Data Breach Response Policy

Glass Baron Data Breach Response Policy Overview

I. This policy mandates that any individual who suspects that a theft, breach, or exposure of Glass Baron's protected data or any consumers' sensitive data has occurred must immediately provide a description of what occurred via e-mail to The Information Technology Manager will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach, or exposure has occurred. If a theft, breach, or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

II. As soon as a theft, data breach or exposure containing Glass Baron's protected data or any consumers' sensitive data is identified, the process of removing all access to that resource will begin.

• The affected unit or department that uses the involved system or output, or whose data may have been breached or exposed, will be immediately notified

• Additional departments, based on the data type involved, and additional individuals as deemed necessary will also be immediately notified

III. Glass Baron will work to determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

IV. Glass Baron Marketing and Human Resources Departments will decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

V. Evaluate the response and recovery to implement all processes required to prevent future breaches.

Glass Baron Data Breach Response Plan

1. Confirm the breach

2. Contain the breach

• Shut down the compromised system that led to the data breach.

• Establish whether steps can be taken to recover lost data and limit any damage caused by the breach

• Prevent further unauthorized access to the system

• Reset passwords if accounts and/or passwords have been compromised

• Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system

3. Assess Risks and Impact

• How many people were affected?

• Whose personal data has been breached?

• Who might gain access to the compromised personal data?

• Will the compromised data affect transactions with any other third parties?

4. Report the Incident

• Notify individuals whose personal data have been compromised.

• Notify other third parties such as banks, credit card companies or the police, where relevant

• Notify the relevant authorities if criminal activity (e.g., hacking, theft or unauthorized system access) is suspected, and preserve evidence for investigation.

5. Evaluate the Response & Recovery to Prevent Future Breaches

• Are there processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse?

• Were there weaknesses in existing security measures such as the use of outdated software and protection measures, or weakness in the use of portable storage devices, networking, or connectivity to the Internet?

• Was training provided on personal data protection matters and incident management skills?