Data Breach Response Policy
Version 1.0.1 | Last Updated 2023-12-12 | APPROVED
1. Introduction
AccuCode AI Inc. is committed to protecting the privacy and security of the personal and sensitive information it collects, processes, and stores. This Data Breach Response Policy establishes the goals and procedures for responding to data breaches involving protected health information (PHI) and personally identifiable information (PII).
2. Scope
This Policy applies to all employees, contractors, and third-party partners of AccuCode AI who have access to PHI or PII in the course of their duties.
3. Definitions
- Data Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PII maintained by the Company.
- Personally Identifiable Information (PII): An individual's first name, or first initial and his or her last name, in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:
  - Social Security number;
  - Driver's license number or state identification card number;
  - Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  - Medical information (any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional);
  - Biometric data (data generated by automatic measurements of an individual's biological characteristics) and any other unique biological characteristics of an individual if used to uniquely authenticate the individual's identity for access to a system or account.
4. Roles and Responsibilities
- Information Security Officer (ISO): Responsible for overseeing the implementation of this Policy and ensuring compliance with applicable laws and regulations.
- Incident Response Team (IRT): Responsible for investigating and responding to data breaches, as directed by the ISO. The IRT shall include representatives from Legal, IT, Human Resources, and other departments as necessary.
- All Employees: Responsible for immediately reporting any suspected data breaches to the ISO or IRT.
5. Incident Response Procedures
- Identification: Any employee who becomes aware of a potential data breach must immediately notify the ISO or IRT.
- Investigation: The IRT will promptly investigate the reported incident to determine whether a data breach has occurred and the scope of the breach.
- Containment: If a data breach is confirmed, the IRT will take immediate steps to contain the breach and prevent further unauthorized access or disclosure.
- Notification: The ISO will notify affected individuals, clients, and regulatory authorities as required by applicable laws and regulations.
  - Notification to affected Arkansas residents shall be made in the most expedient time and manner possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
  - Notification is not required if, after a reasonable investigation, the Company determines there is no reasonable likelihood of harm to consumers.
  - If the affected class of persons to be notified exceeds 1,000, the Company must disclose the breach to the Attorney General at the same time it notifies the affected class, or 45 days after it determines there is a reasonable likelihood of harm to individuals, whichever is first.
- Remediation: The IRT will work with IT and other departments to identify and address any vulnerabilities that contributed to the breach.
- Documentation: The ISO will document the incident, including the response actions taken and any remediation measures implemented. The Company must retain a copy of the determination of the breach and any supporting documentation for five years from the date the breach was determined.
6. Training and Awareness
All employees will receive regular training on data privacy and security best practices, as well as their responsibilities under this Policy. The ISO will ensure that the Policy is widely communicated and easily accessible to all personnel.
7. Policy Review and Update
This Policy will be reviewed and updated annually, or more frequently as needed, to ensure it remains effective and compliant with applicable laws and regulations.
8. Enforcement
Violations of this Policy may result in disciplinary action, up to and including termination of employment or contract. AccuCode AI Inc. reserves the right to report violations to appropriate law enforcement authorities.
By implementing this Data Breach Response Policy, AccuCode AI Inc. demonstrates its commitment to protecting the privacy and security of the sensitive information entrusted to it, and to responding promptly and effectively, in compliance with Arkansas law, to any data breaches that may occur.