IT-007 Breach Notification (Updated Version)
INFORMATION AND SECURITY INFRASTRUCTURE GROUP
CHELSEA LOGISTICS HOLDINGS CORP.
IT-SECURITY-002A
BREACH NOTIFICATION
Effectivity: 2024
Issue/Rev: 1
Supersedes:
Prepared by / Reviewed by / Committee / Approved by:
Maria Katherine A. Agbay
Enrico P. Peralta
Chryss Alfonsus V. Damuy
Efren M. Bernardino Jr.
Reynaldo A. Phala, President & CEO
Sherlyn R. Guerzon
I. Purpose
The purpose of this policy is to define for Chelsea Logistics Holdings Corp. (CLC) how to
respond to security and/or privacy incidents or suspected privacy and/or security incidents that
result in a breach of PERSONAL DATA and/or CONFIDENTIAL DATA.
II. Policy
CLC shall establish a process to notify individuals if their sensitive data has been breached and
it is believed such a breach will cause harm to the individual. This includes individual
notification, law enforcement notification, if applicable, and NPC notification and breach
notification documentation.
CLC shall require business associates to notify CLC in a timely manner if business associates are
responsible for a breach of personal records. This includes CLC notification, business associate
documentation requirements and business associate financial responsibility regarding the cost
to CLC to notify individuals, law enforcement, and any related damages, tangible and
intangible.
III. Procedure
1. The Privacy and Security Incident Response Team (PSIRT) shall initiate breach notification if
warranted as part of the privacy and/or security incident response mitigation phase.
2. The communications officer shall initiate individual notification in the event of a breach of
unsecure PERSONAL DATA and/or CONFIDENTIAL DATA, electronic and non-electronic, if
required.
3. Electronic PERSONAL DATA and/or CONFIDENTIAL DATA is considered unsecure if it is not
encrypted in accordance with the CLC standards. Non-electronic PERSONAL DATA and/or
CONFIDENTIAL DATA is considered unsecure if it is not shredded or otherwise completely
destroyed.
4. The CLC Designee shall review the PSIRT investigation findings and work with the privacy
and security officer to conduct a risk assessment to determine if the breach will cause
financial, emotional, physical, etc. harm to the individual(s) whose unsecure PERSONAL
DATA and/or CONFIDENTIAL DATA was breached.
5. If it is determined that harm will be caused to the individual(s) involved in the breach, the
Privacy and Security Officer shall initiate breach notification.
6. If it is determined that no harm will be caused by the breach, notification is not required
and the PSIRT shall document that a risk assessment was conducted and that it was determined
that the breach would not cause harm to individuals whose PERSONAL DATA and/or
CONFIDENTIAL DATA was breached.
7. The privacy and security officer may delay notification if law enforcement is notified and law
enforcement requests a delay in notification to assist with the investigation process.
8. If the PERSONAL DATA and/or CONFIDENTIAL DATA is considered secure, the PSIRT shall
document the breach following an investigation and document that breach notification is not
required.
2. Law enforcement may, by written request, ask that notification be delayed to assist with
conducting a criminal investigation. The Privacy and Security Officer shall require law
enforcement to provide written notice requesting a delay in notification.
3. Notice shall be made as soon after the breach as is feasible but no later than 60 days from
the date the breach is discovered or from the date on which the CLC business associate
notified CLC of a breach discovered by the business associate.
b. E-mail (if that is considered the normal communication vehicle by the individual)
5. Substitute notice will be made by CLC if CLC does not have current or complete contact
information for ten (10) or more individuals that need to be notified.
6. Substitute notice in the event of incomplete contact information shall include prominently
posting information about the breach and contact information (including a toll-free number)
on CLC’s public web site for a minimum of 90 days, or notification of major media in the
geographic area where the individuals whose data was breached reside.
8. Substitute notice will also be made if the breach involved 500 individuals or more.
9. If the breach involves 500 or more individuals, affected individuals shall also be notified by:
b. E-mail (if that is considered the normal communication vehicle by the individual)
f. Brief description of what CLC is doing to investigate the incident, mitigate damages
and protect against like breaches in the future
12. If the breach involved the breach of unsecure PERSONAL DATA and/or CONFIDENTIAL
DATA of 500 individuals or more in more than one geographic area or state, the
Privacy and Security Officer shall notify major media in the different geographic
areas or states.
13. Such notification (individual, Web and/or major media) is the responsibility of CLC even if
the business associate was responsible for the breach.
14. If the breach involved 500 individuals or more, the Privacy and Security Officer will notify OCR
as soon as feasible following the breach.
15. If the breach involved fewer than 500 individuals, the Privacy and Security Officer will maintain a
breach log including all of the information related to the breach and the names of the individuals
involved in the breach.
16. The breach log will be reported to OCR annually within 60 days from the end of the
calendar year.
17. The individual’s disclosure accounting will be updated to reflect that a breach occurred resulting
in inappropriate disclosure of PERSONAL DATA and/or CONFIDENTIAL DATA.
18. All documentation related to appropriate breach notification shall be retained for a minimum
of six years.
1. The business associate is required to report any breach involving unsecured PERSONAL
DATA and/or CONFIDENTIAL DATA to CLC within five business days of the breach.
a. Individual names
f. Brief description of what the business associate is doing to investigate the incident,
mitigate damages and protect against like breaches in the future.
3. The business associate is responsible for reimbursing CLC for any costs associated with the
breach including but not limited to:
b. Mailing costs
g. Any intangible costs associated with damage to CLC’s reputation, erosion of trust,
business losses associated with erosion of trust, etc.
APPLIES TO: