Scope:

This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting Sensitive data.

Purpose:

The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.

Policy:

Reporting of suspected thefts, data breaches or exposures

Any individual who suspects that a theft, breach or exposure of ORFIL Protected data or ORFIL Sensitive data has occurred must immediately provide a description of what occurred via email to info@orangeretailfinance.com or ithelpdesk@orangeretailfinance.com. These email addresses are monitored by ORFIL’s Information Security team. This team will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If it has, the Information Security team will follow the appropriate procedure depending on the class of data involved.


If the incident is a suspected theft, ORFIL’s HR, Admin and IT Departments shall also be contacted. They will determine whether a local law enforcement agency should be contacted based on the location and details of the incident. If a local law enforcement agency is contacted, the name of the agency and the report number should be provided to ORFIL via the methods of contact outlined above.


Confirmed theft, data breach or exposure of ORFIL Protected data or ORFIL Sensitive data


As soon as a theft, data breach or exposure involving ORFIL Protected data or ORFIL Sensitive data is identified, removal of all access to the affected resource will begin without delay. If the information is available on a site outside of ORFIL, that site will be contacted to have the information removed as soon as possible.

The MD/COO/CIO will chair a response team to handle the breach or exposure. The team will include members from:

  • IT Team
  • Risk Management Team
  • The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
  • Additional departments based on the data type involved, as listed in the appendix
  • Additional individuals as deemed necessary by the CIO

If a theft of physical property occurred, the Admin Dept / Legal Dept will be notified by IT. The response team will provide information to Management regarding how the breach or exposure occurred, the types of data involved, the ORFIL classifications of those data types, any protective measures around the involved data (such as encryption), and the number of internal/external individuals and/or organizations impacted. The Risk Management Team will handle all communications about the breach or exposure. IT will work with the appropriate parties to remediate the root cause of the breach or exposure.


Confirmed theft, breach or exposure of ORFIL Public data


The CIO will be notified of the theft, breach or exposure, and will inform Management as soon as possible. IT will analyze the breach or exposure to determine the root cause and will work with the appropriate parties to remediate it. IT will also examine any involved systems to ensure that they did not also house any ORFIL Protected data or ORFIL Sensitive data. If the systems are found to also contain ORFIL Protected data or ORFIL Sensitive data, the CIO will be notified and the “Confirmed theft, data breach or exposure of ORFIL Protected data or ORFIL Sensitive data” section of this policy will be invoked. If a theft of physical property occurred, the HR, Admin and Legal teams will be notified by IT. The Legal Department will determine whether it is also necessary to notify other law enforcement agencies based on where the theft occurred.


Questions about this Policy:


If you have questions about this policy, please contact the Information Security team at info@orangeretailfinance.com.


Policy Adherence:

Failure to follow this policy can result in disciplinary action as provided in the Employment Guide or Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix:

For any data breaches, exposures, or thefts involving the data types listed below, a representative from the listed areas will be included on the response team:

Data Type | Areas or individuals to be additionally included on response team
Financial information, including but not limited to credit card numbers, bank account numbers, investment information, and budget information | CFO, Legal Team, Management
Information about individual employees, including but not limited to PF and ESI numbers | Human Resources
Customer financial information | Sales and Marketing Team, Management
Pilot and POC data | Tech Team
Payroll information | HR Head