AIST Data Breach Response Plan

This Data Breach Response Plan (“Response Plan”) sets forth how the Association for Iron and Steel Technology (“AIST”) will respond in the event of a breach in the security of its information.  The Response Plan includes four primary stages: (1) verification and containment; (2) breach assessment; (3) notification; and (4) post-notification review. 

This Response Plan will be reviewed as set forth herein, and at least once per year, to determine whether updates or modifications should be made. This Response Plan applies to all breaches of information including, but not limited to, the personally identifiable information (“PII”) of AIST’s employees or members.
 
PII refers generally to any information concerning a natural person that can be used to identify that person (for example, a name or account number).  The definition of PII may vary by jurisdiction.  In the event of a suspected data breach, AIST will promptly determine which jurisdictions’ laws and regulations are applicable and determine whether the information compromised as a result of the breach meets the definition of PII in those jurisdictions. 
 
AIST will implement sufficient security measures to protect the information under AIST’s control or in AIST’s possession.  To the extent AIST contracts with any third party vendors to provide data storage, hosting, support, maintenance or other services, AIST will ensure third party vendors implement sufficient security protocols to protect AIST information under the vendor’s control or in the vendor’s possession.  AIST will also conduct periodic audits of third party vendors to ensure AIST’s security requirements are satisfied.   
 
AIST will take all steps reasonably necessary to ensure that all AIST employees are familiar with this Response Plan.  In the event an employee is aware of suspicious activity (for example, receiving suspicious emails) or suspects that a data breach has occurred, the employee should immediately report such activity to a member of the Data Breach Response Team. Members of the Response Team are set forth on Exhibit A, which may be updated from time to time if the members of the Response Team change. 
 
The Data Breach Response Team (“Response Team”) is responsible for managing AIST’s investigation of each suspected data breach and for complying with breach notification requirements.  The Response Team will determine the scope of the investigation, collect and document all relevant data, determine when to engage outside assistance (such as law enforcement and forensic experts), organize breach notifications and conduct a post-notification review to assess the effectiveness of this Response Plan and determine whether changes are needed. 
 
This Response Plan contains four primary stages.  However, investigating and responding to a data breach is rarely a linear process and these stages will likely overlap.  AIST will take steps to ensure adequate resources are allocated to each of the following phases of this Response Plan: (1) verification and containment; (2) breach assessment; (3) notification; and (4) post-notification review.  Each stage of this Response Plan is explained in more detail below, along with the actions to be completed during each stage.  

1. Verification and Containment 

The Verification and Containment stage of this Response Plan has two goals: (1) to verify whether a breach has occurred; and (2) if a breach has occurred, contain the breach and mitigate any further disclosure of or access to the compromised information. 

To determine whether a data breach has occurred, the Response Team will perform the following actions and document its findings:

  • Identify the affected systems or hardware and determine whether any other systems or hardware are at risk of being compromised. 

  • Identify which AIST employees, members or other users are currently logged into any affected systems.

  • Deactivate the profiles of any user that is suspected of engaging in activities that led to the data breach or would risk a future data breach.  

  • Prohibit access to AIST’s services by any employee, member or vendor that is suspected of engaging in activities that led to the data breach or would risk a future data breach. 

  • Determine all current connections to AIST’s computer systems and services and what processes are running on those systems and services.

  • Determine all open ports and their associated applications and services. 

  • Identify the origin of the breach.

  • Identify any virus, malware or other harmful code used in connection with the breach.

  • Determine the nature of the data maintained on the affected systems or hardware.

  • Determine the type of incident (internal or external).

  • Determine whether the incident was the result of an accident or of a malicious attack. 

  • Determine whether the incident exposed or is reasonably likely to have exposed AIST’s data or any data of an AIST member or other user of AIST’s systems. 

  • Determine whether PII was affected and the data elements that have been compromised.

  • Determine whether the breach resulted in the deletion, modification or change of AIST’s data and/or of PII.

If AIST determines that a data breach has occurred, AIST will take all steps reasonably necessary to contain the breach and prevent further disclosure of or access to the compromised information.  This may include taking affected machines offline, segregating affected systems, deleting hacker tools and immediately securing the area after any physical security breach.  AIST may also implement additional technical measures such as changing passwords, access codes and administrative rights. 

