Introduction

ProjectManager takes the management of any and all customer data very seriously. This ProjectManager Data Breach Policy is designed to help us manage any personal data breaches, should they occur, in a timely and effective manner.

Additionally, per the European Union’s new 2018 General Data Protection Regulations (GDPR) Regulations, companies that process any EU customer data that could fall under the GDPR category of “personal data”, must have clear plans in place outlining their policies in the event of a breach of that data.

The term “data breach” generally refers to any unauthorized access of data. As ProjectManager processes personal data for a variety of business purposes from both customers in the EU and around the world, ProjectManager is required to make reasonable security arrangements to protect that personal data to prevent such unauthorised use, access or disclosure.

Scope

This policy is designed to help our customers understand our policies, and the implementation and fulfillment applies to all ProjectManager employees, including contractors. All employees and contractors must read this policy and comply with its terms. Any amendments or modifications to this policy will be circulated to all employees and contractors prior to adoption.

Our Data Protection Officer (DPO) has responsibility for the implementation of this policy.

Training

All employees and contractors have received training on this policy, and any new employees will receive training within 30 days of hire. If there are any substantial changes to this policy, additional trainings may be required.

Applicable Legislation Considerations

GDPR 2016/679 (GDPR)

According to the European Commission, Personal Data is defined as: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

This regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU.

Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.

Personal Data

ProjectManager gathers Personal Data for business operations as relates to the GDPR definition defined for EU residents.

Personal Data may include:

  • User profile information such as full name, photograph, telephone number and email address
  • Billing account information to process authorized transactions
  • Any data you provide to us as defined in the Privacy Policy and Terms of Use.

Causes

Data breaches can happen in a number of ways. They might be due to human error, malicious activities or computer errors.

Human Error

Data breaches might occur by such Human Error causes as:

  • Data is lost or stolen, like computers, phones, thumb drives, or even paper records
  • Data is errantly disclosed (eg. to the wrong recipient)
  • Data is mismanaged in an unauthorised way (eg: downloading copies of personal data to a personal machine)
  • Data is disclosed due to unauthorised access (eg: shared logins or passwords)
  • Data is disposed of incorrectly (eg: improper or ineffective deletions or hardware resets to factory defaults)

Malicious Activities

Malicious activities causes may include:

  • Hacking, such as attempts at illegal access to databases or via the API
  • Theft, such as of computers, company data storage devices, or paper records
  • Scammers, such as tricking employees or contractors into releasing customer data

Computer Error

Computer Error types of causes may include:

  • Bugs or coding errors in ProjectManager’s platform, mobile app, or API
  • Fails of 3rd party cloud services (eg. Amazon Web Services) or cloud storage (eg. LiquidWeb) related to security or authentication or authorization systems

Reporting Breaches

All employees and contractors are required to report attempted, actual or potential data breaches. This allows us to take the legal and required steps to:

  • Investigate any potential failures of security
  • Remediate any breaches as soon as possible
  • Register any compliance failures
  • Notify customers and the relevant authorities, where relevant

Per the GDPR regulations, ProjectManager’s DPO is legally obliged to notify the Supervisory Authority within 72 hours of the data breach (Article 33), and individuals have to be notified if adverse impact is determined (Article 34). Additionally, ProjectManager is required to notify any affected customers without undue delay after becoming aware of a personal data breach (Article 33).

ProjectManager is not required to notify the data subjects if anonymized data is breached. Per the GDPR, a notice to data subjects is not required “if the data controller has implemented pseudonymisation techniques like encryption along with adequate technical and organizational protection measures” to the personal data affected by the data breach (Article 34).

ProjectManager Data Breach Team

The ProjectManager Data Breach Team (PMDBT) consists of the DPO and CTO, who both have the responsibility to make time-sensitive decisions on what action to take to contain and manage the reported incident.

Contact the PMDBT immediately if you confirm or suspect a data breach.

Reporting EU-Impacted Breaches

In the event where EU individuals are impacted by a reported security breach, and specifically there might be a cause for public concern or where there is a risk of harm to a group of affected individuals, it is required that ProjectManager notify the relevant authority (each EU state has distinct supervisory authorities).

If impacted individuals reside in Singapore, the PDPC must be notified as following: cia info@pdpc.gov.sg with the e-mail subject “[Data Breach Notification]” organizations may also contact the commission at +65 6377 3131.

Notifications should articulate the following information:

  • Extent of any data breach
  • Amount and type of personal data potentially breached
  • Suspected cause of the breach
  • Whether the breach has been resolved
  • Plans and processes put in place as a result of the breach
  • Whether affected individuals were notified and when
  • Contact details within ProjectManager for authority

As the supervising authority decides whether organizations have reasonably protected personal data, notifications to the authorities should include details and be followed up on by ProjectManager officers. If complete information of breach is not yet available, ProjectManager should send interim updates on incident and follow up when full details are available.

