I TRIO Roots of Progress Onward through Progress Life can be full of unexpected moments. Identify a time when you experien ced an unexpected moment. Write an essay about a time when you experienced an unexpected moment. Explain why the moment was unexpected and how it affected your life. Be sure to explain your choice by using details and examples. Many students enjoy doing something special for their family and friends. For example they may take car offer sibling or help clean the basement. Write an essay that describes something special that you would like to do for your family or friends. Explain why this would be something special and how your family or friends might react. Be sure to include details and facts to support your explanation. "A journey of a thousand miles begins with a single step." - Confucius Write an essay explaining what this quotation means to you. Use details and examples in your essay. "The greatest barrier to success is the fear of failure." - Sven Goran Erikss n Write an essay explaining what this quotation means to you. Use details and examples in your essay. "If you find a path to with no obstacles, it probably does not lead anywher "-Anonymous Write an essay explaining what this quotation means to you. Use details and examples in your essay. U.S. Department of Justice Instruction 0900.00.01 ACTION LOG All DOJ directives are reviewed, at minimum, every five years and revisions are made as necessary. The action log records dates of approval, recertification, and cancellation, as well as major and minor revisions to this directive. A brief summary of all revisions will be noted. In the event this directive is cancelled, superseded, or supersedes another directive, that will also be noted in the action log. Action Initial Approval Authorized by Luke J. McCormack Date 8/6/2013 2 Summary Summary of Action U.S. Department of Justice Instruction 0900.00.01 TABLE OF CONTENTS ACTION LOG ................................................................................................................................ 2 GLOSSARY OF TERMS ............................................................................................................... 4 I. Background ............................................................................................................................... 7 II. DOJ Core Management Team .................................................................................................. 8 III. Incident Detection and Reporting ............................................................................................. 9 A. Requirement for Reporting .................................................................................................. 9 B. Incident Record .................................................................................................................. 10 C. Initial Assessment .............................................................................................................. 10 D. Criminal Investigation........................................................................................................ 11 E. Incident Notification ........................................................................................................... 11 IV. Internal Notification Process .................................................................................................. 11 A. Requirement for Initial Notification .................................................................................. 11 B. Contents of the Notification ............................................................................................... 11 V. Risk Assessment ..................................................................................................................... 11 A. Incident Analysis................................................................................................................ 11 B. Summary of Facts with Recommendations ........................................................................ 12 C. AAG/A Notification and Meeting Determination .............................................................. 12 D. Other Meeting Determination ............................................................................................ 12 VI. Incident Handling and Response ............................................................................................ 12 A. Course of Action ................................................................................................................ 12 B. Risk Mitigation................................................................................................................... 12 VII. External Breach Notification ................................................................................................. 15 A. Whether Breach Notification is Required .......................................................................... 15 B. Timeliness of the Notification ............................................................................................ 17 C. Source of the Notification .................................................................................................. 17 D. Contents of the Notification ............................................................................................... 18 E. Means of Providing Notification ........................................................................................ 18 F. Who Receives Notification: Public Outreach in Response to a Breach ............................. 20 Appendix A, Sample Written Notifications .................................................................................. 