Data Breach Response Policy

Last Updated: 12-12-2025

Red Arrow Accounting is committed to protecting the confidentiality, integrity, and security of personal and nonpublic information. This Data Breach Response Policy outlines the procedures followed in the event of a suspected or confirmed data breach involving client, customer, or employee information.


1. Purpose

The purpose of this policy is to:

  • Ensure timely identification and containment of data security incidents
  • Minimize potential harm to affected individuals
  • Comply with applicable federal and state laws, including the Gramm‑Leach‑Bliley Act (GLBA) and the Michigan Identity Theft Protection Act (MITPA)
  • Define roles and responsibilities during a data breach response

2. Scope

This policy applies to all systems, data, employees, contractors, and third‑party service providers that store, process, or access sensitive information on behalf of Red Arrow Accounting.

Sensitive information includes, but is not limited to:

  • Nonpublic personal information (NPI)
  • Tax records and financial data
  • Social Security numbers and government‑issued identification numbers
  • Client account and business records

3. Definition of a Data Breach

A data breach is any unauthorized access, acquisition, use, disclosure, modification, or destruction of personal or nonpublic information that compromises the security, confidentiality, or integrity of such information.

This includes, but is not limited to:

  • Cyberattacks or hacking incidents
  • Malware, ransomware, or phishing attacks
  • Lost or stolen devices containing sensitive information
  • Accidental disclosure of information to unauthorized parties

4. Incident Identification and Reporting

All employees and contractors are required to immediately report any suspected or confirmed data security incident to management or the designated security contact.

Reports should include:

  • Date and time the incident was discovered
  • Description of the incident
  • Type of information potentially affected
  • Systems or devices involved

5. Incident Response and Containment

Upon identification of a suspected data breach, Red Arrow Accounting will:

  • Activate the incident response process
  • Take immediate steps to contain and secure affected systems
  • Preserve evidence related to the incident
  • Engage qualified IT, cybersecurity, or forensic professionals as needed

6. Investigation and Risk Assessment

An investigation will be conducted to determine:

  • The nature and scope of the incident
  • The type and amount of information involved
  • Whether personal information was accessed or acquired
  • The likelihood of identity theft, fraud, or other harm

7. Notification Procedures

Michigan Residents

In accordance with the Michigan Identity Theft Protection Act (MITPA), Red Arrow Accounting will provide notice to affected Michigan residents if a data breach involving personal information creates a reasonable risk of identity theft or fraud.

Regulatory and Legal Notifications

When required, Red Arrow Accounting will notify:

  • Applicable regulatory authorities
  • Law enforcement agencies
  • Insurance providers

Notifications will be made without unreasonable delay and in accordance with applicable legal requirements.


8. Mitigation and Remediation

Following a data breach, Red Arrow Accounting will take reasonable steps to:

  • Mitigate potential harm to affected individuals
  • Restore the security and integrity of systems
  • Update safeguards and controls to prevent future incidents

9. Documentation and Recordkeeping

All data security incidents and response actions will be documented, including:

  • Incident details and timelines
  • Decisions made and actions taken
  • Notification determinations

Records will be retained in accordance with legal, regulatory, and professional requirements.


10. Training and Policy Review

Employees will receive periodic training regarding data security awareness and incident reporting obligations.

This policy will be reviewed and updated as necessary to reflect changes in legal requirements, technology, or business practices.


11. Contact Information

Questions regarding this Data Breach Response Policy or reporting a suspected incident should be directed to:

Red Arrow Accounting
Email: office@redarrowaccounting.com
Phone: (269) 621-3389