Pre-breach services

• Data privacy risk assessment review
• Evaluate client’s current data security policies and practices
• Data privacy gap assessment
• Handbook review for data security and privacy
• Information security/cybersecurity/ privacy due diligence
• Cross-border transfers of data
• Information collection from children
• Disclosure of personal information (sale/share)

Review/revision or creation of:

• Written Information Security Program (WISP)
• Privacy Policy & Terms of Use (External)
• Privacy Policy (Internal Governance Policy)

• Vendor Risk Management Policy and Procedures

• Risk Management Policy and Procedures

• Cookie Notice

• Business Continuity and Disaster Recovery Plan

• Privacy Impact Assessments/Data Protection Impact Assessments

• Social Media Policy
• Computer & Electronic Devices Usage Policy
• Bring Your Own Device (BYOD) Policy
• Document Retention & Destruction Policy
• Data Subject Access Request (DSAR) Policy and Procedures
• Telecommuting/Remote Access Policy
• Physical and Logical Access Security Policy
• Acceptable Use Policy
• Password Management Policy
• Vendor Management Policy
• Information Classification & Handling Policy
• Training Policy
• HIPAA Policies (Privacy Rule, Security Rule & Breach Notification Rule policies)

Review/revision or creation of:

• Incident response plan and playbooks
• Incident response team (establishment of team and identification of roles/responsibilities)

Review/revision or creation of:

• Employment (Confidentiality) Agreements
• Non-Disclosure Agreements
• Data Privacy Agreements/Addendums
• Third-Party Vendor Agreements and Amendments
• Business Associate Agreements
• Visitor Agreements
• End User License Agreements
• Payment Card Merchant Agreements
• Cloud Vendor Agreements

Development of employee training module on client’s data privacy and security policies and best practices
regarding:

• The role of employees in protecting PII, PHI and/or PCI data
• Phishing scams
• Social engineering
• Ransomware threats
• Laptop security
• Mobile device security
• Passwords and encryption
• Internet security
• Physical site security
• Responding to individual requests to access and/or delete personal information
• Data disposal and destruction
• Reducing the risk of data breaches
• Reporting suspected privacy and security incidents

Facilitation of a Breach Response Workshop with tabletop exercise (2-4 hour session for client’s Incident
Response Team)

• In-person or remote options available