22 Appendix B, General Guidance for the Establishment of a Call Center in the Event of a Significant Data Breach .......................................................................................................... 24 Appendix C, References ............................................................................................................... 28 3 U.S. Department of Justice Instruction 0900.00.01 GLOSSARY OF TERMS Term Breach Definition T b ac c c ,c , unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to information, whether physical or electronic. It includes both intrusions (from outside the organization) and misuse (from within the organization). Classified National Security Information Ca a a c a ca a NSI a a a a b pursuant to Executive Order 13526, Classified National Security I a , a c cc , protection against unauthorized disclosure and is required to be marked to indicate its classified status when in documentary form. Company or business Identifying information about a company or other business entity that could be used to commit or facilitate the commission of fraud, identifiable deceptive practices or other crimes (for example, bank account information information, trade secrets, confidential or proprietary business information). Component An Office, Board, Division, or Bureau of the Department of Justice as defined in 28 C.F.R. Part 0 Subpart A, Paragraph 0.1. Cybersecurity incident Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. Harm For the purposes of this document, harm means any adverse effects that would be experienced by an individual or organization (e.g., that may be socially, physically, or financially damaging) whose information was breached, as well as any adverse effects experienced by the organization that maintains the information. Identity Theft T ac ba a a a without authorization in an attempt to commit or facilitate the commission of fraud or other crimes. The resulting crimes usually occur in one of the following ways. Identity thieves may attempt to: x Gain unauthorized access to existing bank, investment, or credit accounts using information associated with the person x Withdraw or borrow money from existing accounts or charge purchases to the accounts x O acc a ab a a 4 U.S. Department of Justice Instruction 0900.00.01 Term Definition x Ob a c , ca c ca , a , other identification documents using the stolen identity Incident An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, acceptable use policies or standard computer security practices. National Security System Has the meaning given it in the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), codified at 44 U.S.C. 3542(b)(2). Components shall use National Institute of Standards and Technology Special Publication 800-59, G I a I a S a a Na a S c S , ify National Security Systems. Personally Identifiable Information (PII) PII a a ab a a a a b a a c , including (1) any information that can be used to distinguish or trace a a , c a a , social security number, date a ac b , a a , b c c ;a (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment a . 1 Information that standing alone is not generally considered personally identifiable, because many people share the same trait, includes: x First or last name, if common (For example: Smith or Brown) x Country, state, city or Zip code of residence x Age, especially if non-specific (such as age in years, without a birth date) x Gender or race x Workplace or school x Grades, salary, or job position Sometimes multiple pieces of information, none of which alone may be considered personally identifiable, may uniquely identify a person when brought together. 1 National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010, f e 6 Thi defi i i i he GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008. 5 U.S. Department of Justice Instruction 0900.00.01 ACRONYMS Acronym Meaning AAG/A Assistant Attorney General for Administration CIO Chief Information Officer CPCLO Chief Privacy and Civil Liberties Officer CCIPS Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division CO Contracting Officer COR C CMT Core Management Team DOJ Department of Justice DOJCERT DOJ Computer Emergency Readiness Team DSO Department Security Officer FTC Federal Trade Commission JSOC Justice Security Operations Center NSI National Security Information OLC Office of Legal Counsel OLA Office of Legislative Affairs OPA Office of Public Affairs OPCL Office of Privacy and Civil Liberties PII Personally Identifiable Information SSN Social Security Number US-CERT United States Computer Emergency Readiness Team ac O c R 6 a U.S. Department of Justice Instruction 0900.00.01 I. Background In September 2006, Office of Management and Budget (OMB) issued a Memorandum for the Heads D a a A c R c a I T R a Da a Breach Notification. I F b a 2007, DOJ U.S. Department of Justice Incident Response Procedures for Data Breaches Involving Personally Identifiable Information c a OMB M a . I Ma 2007, OMB issued Memorandum 07-16 entitled Sa a A a a R B ac P a Identifiable Information, which requires agencies to develop and implement a notification policy for breaches of personally identifiable information (PII), including the establishment of an agency response team. DOJ subsequently modified its procedures to create the DOJ Core Management Team. In October 2012, the Assistant Attorney General for Administration (AAG/A) expanded the responsibility of the DOJ Core Management Team (CMT) to include breaches of company or business identifiable information, significant breaches of classified national