
Data Breach Notification Policy

Data Breach Notification Policy template for documenting how suspected breaches are identified, escalated, investigated, notified, and remediated. Use it to ...


Purpose

This policy establishes the organization’s requirements for identifying, escalating, investigating, containing, notifying, and remediating data breaches involving personal, confidential, or sensitive information. The policy is designed to support timely response, legal compliance, and protection of affected individuals and the organization. This policy is intended to support compliance with applicable breach notification laws, including California Civil Code § 1798.82 and § 1798.29 where applicable, and other state, federal, and international privacy requirements as relevant to the incident.

Scope

This policy applies to all employees, managers, contractors, temporary workers, interns, and third parties who create, access, store, transmit, or process company data. It applies to all systems and records containing personal information, employee records, payroll data, benefits data, applicant data, customer data, vendor data, and other confidential business information. California employees: incidents involving California residents’ personal information must be evaluated for notice obligations under California Civil Code § 1798.82 and related requirements. Where other jurisdictions apply, the stricter notice rule or shorter deadline will be followed unless prohibited by law.

Definitions

For purposes of this policy:

- **Data Breach** means an unauthorized acquisition, access, disclosure, use, or loss of protected information.
- **Personal Information** includes data that identifies or can reasonably be linked to an individual.
- **Sensitive Information** includes data elements that could cause harm if exposed, such as government IDs, financial account numbers, health data, or credentials.
- **Incident Response Team** means the cross-functional team assigned to triage and manage the incident.
- **Good-Faith Investigation** means a documented investigation performed promptly after discovery to determine scope, impact, and notice obligations.

Policy Statement

The organization will respond to suspected or confirmed data breaches in a prompt, coordinated, and documented manner. Any employee who becomes aware of a suspected breach must report it immediately through the escalation procedure below. The organization will:

1. Contain the incident as quickly as practicable.
2. Preserve evidence and maintain chain-of-custody where applicable.
3. Conduct a good-faith investigation to determine scope, affected data, and legal obligations.
4. Notify affected individuals and regulators when required by applicable law.
5. Implement remediation steps to reduce the risk of recurrence.
6. Maintain records of the incident, decisions, notices, and corrective actions.

No employee may delay reporting in order to investigate independently, notify outside parties, or attempt remediation without authorization.

Procedure

### 1) Immediate reporting

Employees must report a suspected breach immediately, and in no event later than the end of the same business day, to the IT Security team, HR, and Legal/Compliance using the designated incident reporting channel.

### 2) Initial triage and containment

The Incident Response Team will assess the report, determine whether the event may involve unauthorized access or disclosure, and take immediate containment actions, which may include disabling accounts, resetting credentials, isolating systems, preserving logs, or suspending affected processes.

### 3) Good-faith investigation

The organization will document the nature of the incident, the categories of information involved, the number of affected individuals, the likely risk of harm, and whether notice is required. The investigation must be coordinated by Legal/Compliance with IT Security and HR as needed.

### 4) Notification decision

Legal/Compliance will determine notice obligations based on the facts, applicable law, contractual requirements, and regulator guidance. Where notice is required, the organization will provide it without unreasonable delay and within any applicable statutory deadline. California employees: where California breach notification law applies, affected individuals must be notified within the timeframe required by California Civil Code § 1798.82 and related law, and the organization will use the shortest applicable deadline when multiple laws apply.

### 5) Notification content and delivery

Notices will be reviewed by Legal/Compliance and must describe the incident, the information involved, steps individuals can take to protect themselves, and contact information for questions. Delivery method may include written notice, electronic notice, substitute notice, or other lawful methods depending on the circumstances.

### 6) Remediation and corrective action

After containment and notice, the organization will implement corrective actions, which may include access control changes, security training, policy updates, vendor remediation, disciplinary action, or system hardening.

### 7) Documentation and retention

All incident records, investigation notes, notices, approvals, and remediation evidence must be retained in accordance with the organization’s records retention schedule and any legal hold requirements.

Roles & Responsibilities

- **All employees**: Immediately report suspected breaches and cooperate with investigations.
- **Managers**: Escalate reports promptly and ensure employees do not attempt unauthorized containment or disclosure.
- **HR**: Coordinate on employee data incidents, support employee communications, preserve personnel-record confidentiality, and assist with corrective action where employee conduct is involved.
- **IT Security**: Contain technical incidents, preserve logs, assess system impact, and support forensic review.
- **Legal/Compliance**: Lead the good-faith investigation from a legal perspective, determine notice obligations, approve notifications, and coordinate with outside counsel as needed.
- **Policy holder**: The Compliance Officer or designated privacy lead owns this policy, ensures periodic review, and approves material updates.
- **Executive Leadership**: Support resource allocation, approve high-risk response decisions, and receive escalation for material incidents.

Compliance, Discipline, and Escalation

Failure to promptly report a suspected breach, unauthorized disclosure of incident details, destruction of evidence, or failure to follow this policy may result in corrective action up to and including termination of employment, subject to applicable law and any collective bargaining obligations. Where employee conduct may implicate protected concerted activity under NLRA Section 7, or other legally protected rights, the organization will apply this policy consistently and in a manner that does not interfere with protected rights. If the incident involves potential employee misconduct, the organization may use documented warning steps, a PIP, or other corrective measures as appropriate. Any discipline will be based on the facts, the severity of the conduct, and applicable law.

Escalation triggers requiring immediate Legal/Compliance review include:

- Exposure of Social Security numbers, financial account data, health information, or credentials
- Potentially large-scale incidents
- Third-party vendor involvement
- Media attention or regulator inquiry
- Cross-border data transfers or non-US data subjects
- Any incident involving California residents or other jurisdictions with accelerated notice requirements

Review & Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in law, technology, incident response practices, and organizational structure. The policy holder is responsible for ensuring that revisions are approved by Legal/Compliance, communicated to affected teams, and re-acknowledged when material changes occur.

Generated with MangoApps Templates