WaterSmart works diligently to minimize the possibility of data breach. For more information, please review WaterSmart’s information security policy, which documents our approach to security and our technical safeguards. In the case of a data breach, this document describes our core approach for responding to these events in a predetermined and organized manner across our entire organization.
A data breach is an event in which data intended to be protected from unauthorized access is inappropriately exposed.
- GENERAL APPROACH
WaterSmart’s general approach to response will include the following steps:
- Documentation of events prior to and following discovery
- Immediate response
- Activation of the response team and legal counsel
- Clear and timely communication within the company about the issue and with Utility Partner as appropriate
- Instructions to the organization on responding to external inquiries
- Determination of law enforcement and regulatory agency inclusion
- Root cause analysis, remediation planning, and remediation
- Development of messaging and notification schedule to affected parties based on legal counsel
- Account management for the Utility Partner
- Determination of compensatory necessity based on legal counsel
- DISCOVERY AND DOCUMENTATION
Upon discovery of a data breach, WaterSmart will immediately record the date and time at which the breach was first suspected, and the date and time at which response efforts began.
Once the breach has been verified to include personally identifiable information (PII), we begin the documentation phase. Documentation about the breach should include everything known thus far. The necessary facts are:
- Who discovered it
- Who reported it
- To whom it was reported
- Who else knows about it
- What type of breach occurred
- When the breach occurred
- What systems are affected
- What was stolen or is missing
- Which Utility Partners, if any, are affected
- If the breach is active or on-going
After the facts are recorded, we will interview those involved in discovering the breach, as well as anyone else who may know about it, and document this investigation. The investigation record will include how the discovery was made and will distinguish what is known from what is suspected.
- IMMEDIATE RESPONSE
Depending on the nature of the breach, it may be appropriate to take some immediate response actions. These may include:
- Securing the premises in the case of a physical breach event
- Cordoning off areas to preserve evidence
- Isolating specific machines from broader networks
- Disabling certain internal facing tools
- Disabling certain customer-facing tools or products
Additionally, we will immediately take the following technical actions:
- Replace developer system SSH access keys
- Replace machine-to-machine internal system SSH access keys
- Revoke all laptop TLS client certificates and plan to reissue them
- Change employee passwords for key cloud-based systems and invalidate existing sessions, since a rotated password does not end a session an attacker already holds
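The key-replacement steps above, as an added example that is not WaterSmart's own tooling: a script that rewrites an OpenSSH authorized_keys file so that only freshly issued keys remain, reporting every removed key by its SHA256 fingerprint (the same value ssh-keygen -lf prints) so the team can record exactly what was revoked on each host. The key names, the sample key blobs and the file contents are constructed for the example.

```python
"""Rotate OpenSSH authorized_keys entries after a suspected key compromise.

Added example, not WaterSmart code. Assumes the standard authorized_keys line
format ([options] key-type base64-blob [comment]) and that the incident team has
the freshly issued public keys in hand. Sample keys below are constructed test
material, not real keys.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com")
# Key type preceded by start-of-line or whitespace, then the blob, then an optional comment.
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES)
                    + r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


@dataclass
class AuthorizedKey:
    options: str    # e.g. 'command="...",no-pty'; empty when absent
    key_type: str
    blob_b64: str
    comment: str

    def fingerprint(self) -> str:
        # Same value ssh-keygen -lf prints: SHA256 over the decoded key blob,
        # base64-encoded with the trailing padding removed.
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def line(self) -> str:
        return " ".join(p for p in (self.options, self.key_type,
                                    self.blob_b64, self.comment) if p)


def parse_authorized_keys(text: str) -> list:
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # unparseable entry; a real run should report it, not skip it
        options = line[:m.start(1)].strip()
        keys.append(AuthorizedKey(options, m.group(1), m.group(2), m.group(3) or ""))
    return keys


def rotate(current_text: str, replacement_text: str):
    """Return (new authorized_keys text, list of keys removed).

    Everything not in the replacement set is removed, whoever it belonged to:
    after a compromise the old file is evidence, not a trusted allowlist.
    """
    replacement = parse_authorized_keys(replacement_text)
    new_fps = {k.fingerprint() for k in replacement}
    removed = [k for k in parse_authorized_keys(current_text)
               if k.fingerprint() not in new_fps]
    new_text = "".join(k.line() + "\n" for k in replacement)
    return new_text, removed


# --- constructed sample data (not real keys) ---
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def make_ed25519_blob(seed: int) -> str:
    # 32 arbitrary bytes standing in for an Ed25519 public key, wrapped in the
    # OpenSSH wire format (type string, then key bytes).
    pub = hashlib.sha256(b"constructed-%d" % seed).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


OLD_KEYS = "\n".join([
    "# developer and machine keys before rotation (constructed sample)",
    f"ssh-ed25519 {make_ed25519_blob(1)} alice@laptop",
    f'command="/usr/bin/rsync --server",no-pty ssh-ed25519 {make_ed25519_blob(2)} backup@db01',
    f"ssh-ed25519 {make_ed25519_blob(3)} bob@laptop",
])
NEW_KEYS = "\n".join([
    f"ssh-ed25519 {make_ed25519_blob(5)} alice@laptop-2019-11",
    f'command="/usr/bin/rsync --server",no-pty ssh-ed25519 {make_ed25519_blob(6)} backup@db01-2019-11',
    f"ssh-ed25519 {make_ed25519_blob(4)} bob@laptop-2019-11",
])

if __name__ == "__main__":
    new_text, removed = rotate(OLD_KEYS, NEW_KEYS)
    for k in removed:
        print(f"removed {k.fingerprint()} {k.comment}")
    print(new_text, end="")
```

The old file is deliberately not used as an allowlist: any key not in the reissued set is removed regardless of who it belonged to, and the removed-key list goes into the incident record. The same pass covers the machine-to-machine keys (the command-restricted backup entry above) as well as developer keys; a key found on a host that never appeared in the build automation's inventory is itself a finding.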
- RESPONSE TEAM ACTIVATION
While documentation is ongoing, WaterSmart will alert and activate everyone on the response team, including necessary external resources, to begin executing our preparedness plan. A senior level manager such as the VP of Engineering or organizational unit head will be assigned as the incident manager. In accordance with our agreements with Utility Partners, if we believe a data breach includes data provided by one or more Utility Partners or their end users, we will also notify the Utility Partner of the suspected breach and provide regular updates throughout the rest of the process.
At the time of activation, the immediate priority of the response team is to assess our priorities and risks given what we know about the breach at the time. This risk assessment will provide context to inform all further decisions regarding the breach response timeline.
Our response team will include many members of our organization. The response team leadership committee includes:
- Chad Haynes, VP, Platform and Infrastructure Engineering: Coordination; Technical Discovery
- Ali Barsamian, Director of Marketing: Legal Counsel Liaison; Insurance Liaison; Law Enforcement Liaison; Compensatory Analysis
- Kevin Kern, CEO: Internal Communication; External Messaging
- Ora Chaiken, Director of Client Services: Utility Partner Notification; Client Services Team Training
The response team will also make recommendations as to the necessity or usefulness of retaining outside assistance; specifically, Legal Counsel or Technical Forensics.
These resolution partners may include:
- Silicon Valley Counsel (Legal)
- Kroll or AWS (Forensics)
- Law enforcement agencies including local police, the FBI, and/or the Department of Homeland Security
At the conclusion of the response team initiation phase, we will create a high-level overview of priorities and progress, as well as problems and risks. This should include a list of upcoming business initiatives that may interfere with response efforts. The response team will decide whether to postpone these efforts and for how long, in order to focus on the breach.
- INTERNAL COMMUNICATION
As the response team concludes the first phase of response planning, WaterSmart will communicate in a clear and timely fashion to all employees regarding the incident. The purpose of this dialog is to:
- Ensure a breach incident is never hidden
- Retain the trust of all employees with a high level of transparency
- Create an avenue for two-way communication and Q&A
- Explain to employees that the breach information must be kept confidential; no information may be communicated outside the organization at this time
- RESPONDING TO INQUIRIES
Employees may not discuss the breach with customers unaffected by the breach, the general public, or the press until explicitly given the go-ahead to do so and provided with a response guide by the breach response team. This is to make sure that no speculative comments or unverified information is spread unnecessarily.
WaterSmart will have a single point of contact for any potential inquiries, assigned by the response team member responsible for external communication. This response team member will also be responsible for training WaterSmart employees on inquiry response when the timing is appropriate.
- LAW ENFORCEMENT / REGULATORY
WaterSmart, under the supervision of the response team member responsible for legal and regulatory process, will first identify its legal obligations. This includes:
- Revisiting state and federal regulations governing our industry and the type of data involved in the breach
- Based on those regulations, determining all entities that need to be notified, e.g., customers, employees, the media, government agencies, regulatory boards, etc.
- Determining the correct timeline mandates for any possible notification requirements
At this phase, WaterSmart will also decide whether to retain specific assistance from legal counsel regarding the breach and its resolution. We will also decide which possible law enforcement agencies could be relevant to involve and if so, make appropriate notification.
- ANALYSIS AND REMEDIATION
Led by the response team member with technical discovery and remediation responsibilities, WaterSmart will begin a deep dive into the breach with an attempt to fully understand the timing and risk of the exposure.
Once the extent has been discovered and documented, the team will begin root cause analysis to identify the security flaw that created a breach opportunity.
The remediation effort will consist of the following phases:
- Fix the root issue that caused the breach
- Fully audit all existing systems for evidence that anything undesired was left behind (such as bots, attacker tooling, or persistence mechanisms)
- Fully audit all network traffic crossing the DMZ boundary to confirm that all outbound traffic is legitimately generated by WaterSmart systems
- Wipe and rebuild any of the affected machines
Since WaterSmart uses an almost entirely virtual infrastructure, all machines can be rebuilt from scratch using our machine build automation. This includes all network configurations and security certificates. Rebuilt machines receive newly issued keys and certificates rather than restored copies, since the originals are presumed compromised, and the build automation itself is reviewed for tampering before it is used for the rebuild.
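The DMZ-boundary traffic audit in the remediation list above, as an added example rather than WaterSmart's own tooling: detection logic run over constructed firewall flow records against a hypothetical expected-egress baseline. It flags outbound flows to destinations or ports no WaterSmart system should reach, large transfers even to approved destinations, and denied attempts, which matter because they show a host trying to reach out. The log format, the address ranges and the baseline are all assumptions made for the example.

```python
"""Audit flows crossing the DMZ boundary against an expected-egress baseline.

Added example, not WaterSmart tooling. Assumes a constructed, simplified
firewall flow-log format (one key=value record per line) and a hand-maintained
baseline of which internal hosts may reach which external network/port pairs.
Internal ranges, the baseline and the log lines are all hypothetical.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed internal range

# Expected egress per source host: (destination network, destination port).
# "*" applies to every internal host. In practice this should be generated
# from the same build automation that defines the hosts.
EXPECTED_EGRESS = {
    "10.20.1.15": {("192.0.2.0/24", 443)},    # app server -> cloud API endpoint
    "*": {("198.51.100.0/24", 123)},          # everyone -> NTP
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int
    reasons: tuple


def parse_flow(line: str):
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr: str, nets=INTERNAL_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def is_expected(src: str, dst: str, dport: int, expected=EXPECTED_EGRESS) -> bool:
    ip = ipaddress.ip_address(dst)
    rules = expected.get(src, set()) | expected.get("*", set())
    return any(ip in ipaddress.ip_network(net) and port == dport for net, port in rules)


def audit(lines, expected=EXPECTED_EGRESS, nets=INTERNAL_NETS, exfil_bytes=50_000_000):
    """One Finding per outbound flow that deserves an analyst's attention."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue  # malformed record; a real run should count and report these
        src, dst = f["src"], f["dst"]
        dport, nbytes = int(f["dport"]), int(f["bytes"])
        if not is_internal(src, nets) or is_internal(dst, nets):
            continue  # inbound or internal-only: does not cross the boundary outbound
        ok = is_expected(src, dst, dport, expected)
        reasons = []
        if f["action"] == "DENY":
            if not ok:
                reasons.append("denied-unexpected-egress-attempt")  # beaconing the firewall caught
        else:
            if not ok:
                reasons.append("unexpected-egress")
            if nbytes >= exfil_bytes:
                reasons.append("large-outbound-transfer")  # approved destinations can still carry exfil
        if reasons:
            findings.append(Finding(f["ts"], src, dst, dport, nbytes, tuple(reasons)))
    return findings


def bytes_by_source(findings) -> dict:
    """Outbound bytes per internal host, counting only flagged flows."""
    totals = defaultdict(int)
    for fnd in findings:
        totals[fnd.src] += fnd.nbytes
    return dict(totals)


# Constructed sample log: documentation address ranges stand in for external hosts.
SAMPLE_FLOW_LOG = """\
2019-11-04T02:13:07Z ALLOW src=10.20.1.15 dst=192.0.2.10 proto=tcp dport=443 bytes=1240
2019-11-04T02:13:09Z ALLOW src=10.20.1.15 dst=10.20.0.2 proto=udp dport=53 bytes=88
2019-11-04T02:14:31Z ALLOW src=10.20.2.8 dst=203.0.113.77 proto=tcp dport=4444 bytes=512
2019-11-04T02:15:02Z ALLOW src=10.20.2.8 dst=203.0.113.77 proto=tcp dport=4444 bytes=73400320
2019-11-04T02:16:45Z DENY src=10.20.3.21 dst=203.0.113.9 proto=tcp dport=8443 bytes=0
2019-11-04T02:17:00Z ALLOW src=203.0.113.50 dst=10.20.1.15 proto=tcp dport=443 bytes=900
2019-11-04T02:17:30Z ALLOW src=10.20.1.15 dst=192.0.2.10 proto=tcp dport=443 bytes=61000000
2019-11-04T02:18:12Z ALLOW src=10.20.3.21 dst=198.51.100.5 proto=udp dport=123 bytes=96
this line is not a flow record
"""

if __name__ == "__main__":
    found = audit(SAMPLE_FLOW_LOG.splitlines())
    for fnd in found:
        print(f"{fnd.ts} {fnd.src} -> {fnd.dst}:{fnd.dport} {fnd.nbytes}B {','.join(fnd.reasons)}")
    print(bytes_by_source(found))
```

On the constructed log this flags the database host talking to an outside address on port 4444 twice (the second time moving 70 MB), a blocked attempt from a third host, and a large transfer from the app server to its otherwise approved API endpoint; the normal API call, the internal DNS lookup, the inbound connection and the NTP request produce nothing. The baseline should come from the same machine build automation used for rebuilding, so the audit compares observed traffic with intended traffic rather than with an analyst's memory, and the suspected compromise window should be compared against a period before it.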
At this phase, WaterSmart will also decide whether to retain specific assistance from a forensic specialist or data breach investigation management firm.
In the event that WaterSmart is legally obligated to notify the affected individuals of a data breach, the legal team will identify:
- The mandated timelines for notification
- The mandated channels of notification (email, print)
- The mandated requirement of a call center and other services for affected individuals
- Any specific content mandated for the notification letters
- Any timeline adjustments necessary to avoid interference with ongoing law enforcement investigation
- Any notification requirements as a result of geographical jurisdictions in which the affected individuals reside
In addition to requirements gathering, the notification team will decide the scope of the notifications, i.e., will they be sent to affected individuals or to all individuals regardless of being affected by the breach, etc. WaterSmart will coordinate these efforts with Utility Partners as appropriate.
Additional management points for consideration include:
- Management of multiple letter versions based on specific state regulations
- Professional printing that includes company logo and electronic signature
- Address validation and delivery
- Return mail management to handle and discard returned letters
- Certified address cleansing / National Change of address
- Quality assurance for printing and fulfillment
- First-class postage
- Print vendor with top-tier data security protocols
- Electronic letter copies for proof of notification
- USPS Delivery Report
- WORKING WITH THE UTILITY PARTNERS
Due to the unique nature of WaterSmart’s business, the representative on the response team responsible for Client Services will take the lead in effectively communicating information about the breach to the Utility Partner.
This will include:
- Timely notification of data breach when discovered (link pending)
- Updates and description of the breach and affected data, e.g., incident-specific FAQ when available
- Updates and confirmation of remediation steps being taken by the forensic team
- Coordination in publication of the notification plan and communication content to Utility Partner’s customers
- Training for how to field inbound inquiries related to the breach and/or referral directly to the WaterSmart action number
WaterSmart’s response team will decide if the breach warrants making a claim against our data breach insurance policies, and if so, begin insurance claim proceedings. During that process, they will also determine if any individuals affected by the breach are entitled to compensation, and if so, determine the mechanics of disbursing said compensation.
WaterSmart’s business operations staff will also review existing Utility Partner contracts to determine if any contracts have specific compensatory requirements as related to data breach, and if so, determine the mechanics of acting on those special clauses.
Once all necessary remediation activity has occurred, the breach incident can be closed. All documentation that tells the history of the breach and decisions made will be packaged electronically in a secure repository for archive purposes.
Based on lessons learned from executing our breach response plan, we will make the necessary modifications to our response strategy to improve our process, and enhance or modify our information security and training policies so that recurrence of breaches is minimized.
WaterSmart’s data breach response plan is intended to be a blueprint of the steps to take in the case that a data breach occurs. Periodically reviewing this plan helps keep it current and useful.
On an annual basis, WaterSmart will:
- Review staff security awareness
- Update response team contact information
- Verify response plan is updated for any major changes such as changes in lines of business, departments, or data management policies
- Evaluate internal IT security to ensure proper data access controls are in place
- Ensure automated monitoring and reporting on systems is in place
- Ensure backups are stored securely
- Evaluate third-party vendors we exchange data with for their security policies
Breach Response Plan v1.3 | Revised November 2019