AFAS Data Breach Policy
AFAS has implemented the following procedures for use in the event of a data breach involving Personally-Identifying Information (PII), Personal Health Information (PHI), or other confidential information maintained on networks hosting the AFAS application.
The following staff have key responsibility for implementing and executing the data breach procedures:
- FIRST RESPONDER - AFAS Development Team (nnn-nnn-nnnn)
- SECOND RESPONDER - Joint Technology Solution, Inc. (nnn-nnn-nnnn)
In the event of a data breach or imminent breach of PII, PHI or other confidential information, information technology staff will:
- Disconnect the application from related systems or networks.
- Contact the AFAS Development Team to notify them of the data breach or imminent breach of PII, PHI or other confidential data.
- Document the date and time the breach occurred, what information the user was accessing at the time of the breach, the breach team member contacted, and the actions taken to secure data.
- Detect and remove any malware or other information related to the breach if applicable.
- Notify the persons affected by the breach within 24 hours of the breach occurrence or detection of the imminent breach.
- Review application vulnerabilities and increase the level of protection for the application.
- Within 7 working days, if deemed necessary, send persons whose information was exposed a letter explaining actions they should take to prevent identity theft. (See letter attached.)
Following the incident, AFAS application developers will review procedures to determine if any actions by an application user contributed to the data breach. Application users will be updated on policies to protect against data breaches or imminent breaches of PII, PHI, or other confidential data.
Information related to the data breach will be documented on the incident log; repairs or modifications to the application that were implemented will be included on the log and kept in a secure location.