1.0 Purpose
MuscleEgg publishes this Data Breach Response Policy to focus significant attention on data security, on data security breaches, and on how we should respond to such activity. MuscleEgg is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether knowing or unknowing.
1.1 Background
This policy mandates that any individual who suspects that a theft, breach or exposure of Protected data or Sensitive data has occurred must immediately provide a description of what occurred via e-mail to MuscleEgg’s Management Team. This team will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the MuscleEgg Team will follow the appropriate procedure in place.
2.0 Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of customers. Any agreements with vendors will contain similar language.
3.0 Confirmed theft, data breach or exposure of Protected data or Sensitive data
As soon as a theft, data breach or exposure involving Protected data or Sensitive data is identified, the process of removing all access to that resource will begin. The person who finds such a breach or exposure is required to start that process by notifying the MuscleEgg Management Team.
3.1 Notifying the Management Team
The MuscleEgg Management Team will be notified via e-mail of any theft, breach or exposure by the person who found it.
3.2 Incident Response Team
The Chief Executive Officer (or another member of the Executive Team) will chair an incident response team to handle the breach or exposure.
The team will include members from:
- IT Infrastructure & Applications
- Customer Support
- Finance (if applicable)
- Legal
- The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
- Additional departments based on the data type involved and/or additional individuals as deemed necessary by the CEO
This team will discuss plans to mitigate the security breach according to this policy.
3.3 Investigation
IT and any other departments deemed necessary by the Incident Response Team will analyze the breach or exposure to determine the root cause.
Once the root cause is found and fixed, the Incident Response Team will be given a full report so they can develop a communication plan.
3.4 Develop a Communication Plan
The Incident Response Team will decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.
4.0 Enforcement
Any MuscleEgg personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have its relationship with MuscleEgg and its customers terminated.