1. General Terms
1.1. This Incident Response Policy must be followed in the case of security Incidents that lead to a violation, or an imminent threat of violation, of security policies, acceptable use policies, or standard security practices (“Incidents”). This Incident Response Policy sets out the actions that INNOVA TECHNOLOGIES, LLC (“InnovA”, “us” or “we”) should take in the event of an Incident.
1.2. Incidents may be classified as Personal Data Breaches, which can materialize in the following types of violations:
- “Violation of Confidentiality” means the event of unauthorized or accidental disclosure of, or access to, Personal Data.
- “Violation of Availability” means the event of unauthorized or accidental loss of access to or destruction of Personal Data.
- “Violation of Integrity” means the unauthorized or accidental modification of Personal Data.
1.3. Any individual who suspects or is aware that an Incident has occurred must immediately report it to privacy@innovallc.com and provide a description to one or more of the following contacts, depending on the severity:
Jeff Olmstead (President) | 972-215-6080
Paul Rabalais (VP, Technology) | 682-225-3425
Randy Wanser (IT Security Engineer) | 682-215-9022
Howard Reid (Director Architecture & Strategy) | 817-458-1909
Dustin Reeves (Sr Network Engineer) | 325-999-6996
David Rogers (Enterprise Solutions Architect) | 817-490-6848
1.4. An Incident could include the following:
- Loss or theft of data or equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss);
- Inappropriate access controls allowing unauthorized use or access;
- Equipment failure;
- Human error (for example sending an email or SMS to the wrong recipient);
- Unforeseen circumstances, such as a fire or flood;
- Hacking, phishing and other attacks where information is obtained by deceiving whoever holds it.
1.5. The purpose of the Incident Response Policy is to:
- Detect Incidents and promptly determine their content;
- Assess and minimize the risk presented by Incidents to Data Subjects affected or potentially affected;
- Reduce or eliminate the risk represented by Incidents to InnovA;
- Record and document Incidents and implement any measures necessary to mitigate the impact of these Incidents or reduce the risk of future Incidents occurring.
2. Definitions
For the purposes of this Incident Response Policy, unless the context requires otherwise, the following terms shall have the meaning given below:
- “Controller” means the natural person or legal person, public authority or agency, which alone or jointly with others, determines the means and purposes of Processing Personal Data.
- “Data Subject” means an identified or identifiable natural person.
- “General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.
- “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “Personal Data” or “personal information” under the Applicable Law or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual and includes the Personal Data that Customer provides InnovA in connection with its use of InnovA Services.
- “Processing” and its cognates mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means a natural person or legal person, public authority or agency which Processes Personal Data on behalf of the Controller.
- “Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation, (ii) the public authority governing data protection, which has Supervisory Authority and jurisdiction over a Customer or (iii) any other competent public authority which has jurisdiction in relation to the Personal Data that is Processed under the Services provided by InnovA.
- “UK GDPR” means the UK General Data Protection Regulation, which supplements and sits alongside the Data Protection Act 2018.
3. Standard Incident Response Plan
PHASE 1: Detection of Incidents
- Discovery through internal research;
- Notification received from the Representative(s) acting on behalf of InnovA, such as the EU and/or UK Representative appointed in compliance with Article 27 of the GDPR and UK GDPR, respectively;
- Notification received from Processors, who must notify InnovA without delay once they have become aware of an Incident, regardless of whether or not it is likely to lead to a risk to the rights and freedoms of individuals;
- Notification received from a third party, such as law enforcement, regulators, media outlets, whistleblowers or open-source intelligence sources;
- Notification received from a Data Subject;
- Notification received from a Controller on whose behalf InnovA Processes Personal Data.
PHASE 2: Coordinating the Incident investigation team
- InnovA will urgently designate an Incident Response Team:
  - The Incident may affect several departments within InnovA. Therefore, the initial Incident Response Team may be extended to include other internal stakeholders, such as management, the legal department, the IT department, security and guarding personnel, the public relations / marketing department, and risk management / insurance;
  - In order to efficiently manage the Incident, InnovA may opt for the services of external consultants / experts, especially in cases where their services are needed to limit the damage. External counselors would ordinarily include lawyers, legal professionals and IT specialists;
  - Notification of the Internal Legal Department or the External Lawyer. It is important to involve the local legal team early in order to establish attorney-client privilege.
- Notification of the Controller(s) on whose behalf InnovA Processes Personal Data. Controllers must be kept up to date and provided with information throughout each Phase.
- InnovA will consider whether it is timely or necessary to make a notification to the police. Informing law enforcement authorities also allows authorities to develop a clearer picture of the types of cybercrime that occur in certain sectors.
- If an Incident has led to unauthorized payments from InnovA’s bank account to another bank account, consideration will be given to contacting the bank from or to whom unauthorized payments have been made to inform them about unauthorized payments and to attempt to stop or return unauthorized payments.
- If the bank or credit card data were compromised, InnovA will consider obligations under the card issuance agreement and inform the bank or credit card issuer.
- If InnovA has, through contractual clauses, undertaken to inform contractual partners or third parties of matters such as Incidents, it shall notify those parties to the extent required and within the required time limits.
PHASE 3: Documenting and analyzing the Incident
- Investigating the Incident:
  - As soon as possible after discovering an Incident, the investigating team should investigate if the Incident is ongoing, if the method used to commit the Incident is still active and if the vulnerability is still present and exploitable;
  - As soon as possible after discovering an Incident, InnovA must establish with reasonable confidence whether the Incident classifies as a Personal Data Breach. In such cases, InnovA, when acting as a Controller, should immediately consider the measures listed in Phase 5 below. When InnovA is acting as a Processor, the Controller(s) affected shall be immediately informed that the Incident classifies as a Personal Data Breach.
