2025.1

In the case of a breach, Niche Studio shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.

Policy Statements

Niche Studio policy requires that:

(a) Breach notification procedures are invoked upon confirmation of security breach that results in unauthorized disclosure of unprotected/unencrypted sensitive data.

(b) Notification timelines depend on jurisdiction:

  • HIPAA: Notify affected individuals within 60 days of discovery.
  • Australia (APPs/NDB): Assess within 30 days and notify the OAIC and affected individuals as soon as practicable if the breach is likely to cause serious harm.
  • GDPR: Controllers must notify authorities within 72 hours and affected data subjects without undue delay. As a processor, we support controllers in meeting this.

(c) In the event of a data breach involving personal information that is likely to result in serious harm, Niche Studio must comply with the Australian Notifiable Data Breaches (NDB) scheme by:

  • Assessing within 30 days and notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
  • Notifying affected individuals as soon as practicable
  • Following the procedures outlined in the Points of Contact for Authorities section below

Controls and Procedures

Breach Investigation Process

  1. Discovery of Breach: A data breach shall be treated as “discovered” as of the first day on which such breach is known to the organisation or, by exercising reasonable diligence, would have been known to Niche Studio (this includes breaches by the organisation’s Customers, Partners, or subcontractors). Niche Studio shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organisation. Following the discovery of a potential breach, the organisation shall immediately begin an investigation (see the organisational policies for security incident response and/or risk management incident response), conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Niche Studio shall also begin the process of determining what external notifications are required or should be made (e.g., the Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).

  2. Breach Investigation: The Niche Studio Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordination with others in the organisation as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of seven years. A breach log is kept and maintained by the Security and Privacy Officer.

  3. Risk Assessment: A risk assessment is performed in accordance with applicable laws and regulations.

Australian Privacy Act 1988 - Notifiable Data Breaches (NDB) Scheme: For breaches involving Australian personal information, Niche Studio must assess whether the breach is likely to result in serious harm to any of the affected individuals. The assessment must consider:

    • The kind of information involved
    • The sensitivity of the information
    • Whether the information is protected by security measures
    • The persons who have obtained or could obtain the information
    • The nature of the harm

Notification Requirements:

    • If serious harm is likely, Niche Studio must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware of the breach
    • Prepare a statement containing: a description of the breach, the kind of information involved, the steps taken to address the breach, and recommendations for affected individuals
    • Submit the statement to the OAIC via the online portal or by email to notifications@oaic.gov.au
    • Notify affected individuals by email (if available) or by website notice

  4. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected Niche Studio Customers according to applicable jurisdiction requirements:

General Policy: Usually within 24-48 hours, but no later than 10 calendar days after discovery.

Jurisdiction-Specific Requirements:

    • HIPAA: 60 days for individual notification; 60 days for HHS (if 500+ individuals affected)
    • Australian NDB: Assess within 30 days; notify “as soon as practicable” if serious harm is likely
    • GDPR: 72 hours for authority notification; prompt notification to data subjects
    • Other Jurisdictions: Follow local regulatory requirements

It is the responsibility of the organisation to demonstrate that all notifications were made as required, including, where a notification was delayed, evidence demonstrating the necessity of the delay.

  5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organisation that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organisation shall:

    • If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
    • If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

  6. Content of the Notice: The notice shall be written in plain language and must contain the following information:

    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
    • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
    • Any steps the Customer should take to protect Customer data from potential harm resulting from the breach;
    • A brief description of what Niche Studio is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches;
    • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or a postal address.

  7. Methods of Notification: Niche Studio Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.

  8. Maintenance of Breach Information/Log: As described above, and in addition to the reports created for each incident, Niche Studio shall maintain a process to record or log all breaches of unsecured sensitive data regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):

    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
    • A description of the action taken with regard to notification of patients regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.

  9. Workforce Training: Niche Studio shall train all members of its workforce on the policies and procedures with respect to sensitive data as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained in how to identify and report breaches within the organisation.

  10. Complaints: Niche Studio must provide a process for individuals to make complaints concerning the organisation’s patient privacy policies and procedures or its compliance with such policies and procedures.

  11. Sanctions: The organisation shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.

  12. Retaliation/Waiver: Niche Studio may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organisation may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Niche Studio Platform Customer Responsibilities

The following requirements and guidelines shall be provided to and agreed upon by a client organisation using the Niche Studio platform to host sensitive data such as PII.

The agreement may be in the form of a contract or acceptance of terms and conditions.

  1. The Niche Studio Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured sensitive data shall, without unreasonable delay and in no case later than 72 hours after discovery of a breach, notify Niche Studio of such breach. The Customer shall provide Niche Studio with the following information:

    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
    • A description of the action taken with regard to notification of patients regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.
  2. Depending on the nature of the breach, an investigation may be conducted by Niche Studio, by the Customer, or jointly to determine the cause of the breach.

  3. Notice to Media: Unless Niche Studio is directly at fault for the cause of the breach, Niche Studio Customers are responsible for providing notice to prominent media outlets at the Customer’s discretion.

  4. Notice to Authorities: Unless Niche Studio is directly at fault for the cause of the breach, Niche Studio Customers are responsible for providing notice to the appropriate authorities, including the Secretary of Health and Human Services (HHS) and the Customer’s Lead Supervisory Authority (LSA) under GDPR, at the Customer’s discretion.

Sample Letter to Customers in Case of Breach

[Date]

[Name]
[Name of Customer]
[Address 1]
[Address 2]
[City, State Zip Code]

Dear [Name of Customer]:

I am writing to you from The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust, with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date] which occurred on or about [Insert Date]. The breach occurred as follows:

Describe event and include the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known.
  • Any steps the Customer should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what Niche Studio is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, web site, or postal address.

Other Optional Considerations:

  • Recommendations to assist the Customer in remedying the breach.

We will assist you in remedying the situation.

Sincerely,

Mikael Wedemeyer
Security Officer
The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust
mikael@team.nichestud.io

List of Contacts for Authorities

Australian Privacy Commissioner (OAIC)

  • Phone: 1300 363 992
  • Email: notifications@oaic.gov.au
  • Website: https://www.oaic.gov.au/privacy/notifiable-data-breaches
  • Address: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001

Australian Cyber Security Centre (ACSC)

  • Phone: 1300 CYBER1 (1300 292 371)
  • Website: https://www.cyber.gov.au/acsc/report
  • Email: asd.assist@defence.gov.au

Australian Federal Police (AFP)

  • Phone: 131 237
  • Website: https://www.afp.gov.au/contact-us
  • Address: Australian Federal Police, GPO Box 401, Canberra ACT 2601