security information (NSI) and significant cybersecurity incidents. This Instruction applies to all DOJ components, contractors that operate systems supporting DOJ, and all information regardless of format (e.g., paper, electronic, etc.). It defines the responsibilities of: x DOJ Core Management Team (CMT) x DOJ Computer Emergency Readiness Team (DOJ-CERT) x All DOJ personnel, contractors, and others who process, store, or possess PII or NSI on behalf of DOJ, or are involved in cybersecurity incidents This Instruction also ab DOJ ca c a a b ac PII, company or business identifiable information, significant breaches of NSI and significant cybersecurity incidents. It supplements, but does not replace, the security and privacy requirements contained in the DOJ Security Program Operating Manual (SPOM); DOJ Order 2640.2F, Information Technology Security and DOJ Information Technology Security Standards; the DOJ Computer System Incident Response Plan; the Privacy Act of 1974, and DOJ Order 3011.1A, Compliance with the Privacy Requirements of the Privacy Act, the E-Government Act and the FISMA. Procedures to respond to information security incidents involving the Department's information systems are located in the DOJ Computer System Incident Response Plan. This Plan focuses on protection and defense of DOJ systems and network against data loss and intrusive, abusive, and destructive behavior from both internal and external sources. For a description of computer security incidents, refer to National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide. Guidelines for a risk-based approach to protecting the confidentiality of PII are provided in NIST Special Publication 800122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). The SPOM prescribes requirements and procedures for the classification, safeguarding and 7 U.S. Department of Justice Instruction 0900.00.01 declassification of classified national security information (NSI), including reporting of any incident involving a possible loss, compromise, or suspected compromise of sensitive or classified information. II. DOJ Core Management Team The DOJ Core Management Team (CMT) is the organizational backbone for the DOJ response to an actual or suspected data breach involving PII, company or business identifiable information, significant breaches of NSI and significant cybersecurity incidents. The CMT is the primary advisor to the Attorney General in making determinations regarding breach notification. As discussed in Section V, the CMT convenes in the event of certain significant data breaches or cybersecurity incidents. The CMT is responsible for: x Determining the extent to which the incident poses problems related to identity theft, loss a ,c a , b ac or confidentiality, or the security of DOJ information and systems x Managing activities to recover from the breach and mitigate the resulting damage, including decisions relating to external breach notification The DOJ CMT is chaired by the Chief Information Officer and Chief Privacy and Civil Liberties Officer and is supported by the staff members of each of the offices represented and reports to the Assistant Attorney General for Administration. The DOJ CMT consists of the following members: x Representative from the Office of Attorney General x Principal Associate Deputy Attorney General x Associate Attorney General x Assistant Attorney General, Office of Legal Counsel x Assistant Attorney General, Office of Legislative Affairs x Assistant Attorney General, Administration x Assistant Attorney General, Civil Division x Chief Information Officer x Chief Privacy and Civil Liberties Officer x Director, Office of Privacy and Civil Liberties x Department Security Officer 8 U.S. Department of Justice Instruction 0900.00.01 x Inspector General x Director, Office of Public Affairs Program Manager and Senior Component Official for Privacy, Executive Officer, and legal counsel from component experiencing breach or incident The DOJ CMT should convene at least annually to review these procedures and discuss likely actions should an incident occur. III. Incident Detection and Reporting A. Requirement for Reporting Components must report actual or suspected data breaches, significant breaches of NSI and significant cybersecurity incidents to DOJCERT within one hour of discovery2. 1. Additional Component Requirements The following individuals should be notified of the incident within their component; should support the investigation, mitigation and recovery efforts of the DOJ CMT; and should meet, as appropriate. x Component Head or designee x Component Chief Information Officer x Senior Component Official for Privacy, Executive Officer, and legal counsel x Component Security Program Manager3 x Incident response team representative x Owner or manager of the system from which the loss occurred 2. Additional Contractor Requirements C ac C ac O c (CO), C ac O c Representative (COR) and DOJCERT within one hour of discovery of any data breach, significant breaches of NSI or significant cybersecurity incident. Contractors shall c a a a c DOJ a ,a , mitigation, and recovery activities. 2 Components must also report incidents falling under SPOM Section 1-302, Incident and Vulnerability Reporting, to the Department Security Officer through their Security Program Manager. 3 Pursuant to SPOM Section 1-303, the SPM will initiate a preliminary inquiry to ascertain all the circumstances surrounding the incident. 