- Containing the Incident: The Incident Response Team should take action to ensure the limitation of the advancement of the Incident and to remove the source of the Incident and any remaining vulnerabilities.
- Recording Personal Data Incidents: The Incident Response Team will keep a record of Incidents; see Phase 7 of this Policy for details.
- Control Report: The Incident Response Team will draw up a control report to determine the causes of the Incident, the measures required and the elements that help identify the extent of the damage.
PHASE 4: The investigation procedure
- IT evaluation: The Incident Response Team should make a more detailed assessment of:
  - the way in which the Incident occurred, including the causes and vulnerabilities in question;
  - the data and systems that have been affected;
  - whether Personal Data, business secrets, IP or other confidential information have been compromised;
  - if Personal Data are involved, the number of individuals involved and where they are located;
  - the identity of stakeholders or Data Subjects who may be affected by the Incident (e.g. clients, customers, employees, etc.);
  - the parties that could have been responsible for the violation (e.g. third-party service providers and / or internal employees, etc.);
  - the existence and effectiveness of implemented technical and organizational measures, such as encryption of Personal Data;
  - the measures necessary for the closure of the Incident.
- Collect evidence during IT evaluation: Where appropriate, available legal proofs will be collected and retained, including evidence that might be relevant to actual or potential litigation. In this respect, InnovA will use the support of the Legal Department.
PHASE 5: Personal Data Breach – Notification and Record Keeping
- Notifying the Supervisory Authority.
  - Having determined that the Incident is classified as a Personal Data Breach, InnovA, as a Controller, must determine whether the Supervisory Authority should be notified. Unless the Personal Data Breach is unlikely to pose a risk to the rights and freedoms of individuals, InnovA will notify the Supervisory Authority within 72 hours of becoming aware of the Personal Data Breach. InnovA is considered to be “aware” of the violation when it has a reasonable degree of certainty that a Personal Data Breach has occurred;
  - InnovA should consider the following criteria in determining the level of risk:
    - type of infringement;
    - nature, sensitivity and volume of Personal Data;
    - ease of identification of individuals;
    - severity of consequences for individuals;
    - special characteristics of the individuals;
    - the number of individuals affected.
  - The risk threshold triggering notification to the Supervisory Authority is rather low.
  - Any question regarding compliance with the risk threshold should be addressed to the Legal Department of InnovA and / or the Data Subject.
  - InnovA should be aware that it can be sanctioned if it fails to notify the Personal Data Breach and the Supervisory Authority concludes that it should have been notified;
  - If InnovA decides to notify the Supervisory Authority, it must provide the following information:
    - the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and the categories and volume of Personal Data;
    - a contact point within InnovA for more information;
    - the likely consequences of the Personal Data Breach, in particular for the affected Data Subjects;
    - measures taken or proposed to be taken to address the Personal Data Breach;
    - measures taken or proposed to be taken to mitigate the consequences of the Personal Data Breach;
    - whether the infringement may affect Data Subjects in other EU Member States.
  - If all of this information is not available within the first 72 hours, InnovA may provide the remaining information in later phases as it becomes available. InnovA must provide the Supervisory Authority with the reasons for the delay in providing the additional information.
  - If InnovA makes an initial notification to the Supervisory Authority more than 72 hours after becoming aware of the Personal Data Breach, then, as with the provision of information in stages, it will need to provide reasons for the delay.
- Notification of Data Subjects.
  - If the Personal Data Breach is likely to lead to a high risk to the rights and freedoms of individuals, InnovA must communicate the Personal Data Breach without undue delay to each of the affected Data Subjects, unless:
    - InnovA has applied technical and organizational measures that render the Personal Data unintelligible to any person, such as encryption, and the encryption keys have not been affected by the Incident;
    - immediately after the violation, InnovA has taken steps to ensure that the high risk is no longer likely to materialize;
    - notification would involve a disproportionate effort, in which case a public announcement should be made instead; or
    - the requirement to notify the Data Subjects was discussed with the Supervisory Authority and the Supervisory Authority stated that the notification is not necessary.
  - The risk threshold leading to notification of the Data Subjects is higher than for notification of the Supervisory Authority, and factors such as those listed above should be taken into account in determining the degree of risk represented by the Personal Data Breach.
  - InnovA should be aware that if it decides not to notify the Data Subjects, it risks being sanctioned if, following the investigation of the Incident, the Supervisory Authority concludes that the Personal Data Breach should have been notified.
  - The notification must include:
    - a clear description of the nature of the Personal Data Breach with regard to the Personal Data, its likely consequences and possible mitigation actions;
    - any advice that helps those concerned to mitigate the impact of the infringement; and
    - the name and contact details of the person / department within InnovA responsible for the protection of Personal Data, who may provide further details of the Incident.
  - InnovA will consider the extent of involvement of the PR team / external counselors regarding the appropriate approach to, and the notification of, the Data Subjects. The Supervisory Authority may also advise on how to address the Data Subjects.
PHASE 6: Complaints and defense phase in front of the authorities
In the event of a complaint, claim, trial or action arising out of an Incident, InnovA will consider engaging an external lawyer to assess the risks revealed by such complaints as well as its defense capabilities.
PHASE 7: Keeping a Personal Data Breach Registry
- The details of all Incidents, including Personal Data Breaches, and the measures taken by InnovA should be recorded by the person / department responsible for conducting the Incident Response Plan in a dedicated data register (“Data Breach Register”). This register may be provided to the Supervisory Authority upon request.
- Details of Personal Data Breaches that have occurred should be recorded regardless of whether notification is required. In cases where notification is not considered necessary, it is recommended to record the reasons for not issuing the notification.