Data Breach Response Protocol

At CyberSecurePC, we take the security of your personal information seriously. This Data Breach Response Protocol ("Protocol") outlines our commitment to protecting your data and our specific actions in the unlikely event of a security incident or data breach involving your information. This Protocol is designed to comply with the Maryland Personal Information Protection Act (PIPA), specifically Maryland Code, Commercial Law § 14-3501 et seq.

1. What Is a Data Breach?

For the purposes of this Protocol, a "breach of security" or "data breach" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by CyberSecurePC. Under Maryland PIPA, "personal information" includes:

• An individual's first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver's license number, Maryland identification card number, financial account number (including credit/debit card numbers) in combination with any required security code or password, or a medical or health insurance identification number.
• User name or email address, in combination with a password or security question/answer, that permits access to an online account.
• Taxpayer identification number, passport number, or military identification number.
• Biometric data (fingerprints, retina scans, etc.).

Note: If encrypted personal information is accessed and the encryption key is also acquired, that constitutes a breach requiring notification.

2. Immediate Response: Containment & Investigation

Upon discovery of any potential security incident, CyberSecurePC will take the following immediate steps:

• Activate Response Team: Our internal incident response coordinator will assemble a response team including ownership and technical staff.
• Contain the Breach: We will take immediate action to isolate affected systems, disable compromised accounts, and prevent further unauthorized access.
• Preserve Evidence: We will secure logs, system images, and forensic evidence to support investigation and potential legal requirements.
• Begin Good Faith Investigation: As required by § 14-3504(a)(1) of Maryland Code, we will conduct a "good faith, reasonable, and prompt investigation" to determine the nature and scope of the breach, including which individuals' personal information may have been compromised.

3. Risk Assessment: Will We Notify?

After completing our investigation, we will determine whether there is a "reasonable likelihood" that the breach has resulted in or will result in identity theft or fraud. According to Maryland PIPA:

• If we determine there is no reasonable likelihood of harm to affected individuals, we are not required to provide notification. However, we must retain a record of that decision for 3 years as required by law (§ 14-3504(d)(2)).
• If we determine there is a reasonable likelihood of harm, we will proceed with notifications to affected individuals and the Maryland Attorney General.

4. Notification Process (If Required)

If we determine that notification is required, CyberSecurePC will take the following actions:

A. Notifying Affected Individuals

We will notify each affected Maryland resident without unreasonable delay, but in all cases within 45 days of discovery. Notifications will be provided in the following ways:

• Primary Method: Written notice by first‑class mail to the individual's last known mailing address in our records.
• Secondary Method (if email exists): Email notice if we have a valid email address for the individual.
• Substitute Notice (if required by cost or volume): If the cost of mailing exceeds $100,000 or the affected group exceeds 175,000 individuals, we will provide substitute notice consisting of:
  • Conspicuous posting of the notice on our website (cybersecurepc.com) for at least 30 days, AND
  • Notification to major statewide media, AND
  • A toll‑free phone number for individuals to call for information.

Contents of Notice: Each notification will include a description of the breach, the types of personal information compromised, our contact information, the toll‑free numbers for major credit reporting agencies (Equifax, Experian, TransUnion), and advice for individuals to place a fraud alert or credit freeze.

B. Notifying the Maryland Attorney General

Before we send notices to affected individuals, we will provide the Maryland Attorney General's office with a copy of the notice and the total number of affected Maryland residents. The Attorney General's contact for data breach notifications is:

• Office of the Attorney General of Maryland
  Consumer Protection Division
  200 St. Paul Place, Baltimore, MD 21202
  Phone: (410) 528-8662

C. Notifying Consumer Reporting Agencies

If we are required to notify more than 1,000 affected individuals, we must also notify all consumer reporting agencies (Equifax, Experian, TransUnion) without unreasonable delay regarding the timing, distribution, and content of the notice.

5. Law Enforcement Delay

If a law enforcement agency (local, state, or federal) determines that notification would impede a criminal investigation, we will delay notification at their written request. Once law enforcement advises that the delay is no longer necessary, we will proceed with notifications immediately.

6. Third-Party Service Providers

If we discover that a data breach occurred through one of our third‑party service providers (e.g., payment processors, clean‑room lab partners, cloud backup vendors), we will:

• Notify the provider immediately and require them to comply with Maryland PIPA notification obligations.
• If the provider fails to notify affected individuals within the required 45‑day window, we will assume responsibility for notification as required by § 14-3504(c)(2).

7. Data Retention & Destruction

To minimize breach risk, CyberSecurePC follows strict data retention policies:

Data Type	Retention Period	Destruction Method
Service Records	3 years after service completion	Secure digital deletion (overwrite)
Access Credentials (passwords)	Destroyed within 30 days after service	Immediate permanent deletion
Client Devices (unclaimed)	90 days, then disposed of	Secure wipe or physical destruction

8. Record Keeping

As required by Maryland PIPA (§ 14-3504(d)(2)), CyberSecurePC will maintain a written record of:

• Any breach investigation where we determined that notification was not required (retained for 3 years).
• All breach notifications provided to individuals and the Attorney General (retained for 3 years).
• Evidence of notifications to consumer reporting agencies.

9. Preventive Measures

We continuously work to prevent data breaches through:

• Encryption of data in transit (TLS/SSL) and at rest where feasible.
• Strict access controls and employee training on data handling.
• Secure storage of client devices in locked cabinets.
• Regular security assessments of our systems.
• Vendor risk assessments for all third‑party service providers who handle personal information.

10. Contact for Breach-Related Inquiries

If you believe your personal information may have been compromised in a breach involving CyberSecurePC, or if you have questions about this Protocol, please contact us immediately:

11. Changes to This Protocol

We may update this Data Breach Response Protocol from time to time to reflect changes in legal requirements or our operational practices. Material changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this page periodically.

---

Legal Reference: This Protocol is based on the Maryland Personal Information Protection Act (PIPA), codified at Maryland Code, Commercial Law §§ 14-3501 through 14-3509. In the event of any conflict between this summary and the actual law, the law governs. For official legal text, please consult the Maryland General Assembly website.