Rezzly
DATA BREACH RESPONSE POLICY
Last Updated: July 6, 2020
This Data Breach Response Policy explains the goals and vision for how Rezzly Education Technologies, LLC ("Rezzly") responds to data breaches.
Audience

We are publishing this Data Breach Response Policy to focus significant attention on data security and data security breaches and how our established culture of openness, trust, and integrity should respond to such activity. We are committed to protecting our users, employees, partners, and ourselves from illegal or damaging actions by individuals, either knowingly or unknowingly.

While this policy is intended for the internal reference by Rezzly in response to data breaches, we are making it visible to all users and the public in the spirit of transparency. We may change this Data Breach Response Policy from time to time. When we make changes, we will revise the date at the top of this policy.

Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Sensitive Data of Rezzly users, employees, and partners.
Alerting

When any Rezzly employee or contractor suspects that a theft, breach, or exposure of Sensitive Data has occurred, this policy requires that person to immediately provide a description of what occurred by e-mail to privacy@rezzly.com.

This e-mail address is monitored by Rezzly's Information Security Administrator. The Information Security Administrator will investigate all reported thefts, data breaches, and exposures to confirm whether a theft, breach, or exposure has occurred. If one has occurred, the Information Security Administrator will notify the Chief Executive Officer to begin Rezzly's response.

Response

As soon as a theft, breach, or exposure of Sensitive Data is identified, the process of removing all access to the affected resource will begin.

Establish Incident Response Team

The Chief Executive Officer will be notified of the theft, breach, or exposure. The Chief Executive Officer will chair an incident response team to handle the breach or exposure.

The team will include members from:

  • Engineering / IT
  • Finance (if applicable)
  • Legal
  • Customer Service
  • Any other departments that use the involved system or output or whose data may have been breached or exposed
  • Any other individual or forensic investigators deemed necessary by the Chief Executive Officer, based on the data and systems involved

The incident response team will designate members of the team to analyze the breach or exposure to determine the root cause.

Develop Communications Plan

The incident response team will decide how to communicate the breach to internal employees, the public, and Directly Affected Persons.

Directly Affected Persons will be notified of the breach or exposure as soon as reasonably possible once the following is known or estimated: when the data was breached, what data content was included, and the estimated breadth of exposure. Rapid notification is preferred over awaiting exact details.

Where a Directly Affected Person is determined to be a minor, notification will be made to at least one adult responsible for the minor. The quest group creator or teacher who enrolled the minor in any active quest groups is to be notified. Where Rezzly has the email address of the minor's parent in the minor's profile, the notification is also to be sent to that address.

Plan and Implement Security Improvements

The incident response team will prepare a written plan for improvements to data security or data handling that are expected to reduce or eliminate future theft, breach, or exposure. The improvement plan is to be based primarily on what is learned from the incident and the investigation of its root cause. The improvement plan will be provided to the Chief Executive Officer and the Information Security Administrator.

The Chief Executive Officer is responsible for ensuring appropriate implementation of the improvement plan.

The incident response team may provide information from the improvement plan to internal employees, the public, or Directly Affected Persons in later notifications only where the sharing of that information does not compromise the additional security intended from those improvements.

Definitions
Directly Affected Person(s)
Any person(s) whose PII was included in the theft, breach, or exposure of Sensitive Data.
encryption
A highly effective way to support data security. To read an encrypted file, one must have access to a secret key or password that enables them to decrypt it.
encrypted data
Data that has been protected by encryption and not readable without a secret key or password.
Personally Identifiable Information (PII)
Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered personally identifiable information.
plain text
Data that is unprotected by encryption and readable without a secret key or password. Also called unencrypted data.
Sensitive Data
PII data, whether encrypted or in plain text, that has been entrusted to be protected by Rezzly under Rezzly's Privacy Policy.

Data Breach Response Policy Changes

Date Reason
Jul. 21, 2020 Removed company phone number (no longer in service); use email instead.
Jul. 6, 2020 Minor typographical corrections; add link to privacy policy
Jul. 3, 2020 Initial version