We are publishing this Data Breach Response Policy to focus significant attention on data security and data security breaches and how our established culture of openness, trust, and integrity should respond to such activity. We are committed to protecting our users, employees, partners, and ourselves from illegal or damaging actions by individuals, either knowingly or unknowingly.
While this policy is intended for internal reference by Rezzly in response to data breaches, we are making it visible to all users and the public in the spirit of transparency. We may change this Data Breach Response Policy from time to time. When we make changes, we will revise the date at the top of this policy.
When any Rezzly employee or contractor suspects that a theft, breach, or exposure of Sensitive Data has occurred, this policy requires that person to immediately provide a description of what occurred via e-mail to firstname.lastname@example.org.
This e-mail address and phone number are monitored by Rezzly’s Information Security Administrator. The Information Security Administrator will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach, or exposure has occurred. If a theft, breach, or exposure has occurred, the Information Security Administrator will notify the Chief Executive Officer to begin Rezzly's response.
As soon as a theft, breach, or exposure containing Sensitive Data is identified, the process of removing all access to that resource will begin.
The Chief Executive Officer will be notified of the theft, breach, or exposure. The Chief Executive Officer will chair an incident response team to handle the breach or exposure.
The team will include members from:
- Engineering / IT
- Finance (if applicable)
- Customer Service
- Any other departments that use the involved system or output or whose data may have been breached or exposed
- Any other individual or forensic investigators deemed necessary by the Chief Executive Officer, based on the data and systems involved
The incident response team will designate members of the team to analyze the breach or exposure to determine the root cause.
The incident response team will decide how to communicate the breach to internal employees, the public, and Directly Affected Persons.
Directly Affected Persons will be notified of the breach or exposure as soon as reasonably possible once the following is known or estimated: when the data was breached, what data content was included, and the estimated breadth of exposure. Rapid notification is preferred over awaiting exact details.
Where a Directly Affected Person is determined to be a minor, notification will be made to at least one adult responsible for the minor. The quest group creator or teacher that enrolled the minor in any active quest groups is to be notified. Where Rezzly has the email address of the minor's parent in the minor's profile, that email is to also be sent the notification.
The incident response team will prepare a written plan for improving any data security or data handling practice that is expected to reduce or eliminate future theft, breach, or exposure. The improvement plan is to be based primarily on what is learned from the incident and the investigation of its root cause. The improvement plan will be provided to the Chief Executive Officer and the Information Security Administrator.
The Chief Executive Officer is responsible for ensuring appropriate implementation of the improvement plan.
The incident response team may provide information from the improvement plan to internal employees, the public, or Directly Affected Persons in later notifications only where the sharing of that information does not compromise the additional security intended from those improvements.