🚨 Incident Response & Breach Notification Plan

Better Choices Education LLC

www.BetterChoicesEducation.com

1. Purpose

This Incident Response and Breach Notification Plan outlines the procedures Better Choices Education LLC (“Company”) will follow in the event of a suspected or confirmed data security incident involving personally identifiable information (PII), including student data. The policy ensures timely mitigation, compliance with legal requirements, and transparent communication with affected parties.

2. Scope

This policy applies to:

• All information systems and data assets managed by the Company
• Student and administrative user data stored or processed by the Services
• Incidents including unauthorized access, use, disclosure, alteration, or destruction of protected data

3. Definitions

• Security Incident: Any actual or suspected compromise of confidentiality, integrity, or availability of data or systems
• Breach: A confirmed security incident resulting in unauthorized acquisition or access to personal data

4. Roles and Responsibilities

• Incident Response Team (IRT): Led by the Data Protection Officer and includes system administrators, legal advisors, and communications staff
• System Administrators: Detect and contain incidents, assess technical impact
• Legal & Compliance Officer: Evaluate breach notification requirements and timelines

5. Incident Response Phases

1. Identification: Detect or receive report of suspicious activity (e.g., alerts, user complaints, system anomalies)
2. Containment: Isolate affected systems, disable compromised accounts, block unauthorized access
3. Assessment: Determine scope, affected data types, and root cause
4. Eradication: Remove threats, patch vulnerabilities, and restore secure configuration
5. Recovery: Resume normal operations, restore data from clean backups
6. Notification: If applicable, initiate notifications per Section 6
7. Post-Incident Review: Document findings, update policies, and prevent recurrence

6. Breach Notification Procedures

• The Company will notify affected school districts of confirmed breaches involving student data within 30 calendar days
• For breaches involving only directory/assignment-level data, notification will occur within 60 calendar days
• The Company will support the district’s effort to notify students, parents, or guardians as required by Connecticut General Statutes §§ 10-234aa to 10-234dd and FERPA

7. Notification Contents

All required notices will include:

• Description of the breach and its scope
• Types of data involved
• Mitigation actions taken
• Recommendations for affected individuals
• Company contact information for follow-up

8. Training and Testing

• Incident response training will be provided to relevant staff annually
• The IRT will conduct tabletop exercises at least once per year to simulate and improve breach readiness

9. Contact for Reporting Incidents

Suspected data incidents should be reported immediately to:

Better Choices Education LLC – Data Protection Officer
📧 Email: security@betterchoiceseducation.com
🌐 Website: www.BetterChoicesEducation.com

10. Policy Review

This plan will be reviewed annually or after any major incident, and updates will be communicated to all contracting districts.

The Company reserves the right to modify this policy as needed to ensure compliance with applicable laws and best practices.