Fueling discovery with data.

GENOMA BIOINFORMATICS LLC
INCIDENT RESPONSE POLICY
Last Updated: February 26, 2025

1. Purpose

This Incident Response Policy (“Policy”) establishes the procedures for identifying, responding to, and recovering from security incidents, including data breaches, to minimize damage, comply with legal obligations, and maintain trust with clients.

2. Scope

This Policy applies to all employees, contractors, and third-party vendors who have access to the Company’s systems, networks, or data.

3. Definitions

  1. Security Incident: Any event that compromises the confidentiality, integrity, or availability of the Company’s systems, networks, or data.
  2. Data Breach: A security incident that results in unauthorized access to or disclosure of personal or sensitive data.
  3. Personal Data: Any information relating to an identified or identifiable individual, as defined under GDPR.
  4. Sensitive Data: Includes Protected Health Information (PHI) under HIPAA and other sensitive information.

4. Incident Response Team

  1. Team Members:
    • Data Protection Officer (DPO): [Insert Data Protection Officer].
    • IT Security Lead: [Insert Name and Contact Information].
    • Legal Counsel: [Insert Name and Contact Information].
    • Communications Lead: [Insert Name and Contact Information].
  2. Responsibilities:
    • Identify and assess potential incidents.
    • Contain and mitigate the incident.
    • Notify affected parties and regulatory authorities.
    • Document and review the incident for future improvements.

5. Incident Identification and Reporting

  1. Monitoring: Regularly monitor systems for unusual activity or potential security incidents.
  2. Reporting: Employees and contractors must report potential incidents to the DPO immediately.
  3. Initial Assessment: The DPO will assess the incident to determine its severity and impact.

6. Incident Response Procedures

  1. Containment:
    • Isolate affected systems to prevent further unauthorized access.
    • Preserve evidence for forensic analysis.
  2. Mitigation:
    • Identify and address the root cause of the incident.
    • Implement temporary fixes to prevent further damage.
  3. Eradication:
    • Remove the cause of the incident (e.g., malware, unauthorized access).
    • Apply patches or updates to affected systems.
  4. Recovery:
    • Restore affected systems and data from backups.
    • Verify that systems are secure and functioning properly.

7. Notification

  1. Internal Notification:
    • Notify the Incident Response Team and senior management.
  2. Client Notification:
    • Notify affected clients within 72 hours of discovering a data breach, as required by GDPR.
    • Provide details of the breach, including the nature of the data involved and the steps being taken to address it.
  3. Regulatory Notification:
    • Notify relevant regulatory authorities (e.g., GDPR supervisory authority, HIPAA Office for Civil Rights) within the required timeframe.
  4. Public Notification:
    • If necessary, issue a public statement to inform stakeholders and maintain transparency.

8. Documentation and Review

  1. Incident Report: Document all details of the incident, including:
    • Date and time of the incident.
    • Nature and scope of the incident.
    • Steps taken to contain and mitigate the incident.
    • Notifications made to clients and regulators.
  2. Post-Incident Review: Conduct a review to identify lessons learned and improve future response efforts.

9. Training and Awareness

  1. Employee Training: Provide regular training to employees on incident response procedures.
  2. Incident Drills: Conduct periodic drills to test the effectiveness of the Policy.

10. Compliance

  1. GDPR: Comply with GDPR requirements for breach notification and data protection.
  2. HIPAA: Comply with HIPAA requirements for breach notification and safeguarding PHI.

11. Contact Information

If you have any questions about this Policy, please contact us at:
Genoma Bioinformatics LLC