CARDWATCH POS
Breach Handling Policy
1. Purpose
This Breach Handling Policy outlines Cardwatch’s approach to identifying, managing, and mitigating data security breaches. It ensures compliance with relevant legislation and maintains the trust of our clients in the healthcare, senior living, and higher education sectors.
2. Scope
This policy applies to all employees, contractors, and third-party vendors who access Cardwatch systems, networks, or data.
3. Definitions
- Data Breach: Unauthorized access, disclosure, or loss of personal, financial, or health information.
- PII: Personally Identifiable Information.
- PHI: Protected Health Information, as applicable under HIPAA or similar regulations.
4. Breach Identification
All personnel are required to report suspected breaches immediately to the IT and Compliance teams via the internal security incident portal or emergency communication channels.
5. Breach Response Team (BRT)
The BRT comprises representatives from the IT, Legal, Compliance, Product, and Customer Success teams. The BRT is responsible for:
- Confirming the breach.
- Assessing impact and affected systems.
- Containing and mitigating the breach.
- Communicating with affected parties.
6. Investigation & Containment
- Initiate logs and audit trails.
- Isolate affected systems.
- Patch vulnerabilities.
- If third parties are involved, notify them under contractual obligations.
7. Notification & Reporting
- Notify affected clients within 72 hours of breach confirmation.
- Report incidents to the regulators designated under applicable legislation (e.g., PHIPA, HIPAA, PIPEDA, GDPR).
- Provide breach impact assessment and remediation plan.
8. Post-Incident Review
- Conduct internal review within 10 business days.
- Update security protocols, training, and breach prevention procedures.
- Document breach handling report and lessons learned.
9. Training & Awareness
All employees receive annual training on breach identification, reporting protocols, and data protection responsibilities.
10. Roles & Responsibilities
| Role | Responsibilities |
| --- | --- |
| IT Security Lead | Identifies and contains breaches, preserves evidence, coordinates technical forensics. |
| Compliance Officer | Reviews legal obligations (HIPAA, PHIPA, GDPR), ensures regulatory reporting. |
| Customer Success | Coordinates client communication and support. |
| Legal Counsel | Reviews notification language, regulatory obligations, and mitigates liability. |
| Executive Sponsor | Approves major decisions (public disclosures, service suspensions, compensation). |
11. Breach Severity & Escalation
| Severity Tier | Definition | Response Time |
| --- | --- | --- |
| Tier 1 – Minor | Unauthorized access to non-sensitive data; limited internal exposure. | 24 hours |
| Tier 2 – Moderate | Unauthorized access to PII or PHI affecting ≤ 50 individuals. | 12 hours |
| Tier 3 – Major | Large-scale compromise (e.g., ≥ 50 individuals, or system-wide breach). | 4 hours |
Each tier invokes a specific incident protocol including containment, root cause analysis, and stakeholder reporting. Tier 3 incidents must trigger executive notifications and PR coordination.
12. Regulatory Framework Compliance
HIPAA (U.S. Healthcare)
- Notify affected individuals within 60 days.
- Report to HHS if breach affects 500+ individuals.
- Maintain documentation for 6 years.
PHIPA (Ontario Health Information)
- Mandatory reporting to Ontario’s Information and Privacy Commissioner.
- Notification to individuals as soon as feasible.
- Logging of all breaches, regardless of severity.
GDPR (EU Residents, if applicable)
- Notify supervisory authority (e.g., EDPB) within 72 hours.
- If high risk, notify affected data subjects without undue delay.
- Maintain a Data Breach Register as required under Articles 33 and 34.
13. Breach Notification Template
Subject: Important Security Notification from Cardwatch POS
Dear [Customer Name],
We are writing to inform you of a recent security incident that may have involved your personal data. On [Date], we detected unauthorized access to [Brief description: “a system containing client profiles and purchase history”].
What Happened:
[Insert summary of the breach, impact, and duration.]
What We Are Doing:
- The breach was contained within [X hours].
- Forensic investigation is ongoing.
- We are enhancing system safeguards, including [describe: MFA, updated firewall, vendor audits].
What You Can Do:
- Monitor your account statements for suspicious activity.
- Contact us at security@cardwatchpos.com if you have concerns or require assistance.
We sincerely regret any inconvenience and remain committed to data security.
Sincerely,
[Cardwatch Executive Contact Info]
14. Additional Measures
- Audit Trails: Full logs of user access and system changes are reviewed during breach investigations.
- Privacy by Design: All system enhancements undergo threat modeling and DLP reviews.
- Penetration Testing: Conducted semi-annually or post-breach.
Privacy Policy for Cardwatch POS
1. Introduction
Cardwatch POS values the privacy and security of our clients’ and users’ data. This Privacy Policy describes how we collect, use, store, and protect personal and sensitive information.
2. Scope
This policy covers all digital services and platforms offered by Cardwatch, including POS systems, mobile/web apps, kiosks, and integrated CRM solutions.
3. Data We Collect
- Customer data (name, contact info, user IDs)
- Payment details (card or plan-based transactions)
- Health and dietary preferences (in senior living/healthcare contexts)
- Usage logs and technical device data (for service optimization)
4. Use of Information
- To deliver and improve POS functionalities.
- To personalize user experience (menus, dietary restrictions).
- For troubleshooting, fraud detection, and security.
- To comply with legal and contractual obligations.
5. Data Sharing
We do not sell or rent data. We may share it with:
- Trusted service providers (e.g., cloud hosting, analytics) under strict data processing agreements.
- Regulatory authorities when legally required.
- Integrated third-party apps only upon client request (e.g., dietary databases, billing systems).
6. Data Retention
We retain data for as long as necessary to fulfill the purposes outlined or to comply with legal requirements. Data is securely destroyed when no longer needed.
7. Data Security
- Encrypted storage and transmission
- Role-based access control (RBAC)
- Regular vulnerability assessments
- Secure coding and privacy-by-design practices
8. Your Rights
Clients and users have the right to:
- Access their data
- Correct or update inaccuracies
- Request deletion, subject to legal constraints
- Opt-out of certain data uses
9. Contact Us
For privacy concerns, data access requests, or questions, contact: privacy@cardwatchpos.com
These policies are reviewed annually and updated as required by changes in law, technology, or Cardwatch business operations.