This policy applies to all incidents where a breach of personal identifying information is suspected or confirmed relating to a customer of AIM or a user of software developed by AIM.
Personal Identifying Information (PII) – information that can be used to distinguish or trace an individual’s identity. PII includes, but is not limited to, any of the following:
Breach – any situation where PII is accessed by someone other than an authorized user, for anything other than an authorized purpose.
Upon learning of a possible breach, high-level technical team members will investigate immediately.
Upon confirming a breach, perform a risk assessment.
Notifying affected parties: Responsibility to notify is based both on the number of individuals affected and the nature of the PII that was accessed. Any information found in the initial risk assessment will be turned over to the legal counsel of who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Notification will be made in a timely manner, but not so soon as to unnecessarily compound the initial incident with incomplete facts or to make identity theft more likely through the notice. In the case that notification must be made:
Mitigating Risks