How to Respond to a Data Breach

BREACH MANAGEMENT PLAN

The Data Breach Team should immediately activate this CCARE data breach & response plan upon being notified of any data breach (whether just suspected or confirmed):

  1. Confirm if there was a Breach
  2. Contain any Breach of Personal Data
  3. Assess the Risks and Impact
  4. Report the Incident to the relevant authorities
  5. Evaluate our Response & Remediation in order to Prevent Future Breaches

1. CONFIRM IF THERE WAS A BREACH

The PMDBT needs to act as soon as it is made aware of a potential data breach. If it makes sense to do so, the team should first confirm whether the data breach has in fact occurred. Depending on the risk severity potential of an unconfirmed reported data breach, the team could go ahead and contain the breach at this stage.

2. CONTAIN ANY BREACH OF PERSONAL DATA

The following measures should be implemented in order to contain the breach, if applicable:

  • Disable any compromised systems
  • Determine which steps should be taken to minimize damage and/or to recover data losses
  • Isolate the causes of the data breach, and/or block external connections to the system
  • Prevent further unauthorized access to impacted systems
  • Reset compromised passwords and/or change access permissions to any compromised systems

3. ASSESS THE RISK AND IMPACT

ProjectManager should endeavour to understand the risks and impact of the data breach in order to assess any potential consequences to affected individuals, as well as to validate the steps required to notify any impacted individuals.

Risk and Impact on Individuals

  • How many people did the breach impact?
  • Was any personal data directly breached?
  • Does that personal data belong to customers, employees, contractors or minors? (Risk changes depending on the categories of different people.)
  • What types of personal data was involved in the breach?
  • What measures did we have in place at the time of the breach that might minimize its impact?

Risk and Impact on Organisations

  • What was the cause of the data breach?
  • Was the breach a singular event, or did it happen multiple times?
  • Who might gain access to the compromised personal data as a result of the breach?
  • Will the breached data affect any 3rd party transactions?

4. REPORT THE INCIDENT TO THE AUTHORITIES

Depending on the nature of the data that has been breached (eg. anonymized vs. non-anonymized), ProjectManager is required by law to notify EU affected individuals in the event of a personal data breach. This helps those impacted individuals to reduce the impact of the breach and safeguard their other personal data.

Who gets notified:

  • Any individuals when their personal data has been compromised.
  • Any relevant third parties such as banks, credit card companies or law enforcement.
  • PDPC / GDPR particularly if the data breach involves sensitive personal data.
  • Relevant authorities (eg: police) if there is suspected criminal activity and/or when investigatory evidence should be preserved (eg: theft or unauthorized system access by an employee.)

When are they notified:

  • Immediately for affected individuals if a data breach involves sensitive personal data.
  • After resolution, so they know when the data breach incident is over.

How are they notified:

  • Use common sense and consider the urgency of the situation and scope of the impact to determine the best communication method for affected individuals. Examples include: (e.g. email, phone, blog post, press releases, social media).
  • Communication notices should be written clearly and provide clear instructions on what affected individuals can do to protect their data and their privacy.

What to contain in the notification:

In communications to impacted individuals, transparency is key, where relevant and depending on the nature of the breach. Explain the following:

  • How and when the data breach occurred, and steps individuals can take to prevent their data further.
  • What ProjectManager is doing as a risk mitigation response to the risks brought about by the data breach.
  • Information on how individuals can get in touch with us to get further information.

5. EVALUATE OUR RESPONSE & REMEDIATION TO PREVENT FUTURE BREACHES

Upon resolution of the data breach, PMDBT should do a postmortem. The goals is to re-evaluate the protection and prevention processes currently in place to determine if they are sufficient going forward.

Questions to ask on policy:

  • Did we conduct regular security audits?
  • Can we streamline processes or introduce new ones to limit future damages?
  • Can we identify any loopholes in current protection measures related to our toolstack?
  • Are our security protocols for accessing and transmitting personal data sufficient? (eg. are they too accessible by employees without designated permissions?)
  • Do we need to re-evaluate any vendor or 3rd party provider relationships as a protection measure?
  • Did we adequately define the responsibilities of the handling of personal data by vendors and partners?
  • Should we develop additional data-breach scenarios?

Questions to ask about resources:

  • Do we have sufficient resources allocated to managing possible data breaches?
  • Do we need to contract with external vendors to help us manage our breach response?
  • Do employees and the PMDRT have enough resources to manage future incidents?

Employee Related Issues:

  • Are employees and contractors sufficiently alerted about security related issues?
  • Is enough training provided to the team about securing personal data, as well as breach reporting and management processes?
  • Has the team been sufficiently informed about key learnings from past data breaches?

Management Related Issues:

  • How is management communicated with and participating in data breach response and management?
  • Are the responsibilities and communications channels clear for future data breaches?

Compliance and Monitoring

All employees and contractors are required to observe this policy. We take compliance with this policy very seriously. Failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.

ProjectManager’s DPO has overall responsibility for this policy and will review and monitor this policy and its adherence by the team.