Mandatory Data Breach Notification Policy
Last updated: 2024-09-23
Apsis Labs believes that access to Personally Identifiable Information (PII), and especially Protected Health Information (PHI), is a privilege not to be taken lightly. Our customers, and the customers of our clients, trust that we will be responsible stewards of their data and that we will not abuse our access to privately held information for personal gain or malevolent purposes.
In short, our commitment is to treat your data the way we would treat our own data. To that end, Apsis Labs is committed to providing timely and appropriate notice when there is a reasonable belief that any form of PII held by Apsis Labs has been compromised by a data breach.
The purpose of this policy is to outline how Apsis Labs will respond to incidents involving data breaches. It will define the steps and procedures that will be followed when those breaches occur, and how we will notify our clients or customers of unauthorized access to data.
This policy applies to all information and assets to which Apsis Labs has access, unless otherwise agreed to in writing with our customer or client.
Definitions
Data Breach: An incident in which an actor, whether internal or external, known or unknown, has gained unauthorized access to PII held by Apsis Labs. For the purposes of this definition, PII does not include information reasonably considered to be public; information that has been voluntarily shared with Apsis Labs for the purpose of sharing it with third parties; or information that has previously been made public by its owner.
Access to information for a legitimate purpose is not considered a data breach, so long as the accessed PII is not used for an unlawful or explicitly unauthorized action.
Personally Identifiable Information: Apsis Labs defines PII in accordance with the CCPA (which uses the term "personal information") as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Protected Health Information: Apsis Labs defines PHI in accordance with HIPAA as:
“[I]ndividually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”
Policy
Reporting Responsibilities
All affiliates of Apsis Labs, including (but not limited to) Partners, Employees, and Contractors, must report suspected or actual data breaches immediately to a Partner or to [email protected]. Examples of incidents that must be reported include, but are not limited to:
- Physical or remote access by an unknown individual to any resource managed by Apsis Labs
- Evidence of unauthorized or unexplained access to a system which stores PII or PHI
- Unauthorized sharing of credentials which provide access to PII or PHI
- Identification of software bugs which may have exposed PII or PHI to unauthorized parties
- Loss or theft of a device which is authorized for access to PII or PHI
- Unauthorized access to an apsis.io email account
- Documents, files, or images containing PHI or PII sent to the wrong recipient
Data Breach Procedures
Upon receipt of a report of a data breach, Apsis Labs will:
- Determine whether a data breach has occurred.
- If a data breach is determined to have occurred, contain the breach so that no further unauthorized access is possible, taking care that containment actions do not destroy evidence.
- Once contained, assess the scope and impact of the data breach.
- Preserve all evidence used during the determination and assessment of a data breach for future analysis.
- Document all steps taken during the determination and assessment for further review.
- Notify affected customers, clients, or users that a breach has occurred, as described under Notification below.
Notification
Apsis Labs will provide electronic written notification of a data breach within 30 days of the conclusion of the internal assessment process. Depending on the nature of the data breach, this notification will be provided to our client or customer, or to the individual owner of the accessed PII, unless another mechanism of notice has been agreed upon in writing. Where a written agreement with a client or customer specifies a shorter notification period, that period applies.
If the nature of the breach prevents notification in writing (for example, access to PII for which there is no associated mechanism for notification), substitute notice will be provided by placing a conspicuous notice of the breach on the Apsis Labs website for a minimum of 30 days.
The written notification will include, at a minimum:
- A description of the data breach
- A timeline of the data breach
- A summary of the steps taken to contain the breach
- An assessment of the scope of the breach
- An email address to contact with further questions regarding the breach