9 U.S. Department of Justice Instruction 0900.00.01 B. Incident Record DOJCERT will work with the reporting Component to record the incident information in the DOJCERT Incident Tracking System. The record should contain the following: x Description of the data lost, including the amount and its sensitivity or classification level x For cybersecurity incidents, the nature of the cyber threat (e.g., Advanced Persistent Threat, Zero Day Threat, data exfiltration) x Nature and number of persons affected (e.g., employees, outside individuals) x Likelihood data is accessible and usable o Likelihood the data was intentionally targeted o Evidence that the compromised information is actually being used to commit identity theft o Strength and effectiveness of security technologies protecting data x Likelihood the breach may lead to harm and the type of harm x Ability to mitigate the risk of harm DOJCERT will notify the DSO and OIG of all reported breaches and incidents. C. Initial Assessment The DSO will assess data breaches and incidents involving classified information with support from DOJCERT. DOJCERT will assess all other data breaches and incidents. The assessment will be based on the details included in the incident report and will assign an initial potential impact level of Low, Moderate, or High4. The potential impact levels describe the worst case potential impact on a component, person, company or business of the breach or incident. x Low: the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals x Moderate: the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals 4 National Institute of Standards and Technologies Federal Information Processing Standards Publication (FIPS PUB) 199, S a da ds f Sec i Ca eg i a i f Fede a I f ai a dI f ai S e . 10 U.S. Department of Justice Instruction 0900.00.01 x High: the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals D. Criminal Investigation DOJCERT will also work with the Criminal Division, Computer Crime and Intellectual Property Section (CCIPS), to determine whether further investigation is warranted by law enforcement. As appropriate, CCIPS will notify the Federal Bureau of Investigation. E. Incident Notification DOJCERT will notify US-CERT within the OMB-mandated one hour timeframe for incidents involving PII and within US-CERT established timeframes for other incidents, and will start the internal alerting and notification process. IV. Internal Notification Process A. Requirement for Initial Notification For incidents with an initial risk rating of either Moderate or High, or that may receive particular notoriety, DOJCERT will, within 72 hours of the incident being reported to DOJCERT, send an initial e-mail notification to the following: x Office of the Inspector General x Office of Privacy and Civil Liberties x Office of the Chief Information Officer x Civil Division x Security and Emergency Planning Staff x Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division x Office of Public Affairs B. Contents of the Notification The e- a a c a a c , DOJCERT a rating, as well as the actions that have been taken to respond to the incident thus far. V. Risk Assessment A. Incident Analysis 11 U.S. Department of Justice Instruction 0900.00.01 After initial notification, DOJCERT will perform a more thorough analysis of the incident, using the factors used in the initial assessment (section III.B. above) and additional information that becomes available, including reassessing the risk rating. B. Summary of Facts with Recommendations Following the analysis, DOJCERT will prepare a Summary of Facts with Recommendations for Moderate or High risk incidents and forward it to the CIO and CPCLO, in their capacity as co-chairs of the DOJ CMT. The CIO and CPCLO will then notify the members of the DOJ CMT. C. AAG/A Notification and Meeting Determination If the risk is high, the CIO and CPCLO will also notify the Assistant Attorney General for Administration (AAG/A), who will decide whether to convene a meeting of the DOJ CMT. D. Other Meeting Determination The CIO, CPCLO or the AAG/A may also, at their discretion, convene a meeting of the DOJ CMT to address specific incidents assessed at a low or moderate risk level. VI. Incident Handling and Response A. Course of Action The component experiencing the breach or incident, or the CMT for breaches and incidents handled by the CMT, will determine the appropriate course of action, including notification to affected individuals (discussed in the next section), the resources needed, and any appropriate remedy options. The component experiencing the breach or incident may consult with the CMT in developing an appropriate course of action. B. Risk Mitigation The component experiencing the breach or incident, or the CMT for breaches and incidents handled by the CMT, will simultaneously consider options for mitigating the risk. The component experiencing the breach or incident may consult with the CMT in developing appropriate mitigation options. The following are actions that can be taken by DOJ or the contractor to mitigate the risk from loss of PII, and actions that individuals can routinely take to mitigate their risk: 1. Actions that Can Be Taken to Mitigate the Risk from Loss of PII x I b ac a ba ,c ca , a ca PII, DOJ or the contractor should notify the individuals and inform them of steps that they should take to mitigate the risk. Written notification 12 U.S. Department of Justice Instruction 0900.00.01 procedures are contained in Appendix A. Where necessary, the D a c ac a a a . x If the breach involves a large volume of users, DOJ or the contractor should consider establishing a Help Line that allows affected users to call in to DOJ or the contractor to learn information. Appendix B contains more information regarding the procedures for