Last Updated on January 10th, 2024

1. Introduction

This Incident Management and Notification Protocol outlines the procedures and responsibilities of Smarty Ears in the identification, management, and communication of incidents related to data security and privacy; specifically related to the use of Smarty Ears Online hosted on https://smartyearslearning.com/. This protocol is an extension of our commitment to maintaining the highest standards of data privacy and security, as detailed in our Privacy Policy.

We recognize the critical importance of safeguarding the Protected Information entrusted to us. This document is specifically designed to address our responsibilities under the Data Sharing and Confidentiality Agreement with the District, ensuring that we meet our obligations in a transparent, efficient, and effective manner.

The primary objective of this protocol is to establish clear guidelines for detecting, assessing, responding to, and reporting any security incidents that may impact the Protected Information. This includes outlining the roles and responsibilities of our incident response team, the steps for immediate and effective incident response, and the specific procedures for notifying School Districts in the event of an incident.

2. Scope and Applicability

This Incident Management and Notification Protocol applies to all forms of Protected Information handled by Smarty Ears under the agreement with Rocky Point Union Free School District. This includes personal and non-personal information collected, stored, processed, or transmitted by Smarty Ears in the course of providing our online speech and language therapy products and services to the District.

The protocol is applicable to all incidents that involve a breach of security, unauthorized access, or any other compromise of the confidentiality, integrity, or availability of the Protected Information. This encompasses both internal incidents within Smarty Ears’ systems and infrastructure, as well as incidents involving third-party service providers or partners who have access to or handle Protected Information on behalf of Smarty Ears.

All employees, contractors, and third-party partners of Smarty Ears are expected to comply with this protocol. It is mandatory for all relevant parties to understand their roles and responsibilities in incident identification, reporting, response, and management, as outlined in the subsequent sections of this document.

3. Incident Identification

In alignment with our Privacy Policy (https://smartyearslearning.com/privacy-policy/), Smarty Ears employs various methods and technologies to continuously monitor and identify potential security incidents that could impact the Protected Information. The identification process includes, but is not limited to, the following mechanisms:

• Automated Monitoring Systems: We utilize advanced security software and tools that continuously monitor our network and systems for any unusual activities or potential threats. This includes intrusion detection systems, firewalls, and system log analyzers.
• Regular Security Audits: Periodic audits of our systems and security measures are conducted to ensure that they are robust and up to date with the latest security standards.
• User Activity Analysis: Consistent with our Privacy Policy, we analyze user activity patterns to detect any irregularities or unauthorized access attempts. This includes monitoring login histories, IP addresses, and access patterns.
• Incident Reporting Mechanism: Employees and third-party partners are encouraged to report any suspicious activities or potential security breaches they observe. A dedicated email address (privacy@smartyearstechnologies.com) and internal reporting channels are available for this purpose.

Upon identification of a potential incident, our incident response team is immediately notified for further investigation.

4. Incident Classification

Once an incident is identified, it is classified based on its severity, impact, and the type of data involved. The classification helps in determining the appropriate response and escalation procedures. Incident classification includes:

• Minor Incidents: These incidents have a limited impact and do not involve any exposure of Protected Information. Examples include unsuccessful unauthorized access attempts or minor system glitches.
• Moderate Incidents: Incidents that may impact the integrity or availability of the Protected Information but do not involve large-scale exposure or significant breach of confidentiality.
• Severe Incidents: These are high-impact incidents involving unauthorized access, exposure, or compromise of Protected Information. Such incidents may have significant legal, reputational, or financial implications for Smarty Ears and the District.

The classification of an incident will be determined by the incident response team, taking into consideration factors such as the sensitivity of the affected data, the scale of the incident, and the potential harm to the users and the District.

5. Incident Response Procedure

Upon the identification and classification of a security incident, the following response procedures will be initiated by Smarty Ears:

• Immediate Response:
  • Containment: Our first priority is to contain the incident to prevent further unauthorized access or damage. This may involve isolating affected systems or temporarily suspending certain services.
  • Assessment: We will rapidly assess the nature and scope of the incident, including the type of data involved, the extent of the breach, and the potential impact on the District and affected individuals.
  • Mitigation: Steps will be taken to mitigate any adverse effects of the incident. This may include deploying additional security measures, engaging forensic experts, and implementing remedial actions to address vulnerabilities.
• Investigation:
  • A thorough investigation will be conducted to determine the cause of the incident, identify the extent of data compromise, and document the events leading up to the breach.
  • We will gather all necessary evidence for a comprehensive analysis and to assist in future legal or regulatory inquiries.
• Documentation:
  • Each incident will be meticulously documented, including the nature of the incident, steps taken in response, and lessons learned. This documentation will be used for post-incident reviews and compliance reporting.

6. Notification to District

In the event of an incident involving Protected Information, Smarty Ears is committed to promptly notifying school districts:

• Notification Timeframe: The District will be notified without undue delay and no later than 72 hours after becoming aware of the incident, in accordance with the Data Sharing and Confidentiality Agreement.
• Notification Content:
  • The notification will include a description of the incident, the type of data involved, the estimated number of individuals affected, and the potential impact.
  • We will also communicate the immediate steps taken in response to the incident and ongoing efforts to mitigate its effects.
• Notification Method:
  • Notifications will be made through the designated contact points as agreed in the contract, which may include email or phone,
  • The notification will be provided in a manner that maintains the security of the information and does not impede law enforcement investigations or other remedial actions.
• Ongoing Communication:
  • Smarty Ears will maintain open lines of communication with the District and provide updates as new information becomes available or as requested by the District.
  • In the case of significant incidents, we may also provide briefings to key stakeholders or arrange meetings to discuss the incident in more detail.

7. Review and Modification of the Incident Management Protocol

Regular Review and Updates:

• The Incident Management and Notification Protocol will be reviewed on an annual basis or more frequently if significant changes in technology, threats, or regulatory requirements occur.
• The review process will involve assessing the effectiveness of the current protocol, identifying areas for improvement, and making necessary adjustments to ensure the protocol remains robust and effective.

Process for Modification:

• Any proposed changes to the protocol will be thoroughly evaluated for their impact on security, compliance, and operational efficiency.
• Changes may be initiated due to lessons learned from incident responses, feedback from chool districts, changes in data protection laws and regulations, or advancements in technology.
• All modifications will be documented, with clear records of what was changed, why, and when.

Stakeholder Involvement:

• Relevant stakeholders, including key personnel from Smarty Ears and representatives from school districts, may be consulted as part of the review and modification process.
• Feedback from these stakeholders will be considered to ensure the protocol aligns with both Smarty Ears’ operational realities and the District’s expectations.

Communication of Changes:

• Any significant changes to the Incident Management Protocol will be communicated to all relevant parties within Smarty Ears and school districts.
• Employees and third-party partners will be informed of the changes and provided with updated training if necessary.