A. The purpose of this data breach response policy (“Policy”) is to establish the goals and the vision for the data breach response process. This Policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms.
B. This Policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.
C. Damansara Technology Sdn. Bhd. (“DTech”) intention in publishing this Policy is to focus significant attention on Personally Identifiable Information and data security breaches. DTech is committed to protecting itself, its holding company, its subsidiaries, its related companies, its employees, and its affiliates from any illegal or damaging action by individuals (including hackers), whether taken knowingly or unknowingly.
D. This Policy mandates that any individual who suspects that a theft, breach or exposure of Sensitive Data has occurred must immediately provide a description of what has occurred via e-mail to firstname.lastname@example.org, or by calling 03-2081 2688. These contact channels are monitored by DTech’s authorized personnel.
E. The Team (see paragraph 3.0(C)) will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has in fact occurred. If it has, the Information Security Administrator will follow the appropriate procedure in place.
This Policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Personally Identifiable Information.
3.0 POLICY: CONFIRMED THEFT, DATA BREACH OR EXPOSURE OF SENSITIVE DATA
A. As soon as a theft, data breach or exposure involving Sensitive Data is identified, the process of removing all access to the affected resource will begin.
B. The Executive Director will chair a Team to handle the breach or exposure.
C. The Team will include members from:
(i) IT Department;
(ii) Company Secretary;
(iii) Legal Department;
(iv) Corporate Planning and Transformation (“CPT”);
(v) Personal Data Protection Officer;
(vi) Finance (if applicable);
(vii) Human Resources (if applicable);
(viii) IT Forensic Team/Consultant (if applicable); and/or
(ix) any employee of DTech and/or its related companies as may be determined by the Executive Director.
D. The Executive Director will be notified of the theft, breach or exposure. The IT Department, together with the designated IT forensic team, will analyze the breach or exposure to determine the root cause.
3.1 Work with IT Forensic Investigator
Where DTech’s cyber insurance policy provides for it, the insurer will provide access to IT forensic investigators and experts who will determine how the breach or exposure occurred, the types of data involved, the number of internal and external individuals and/or organizations affected, and the root cause of the breach or exposure.
3.2 Develop a communication plan
Work with the Communications Department, Legal Department and CPT to decide how to communicate the breach to:
i. internal employees;
ii. the public;
iii. those directly affected; and/or
iv. relevant authorities.
3.3 Ownership and Responsibilities
A. The Data Protection Officer is a member of DTech’s personnel, designated and appointed by the Executive Director or the Director of DTech, who provides administrative support for the implementation, oversight and coordination of personal data and security procedures and systems with respect to specific information resources, in consultation with the relevant Sponsors.
B. Users include all employees of DTech to the extent they have authorized access to information resources, and may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
C. The Team shall be chaired by the Executive Director and shall include, but not be limited to, the departments or their representatives listed in paragraph 3.0(C) above.
A. Any DTech personnel found in violation of DTech’s data protection policy may be subject to disciplinary action, up to and including termination of employment.
B. Any third party related to DTech found in violation of DTech’s data protection policy may have their network connection terminated.
C. The Executive Director may lodge a report to the relevant authority regarding any breach or theft before or after the conclusion of an investigation.
“Personally Identifiable Information” means any data that could potentially identify a specific individual, including any information that can be used to distinguish one person from another or to de-anonymize anonymous data.
“Sensitive Data” means protected data in the possession of DTech, whether encrypted or in plain text, that contains Personally Identifiable Information.
“Team” means incident response team as prescribed under paragraph 3.0 (C) of this Policy.
As at September 1, 2019