Data Breach Notification Plan
We take privacy and security very seriously at Less Annoying CRM. To our knowledge, there has never been a breach of our servers, and our goal is to keep it that way. However, taking security seriously means that we must be prepared for all possibilities, including that of a data breach.
The specifics of our response to a data breach would of course depend on the details of the breach itself (the method of the breach, what data was compromised, etc.) but here is an outline of how we will approach the situation:
Identifying a breach
The first step in responding to a data breach is knowing that one has happened in the first place. We monitor the status of our security with technology (running penetration tests and network scans) as well as policy (training employees on what to look out for, making sure issues are escalated appropriately).
If we ever identify a breach, or even notice something out of the ordinary that justifies investigation, we will take the following steps
Step 1: Assigning roles and responsibility
At any company, the best way to ensure that an issue is taken seriously is to make sure that it has the attention of top leadership. Less Annoying CRM has two co-founders who will both personally handle any security concerns. Tyler King, the CEO, will be responsible for organizing the company-wide response, assigning roles, and ensuring that we do everything outlined in this document and more to handle the situation as thoroughly as possible. Bracken King, the co-founder responsible for “DevOps” which includes security, will lead the technical team in their response.
Every member of the company knows that if there is ever a security concern, the issue should go directly to the co-founders without any delay.
Step 2: Investigate the type and scope of the breach
Breaches can happen in many different ways. They can be the result of a technical or social failing on our end. In many cases, the customer may have been tricked into giving their login information to the attacker, and it might not be the result of insecurity in the software at all. In order to decide how to respond to a breach, we must first understand how the breach happened. We will seek to answer the following questions as quickly as possible:
- Was there some sort of failure of our technology or processes that enabled the breach?
- What data was accessed?
- What was (or might have been) done with the data (i.e. deleting data is different from exporting it outside our server)
- How many users were impacted?
Step 3: Address immediate threats
If we find that the breach is caused by a customer’s login information being compromised (e.g. two business partners are fighting over ownership of the business and one steals the other’s CRM login information) we will shut down the CRM account in question until we are confident that the rightful owner is the only one with access. In some cases this can take several days or longer as there may be legal issues outside of the CRM that must be adjudicated first.
If we determine that the breach occurred due to an vulnerability on our end, we will work to fix whatever the vulnerability was as quickly as possible to prevent further damage. If a situation like this ever arises, every employee at LACRM who can be helpful will treat this as their top priority and set aside any other responsibilities until the problem is solved.
Step 4: Notify the appropriate parties of the breach
This step will depend heavily on the details of the breach. For example, in a situation where a specific user is phished, they will likely already know about the breach, and it wouldn’t impact any of our other customers. But if our entire database is compromised by a hacker, that would potentially impact all of our users.
Our general guideline is that if there’s a reasonable possibility that the breach will have a negative impact on a customer, we will notify them quickly. "Quickly" can mean different things depending on how long it takes us to conclude our investigation, but when possible, our goal would be to send notifications no more than 72 hours after we become aware of the issue.
Note: If you or your customers are in the EU then you may be subject to the GDPR data breach notification rules. This basically means that if you are storing private information about a person in the CRM and that data is breached, you may be responsible for notifying that person the same way we are responsible for notifying you (this is true with any CRM you use, not just us). If this happens, we will work with you to make sure that you have all the information possible so that you can comply with the GDPR.