1634 Philippines
11. Substitute notice for a breach involving 500 or more members consists of notification of
major media in the geograpersonal data area where individuals where data was breached
reside, including a toll free number.

12. If the breach involved the breach of unsecure PERSONAL DATA and/or CONFIDENTIAL
DATA of 500 individuals or more in more than one geograpersonal data area or state,
Privacy and Security Officer shall notify major media in the different geograpersonal data
areas or states.

13. Such notification (individual, Web and/or major media) is the responsibility of CLC even if
the business associate was responsible for the breach.

14. If the breach involved 500 individuals or more, Privacy and Security Officer will notify OCR
as soon as feasible following the breach.

15. If the breach involved less than 500 individuals, Privacy and Security Officer will maintain a
breach log including all of the information related to the breach and the name of individuals
involved in the breach.

16. The breach log will be reported to OCR annually within 60 days from the end of the
calendar year.

17. The individual’s disclosure accounting will be updated to reflect a breach occurred resulting
in inappropriate disclosure of PERSONAL DATA and/or CONFIDENTIAL DATA.

18. All documentation related to appropriate breach notification shall be retained for a minimum
of six years.

Business Associate Requirements:

1. The business associate is required to report any breach involving unsecured PERSONAL
DATA and/or CONFIDENTIAL DATA to CLC within five business days of the breach.

2. The business associate is required to include in the report to CLC:

a. Individual names

b. Individual or individual’s next of kin’s (if the individual is deceased) contact

information (if known)

c. A description of the incident in general terms

d. The approximate date of the breach of security

Chelsea Logistics and Infrastructure Holdings Corp. Proprietary

18F, Udenna Tower Rizal Drive Cor., 4TH Avenue Bonifacio Global City,
Taguig City 1634 Philippines
 e. The type of PERSONAL DATA and/or CONFIDENTIAL DATA breached

f. Brief description of what the business associate is doing to investigate the incident,
mitigate damages and protect against like breaches in the future.

3. The business associate is responsible for reimbursing CLC for any costs associated with the
breach including but not limited to:

a. Staff time to prepare notification

b. Mailing costs

c. Substitute notice costs (including costs to modify CLC’s web site)

d. The cost of the toll free line

e. Associated legal costs and/or fees

f. Staffing costs associated with addressing individual’s questions and concerns

g. Any intangible costs associated with damage to CLC’s reputation, erosion of trust,
business losses associated with erosion of trust, etc.

APPLIES TO:

Privacy and Security Officer

Designee
Privacy and Security Incident Response Team
Communications officer
Legal counsel
Workforce members
Business Associates

Chelsea Logistics and Infrastructure Holdings Corp. Proprietary

18F, Udenna Tower Rizal Drive Cor., 4TH Avenue Bonifacio Global City,
Taguig City 1634 Philippines