My Compliance Library
Incident Response Policy
Regular price
$25.00 USD
This Incident Response Policy provides a structured framework for identifying, managing, and mitigating security incidents involving personal information. It ensures compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), safeguarding consumer rights and promoting timely, effective responses to incidents.
Key Highlights:
- Scope: Applies to all employees, contractors, and systems handling personal information, including consumer personal information (PI) and sensitive personal information (SPI).
- Incident Phases: Includes preparation, identification, containment, eradication, recovery, and post-incident review.
- Consumer Notification: Requires notification of affected consumers and regulatory authorities within 72 hours for reportable breaches.
- Roles and Responsibilities: Defines responsibilities for the Incident Response Team (IRT), Privacy Officer, IT Department, legal counsel, and employees.
- Monitoring and Training: Includes regular audits, simulations, and training to improve incident readiness and response.
This policy aligns organizational practices with CCPA/CPRA requirements to protect personal data and mitigate risks.
