Data Breach Response Plan

INTEGRO HEALTH SERVICES AND INFORMATION TECHNOLOGIES INC.
Organization / Authorized Unit: Information Security Management Systems Team
Policy Version: v.1
Effective Date: 01.01.2023
Review Date: 01.02.2023
For questions regarding this policy, contact: [email protected]

Purpose

The Data Breach Response Plan sets out the procedures and principles to be followed when personal data stored or processed by Integro Health is accessed unlawfully by others. The plan aims to prevent or minimize the adverse consequences for the affected individuals, in accordance with Article 12/5 of the Personal Data Protection Law (KVKK) and the Board's Decision.

Actions to be taken upon detection of a personal data breach will be carried out in accordance with the plan prepared by Integro Health.

RESPONSIBILITIES AND DUTIES

All units and employees of Integro Health must report to their manager or the responsible unit as soon as they become aware of unauthorized or unlawful access to personal data stored or processed by Integro Health, or of personal data having been transmitted, knowingly or accidentally, to unauthorized persons. All employees are responsible for knowing and following this Plan and the steps set out in Appendix 1.

The distribution of titles, units, and job descriptions for individuals responsible under the Personal Data Breach Response Plan is as follows:

General Manager: Responsible for ensuring all employees act in accordance with this plan. 

Lawyer: Responsible for the preparation and updating of this plan; preparing notifications required by law upon detection of a data breach and tracking the process. 

IT Department: Responsible for providing the necessary infrastructure and solutions for the publication and implementation of the plan. 

Other Units: Responsible for assessing the potential consequences of a data breach and for executing the plan in accordance with their duties.

Data Controller: Integro Health, as the natural or legal person that determines the purposes and means of processing personal data and is responsible for establishing and operating the data filing system.

Data Processor: A natural or legal person that processes personal data on behalf of Integro Health on the basis of the authority granted by it.

PERSONS TO BE NOTIFIED IN CASE OF A DATA BREACH

In the event of a personal data breach, the personnel who detect the breach must immediately report the situation to their department manager, the General Manager, and the lawyer. The following details will be included in the report, which will serve as the basis for notifications to the Personal Data Protection Authority and affected individuals:

NOTIFICATIONS TO BE MADE UNDER THE LAW

In accordance with Article 12/5 of the Personal Data Protection Law (KVKK) and the Board's Decision, the lawyer authorized on behalf of the data controller will notify the Board without delay, and no later than 72 hours after Integro Health becomes aware of the personal data breach.

Additionally, after identifying the individuals affected by the data breach, Integro Health will notify the affected individuals as soon as reasonably possible. If the contact address of the affected individual is accessible, the notification will be made directly; if not, it will be published on Integro Health’s website.

If the data controller is unable to notify the Board within 72 hours for justifiable reasons, the reasons for the delay will also be explained to the Board along with the notification.

The notification to the Board will utilize the “Personal Data Breach Notification Form” published by the Board, which can be found at https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi#.

In cases where it is not possible to provide all the information in the form at once, the information will be provided in stages without causing delay.

ASSESSMENT OF THE POSSIBLE CONSEQUENCES OF A PERSONAL DATA BREACH

In the event of a detected personal data breach, the relevant department head, lawyer, and General Manager will conduct an assessment to identify the potential consequences of the data breach. Additionally, in accordance with the Board’s Decision:

PUBLICATION AND STORAGE OF THE PLAN

The plan will be published in two different formats: in hard copy (with ink signatures) and electronically, and it will be made publicly available on the website. A printed copy will be stored in the Integro Health office files.

UPDATE PERIOD OF THE PLAN

The plan will be reviewed as needed and at a maximum interval of one year, with necessary sections updated accordingly.

5 Steps of the Data Breach Process

– Act quickly to contain the affected systems and determine whether the data breach is still ongoing.

– Stop any further data loss.

– Do not destroy evidence: preserve logs and affected systems in their current state until they have been examined, and do not wipe or rebuild systems before that examination.

– Communicate with individuals within your organization who have detected the data breach or are designated contacts for reporting data breaches.

– Document your investigation and maintain records.

– Depending on the magnitude of the data breach, establish a Response Task Force; the lawyer is involved in the process in every case.

– Address vulnerabilities that may have caused the breach.

– If one of your service providers is involved in the breach, review the personal data they have access to and decide whether changes to access privileges are necessary.

– Ensure that your service providers have taken the necessary measures to prevent another breach.

STEP 3 – Notification

– Ensure that the relevant authorities, including the Personal Data Protection Authority, are properly informed.

– Notification to the Personal Data Protection Authority should be made within 72 hours of detecting the data breach.

– The obligation to notify the Board applies to every personal data breach; the more personal data involved, and the more sensitive it is, the more urgent and comprehensive the notification must be.

– Inform the affected individuals about the data breach.

– Ensure that the information and notifications provided to the affected individuals and to other relevant parties and institutions are prompt and sufficiently comprehensive.

STEP 4 – Communication

– Create a comprehensive communication plan that reaches all affected parties within the Integro Health organization that need to be informed of the breach.

STEP 5 – Enhance Your Data Protection Efforts

– Train relevant teams on data protection to prevent future data breaches.

– Monitor the specific Integro Health department or area where the data breach occurred.

– Ensure that employees are trained and supported on how to handle similar situations in the future.

– Document your organization’s efforts regarding how you address data protection and security breaches.