Incident Response Plan
Adopted: July 1, 2021
Updated: June 2022
The purpose of this Incident Response Plan is to provide general guidance to The Learning Consortium, LLC ("TLC") to enable quick and efficient recovery from security incidents; respond in a systematic manner to incidents and carry out the steps necessary to handle an incident; and minimize disruption to critical computing services or loss or theft of sensitive or mission critical information.
Security incidents are defined as events, often malicious or suspicious in nature, which interrupt normal business operations or impact the confidentiality or integrity of protected data. When a security incident is detected or reported, key first steps are to (1) contain the incident, (2) initiate an investigation of its scope and origins, and (3) decide if the security incident qualifies as a breach and whether notification procedures must be followed.
All applicable Employees/Staff and third parties working for TLC that may access TLC client data or TLC employee data, shall be aware of and follow this Plan in the event of a security incident.
At such times that a security incident may occur, it is important that TLC respond as quickly as possible. Steps that TLC will take in the event of a data security incident include:
Determination of the nature and scope of a security incident
Security incidents can be discovered or detected by anyone – administration, management, employees, third parties, vendors, law enforcement, or any other entity. Upon the occurrence of a security incident, TLC CEO shall be notified immediately. Upon TLC's notification of the security incident, TLC shall review its cybersecurity insurance policy and shall contact legal counsel as necessary to assist with determining, amongst other things: the nature of the security incident, affected individuals, and any potential mitigation. At this stage the following shall be documented: the identity of the person reporting the security incident (name, contact info, etc.), record of the location, timeframe, and apparent cause of the security incident and a preliminary assessment of confidential data that may be at risk.
Upon consultation with legal counsel, TLC may begin to determine:
a. Whether access to personal information has been compromised.
b. The type of information that may have be compromised.
c. What systems and/or services, if any, have been compromised or are involved.
d. Whom, if anyone, is involved.
e. Whether any service providers are involved.
f. What resources and/or personnel are needed to resolve the incident.
g. The severity of the incident based on risk and applicable law.
h. The location of the individuals whose sensitive information may be affected.
2. Investigation of security incident
TLC shall, in consultation with legal counsel and necessary third party experts, investigate the security incident and ensure compliance with applicable state, federal and international laws. This investigation of the security incident may include, but not be limited to: 1) confirmation/inventory of confidential materials at risk; 2) determining if security measures were defeated or circumvented; 3) gathering forensic evidence; 4) assessing the likelihood of recovering data (or stolen equipment); and 5) utilizing outside assistance, such as an Information Security Consultant or forensic team, if needed.
3. Assessment of security incident
TLC shall, in consultation with legal counsel and necessary third party experts, promptly take steps as necessary, appropriate, and feasible, to effect password changes and other security measures to prevent further security incidents as well as to identify individuals affected by the security incident (e.g., those whose loss of sensitive information may put them at risk of identity theft or other adverse consequences).
TLC shall, in consultation with legal counsel and necessary third party experts, determine the scope of the security incident and make a determination if a reportable breach has occurred under applicable state, federal, and international law. TLC may consult with legal counsel to make this determination as necessary.
4. Evidence Preservation
TLC shall direct appropriate internal or external third-party experts to capture and preserve evidence related to the security incident during investigation, analysis, and response activities. TLC shall consult with legal counsel, as necessary, to establish appropriate evidence handling and preservation procedures and reasonably identify and protect evidence for information security incidents.
5. Remediation
TLC shall, in consultation with legal counsel and necessary third party experts, take measures to determine if lost data can be restored from backups. TLC shall take appropriate steps to determine if lost data can be neutralized by changing account access and ID information and any other necessary steps as appropriate.
6. Notification of security incident
If TLC, in consultation with legal counsel and necessary third party experts, determines that the security incident rises to a reportable data breach under applicable law, TLC shall comply with applicable state, federal, and international laws pertaining to breach notification requirements. In addition, TLC shall comply with any contractual obligations as it pertains to security incident notification requirements.
TLC shall notify its cybersecurity insurance carrier according to the terms and conditions of its current policy, including filing a claim, if appropriate. The contact information of TLC’s insurance provider, Hanover Insurance Company, is 1-800-628-0250.
7. European Union General Data Protection Regulation (GDPR):
To the extent that a personal data breach comprises the data of an individual located in the European Union, compliance with the GDPR is required. Upon belief of a security incident that may implicate the GDPR, legal counsel may be contacted to assist with compliance.
Upon the occurrence of a data breach that implicates the GDPR, TLC shall without undue delay and, where feasible, notify the data breach to the appropriate Supervisory Authority within seventy-two (72) hours after having become aware of the data breach.
8. Post-Incident Follow-Up
In completion of the incident response, the following steps should be taken:
a. Restore affected systems, programs, and data. The system administrators will remediate the immediate compromise and restore the host to normal function. This is most often performed by reinstalling the compromised host; although if the investigation confirms that the attacker did not have root/administrator access other remediation plans may be effective.
b. Determine whether procedures taken during the incident were adequate. Implement additional procedures as needed.
c. If the incident was the result of a service provider breach, perform an assessment to determine if changes need to be made regarding the relationship between TLC and the service provider.
d. Conduct a "lessons learned" session to identify potential improvements. TLC shall implement recommendations presented as necessary throughout TLC. TLC shall train employees, staff, and coaches on "lessons learned" as appropriate to mitigate the potential for future security incidents.
e. Whenever there is an incident, regardless of whether such security incident gives rise to a reportable data breach, there shall be a post-incident review of events and actions taken. This review shall be cataloged in a security incident register and shall be maintained in accordance with TLC's retention policy.
TLC shall determine whether changes to TLC's security practices are required to improve the security of sensitive information for which TLC is responsible. TLC and individuals appointed to mitigate risk shall meet to review protocols and update as necessary.
These security incident procedures shall be reviewed annually.