Data Breach Policy

Introduction

This policy explains how our organization will respond in the event of a data breach of personal or organisational data. InfoTiles collects limited personal data as described in our Privacy Policy. InfoTiles takes care to protect all data from incidents to avoid a data protection breach that could compromise security.

Purpose and Scope

InfoTiles is obliged under the laws and regulations in the countries in which it operates to have an approved framework for ensuring the security of all personal and organisational data during its lifecycle. This document details the procedure for ensuring a consistent, effective and compliant response to any possible information security events. The purpose of this document is to contain any breaches and minimise downstream consequences of breaches as well as to prevent further breaches.

This policy relates to all personal and organisational data managed by InfoTiles, regardless of format. It applies to all staff, including temporary staff, student interns and suppliers and data processors working for or on behalf of InfoTiles.

Customers of InfoTiles have the ability to upload data to the InfoTiles platform. In the event that a customer suffers a data protection breach unrelated to InfoTiles, InfoTiles will coordinate with the customer to limit the risk associated with such a breach. Such events are beyond the scope of this document unless the breach is a direct consequence of InfoTile's actions.

Terminology

An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to information assets and/or reputation.

An incident may include but is not restricted to, the following:

• loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, tablet device, or paper record);
• equipment theft or failure
• system authentication or authorisation failure
• sharing of passwords or other credentials with third parties
• sharing of user account passwords with other users
• system compromise or failure preventing access to data
• unauthorised use of, access to or modification of data or information systems
• attempts (failed or successful) to gain unauthorised access to information or IT system(s)
• unauthorised disclosure of sensitive/confidential data
• human error
• social engineering

Definitions:

CTO: Chief Technology Officer
DPO: Data Protection Officer
DPA: Data Protection Authority
DPIA: Data Protection Impact Assessment
EDPS: European Data Protection Supervisor
GDPR: General Data Protection Regulation
ICO: Information Commissioner's Office (UK)
NCSC: National Cybersecurity Centre (UK)
NIS directive: Network and Information Systems NIS directive
Organisational Data: Data that is non-personal in nature, but is nevertheless sensitive. Including but not limited to process data, telemetry, asset data, geographical information systems data.
Personal Data: Information that relates to an identified or identifiable individual.

Reporting an Incident

All InfoTiles staff are responsible for reporting an incident to the following communication channels:

• InfoTiles MS Teams #security channel; tagging @channel. This is important as it will record the beginning of the incident timeline. Do not provide details, just report that an incident has occurred.
• Direct verbal communication to CTO (Pedja Bihor) &  DPO (Magne Eide). This step may be omitted if you receive acknowledgement via MS Teams within 5 minutes.

People who are not employed by InfoTiles can confidentially inform us of incidents via our security vulnerability reporting page.

The CTO and DPO will coordinate to request full and accurate details of the incident including when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. Please start compiling these details after you have posted an alert to Slack and remember not to post these details to a non-private channel as it could lead to further unauthorised disclosure.

Staff should be aware that any breach of Data Protection laws may result in disciplinary procedures.

Containment

The CTO and DPO will coordinate to determine if the breach is active. If so they will take appropriate steps to minimise the effects of the breach. Advice from partners may be sought to resolve the incident quickly and effectively. If customer actions may help contain an active breach the DPO will promptly contact the affected customer(s) to provide guidance on how they can limit the breach.

Investigation

The DPO and CTO will fully investigate the incident within 24 hours of reporting. The investigation will include consideration of factors such as:

• the type of data involved;
• its sensitivity;
• the protections are in place (e.g. encryptions);
• what has happened to the data (e.g. has it been lost or stolen;
• whether the data could be put to any illegal or inappropriate use;
• data subject(s) affected by the breach, number of individuals involved and the potential
• effects on those data subject(s);
• whether there are wider consequences to the breach.

After the incident has been resolved, the DPO will launch a post incident review to determine the root cause of the incident and put in place corrective actions to prevent a recurrence. The review will consider:

• where and how personal and organisational data is stored and how it is secured
• where the biggest risks lie including identifying potential weak points within existing security measures
• whether methods of transmission are secure
• staff awareness
• revising the data breach plan
• whether the internal response was adequate
• whether affected or non-affected customers need to be advised to implement investigations or changes to their own procedures.

If necessary, the CTO and DPO will lead the implementation of changes to policy and procedure based on the findings of the post mortem.

Notification

The DPO will consult with colleagues to determine whether relevant government bodies will need to be notified of the breach. If so, the DPO will notify the relevant government bodies according to the directives on their respective websites. The list of relevant government bodies includes