2. Breach Assessment

The Breach Assessment stage requires AIST to investigate the scope and nature of the data breach and to determine whether it is required to provide notice of the breach to any party.  To avoid further disclosure of compromised and/or sensitive information, the Response Team should communicate with each other by telephone or in-person meetings and avoid communicating via email.  
 
The Response Team will collect the information necessary to assess the data breach at the direction of legal counsel and take steps to invoke and preserve the attorney-client privilege wherever reasonably practical.  Written communications to or from AIST’s counsel  should clearly and explicitly marked as confidential, privileged and/or protected by the attorney work product doctrine.
 
To assess the data breach, the Response Team will perform the following actions and document its findings:

  • Take reasonable steps to preserve all data and evidence related to the data breach, including forensic evidence.

  • Collect and document information about the data breach, including: (i) how the breach was discovered; (ii) the date and time of the breach; (iii) the duration and the location of the breach; (iv) the files that were compromised (including what PII was accessed); (v) the number and identity of affected individuals; and (vi) whether the accessed information was encrypted.

  • With respect to each affected individual, the Response Team will identify which state (or, if outside the United States, which applicable jurisdiction) they reside in and determine whether the data breach triggers any data breach notification laws in that state or other jurisdiction.

  • Identify the type of information that was breached and determine whether the data breach triggers any additional statutory or regulatory obligations. 

  • Review AIST’s insurance policies to determine relevant coverage and notify the applicable carriers.

  • Determine AIST’s indemnification rights and obligations, including whether any third parties have any indemnification obligations to AIST as a result of the data breach.

  • Determine whether AIST should take any action against any employees, members or other users as a result of the breach.

If the Response Team determines that the data breach has triggered a reporting requirement, the Response Team will work with legal counsel to develop and execute a notification plan in accordance with Phase 3 of this Response Plan.

3. Notification 

The notification stage of the Response Plan consists of developing a notification plan and delivering notifications of the breach in compliance with applicable laws and regulations.  To prepare and execute this notification plan, the Response Team will:

  • Review with legal counsel the data breach notification laws and regulations of each state or other jurisdiction where an affected individual resides.

  • Determine requirements in the applicable states or other jurisdictions regarding  the timing of any required notice, the content to be included in the notice and whether other agencies must also be notified.  A template notification letter is attached to this Response Plan as Exhibit B.  This template may be modified as necessary to comply with AIST’s notification requirements and as otherwise recommended by legal counsel and/or the Response Team to protect AIST.

  • Determine the mode of communication that the Response Team will use to notify affected individuals (for example, by email or mail) and whether AIST will post a notice on its website regarding the data breach.

  • Determine whether AIST will send the notifications itself or will engage a third party to mail or email the required notification letters to affected individuals and/or respond to telephone calls and email messages related to the breach.

  • Determine whether remediation services such as credit card monitoring or identity theft insurance will be offered to affected individuals.

  • Determine if any other agency must be notified of the data breach, including any credit reporting agency, attorney general’s office or law enforcement. 

After the Response Team has developed a notification plan that satisfies AIST’s notification obligations, the Response Team will implement the notification plan. 

4. Post-Notification Assessment

After the notification plan has been completed, the Response Team will complete the final stage of the Response Plan, which is a Post-Notification Assessment of the breach and AIST’s response.  The goal of this assessment is to evaluate the performance and efficiency of the Response Plan and the Response Team and determine whether improvements can be made to the Response Plan, AIST’s computer systems and/or AIST’s security protocols. 

  • Review all policies, procedures and protocols relevant to the breach and determine whether changes should be made, including changes to any security standards.

  • Evaluate the effectiveness of this Response Plan and suggest ways to improve AIST’s response to future data breaches. 

  • Review AIST’s relationship with any relevant vendors and determine whether the relationship should be maintained or whether AIST should change the process by which it evaluates the adequacy of data protection and security by its vendors.

  • Determine whether AIST employees need more training with respect to data security issues and schedule times for performing this training. 

  • Determine whether any additional services, hardware or software should be acquired to reduce the risk of future data breaches.

In addition to performing a post-notification assessment, AIST will take reasonable steps, on an on-going basis, to maintain the security of its information.  These steps will include conducting periodic audits of AIST’s internal security controls and also the security controls of AIST’s vendors.