establishing a Help Line. x If the breach of PII has the potential to compromise the physical safety of the individuals involved, DOJ should ensure that the appropriate law enforcement agencies are notified and that the agencies take appropriate protective action. x If the breach involves government-authorized credit cards (such as a loss of a card or card number), DOJ should notify the issuing bank promptly. I b ac a ba acc b b the direct deposit of credit card reimbursements, government employee salaries, or any benefit payment, DOJ should notify the bank or other entity that handles that particular transaction for DOJ. x DOJ or the contractor may take two other significant steps that can offer additional measures of protection but which will involve DOJ or contractor expense. They are: o Data Breach Analysis Using available technology or services, analyze whether a particular data loss appears to be resulting in identity theft. DOJ or the contractor may consider using this measure if it is uncertain about whether the identity-theft risk warrants implementing more costly additional steps or if it wishes to do more than rely on individual actions. o Credit Monitoring In deciding whether to offer credit monitoring services and of what type and length, DOJ should consider the seriousness of the risk of identity theft arising from the data breach involving PII. A particularly important consideration is whether any identity theft incidents have already been detected. The cost of the service should also be considered. To assist the timely implementation of either data breach analysis or credit monitoring, the General Services Administration (GSA) is putting in place several government-wide contracting methods to provide these services if needed. If a contractor is responsible for the data breach involving PII, the contractor may provide credit monitoring and/or other corrective action in coordination with the Department. 13 U.S. Department of Justice Instruction 0900.00.01 2. Actions that Individuals Can Routinely Take to Mitigate the Risk x Contact their financial institution to determine whether their account(s) should be monitored or closed. This option is relevant only when financial account information Monitor their financial account statements and immediately report any suspicious or unusual activity to their financial institution. x Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. It may take a few months for most signs of fraudulent account activity to appear on the credit report. This option is most useful when the data breach involves information that can be used to open new accounts. x Contact the three major credit bureaus and place an initial fraud alert on credit reports maintained by each of the credit bureaus. This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. x For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file. This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. x For deployed members of the military, consider placing an active duty alert on their credit file. This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. x Review resources provided on the Federal Trade Commission (FTC) Identity Theft Website. x Complete a Federal Trade Commission ID Theft Affidavit at the above FTC Website. This will allow an individual to legally notify their creditors that their identity has been compromised. Any debts incurred after that date will not be assigned to them. x Be aware that the public announcement of the breach could itself cause criminals engaged in fraud to use various techniques to deceive individuals affected by the breach into disclosing their personal information. 3. Congressional Notification The CMT will also determine whether Congress should be notified. 14 U.S. Department of Justice Instruction 0900.00.01 VII. External Breach Notification Components and the CMT will consider the following six elements when considering external notification: x Whether breach notification is required x Timeliness of the notification x Source of the notification x Contents of the notification x Means of providing the notification x Who receives notification: public outreach in response to a breach A more detailed description of these elements is set forth below: A. Whether Breach Notification is Required To determine whether notification of a breach is required, the likely risk of harm caused by the breach and then the level of risk must be assessed. A wide range of harms should be considered, such as harm to reputation and the potential for harassment or prejudice, particularly when health or financial benefits information is involved in the breach.5 Notification when there is little or no risk of harm might create unnecessary concern and confusion6. Additionally, under circumstances where notification could increase a risk of harm, the prudent course of action may be to delay notification while appropriate safeguards are put in place. Five factors should be considered to assess the likely risk of harm: 1. Nature of the Data Elements Breached. The nature of the data elements compromised is a key factor to consider in determining when and how notification should be provided to affected individuals.7 It is difficult to characterize data elements as creating a low, moderate, or high risk simply based on the type of data because the sensitivity of the data element is contextual. A 5 For reference, the express language of the Privacy Act requires agencies to consider a wide range of harms: age cie ha e ab i h a ia e ad i i a i e, ech ica a d hysical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom i f a i i ai ai ed. 5 U.S.C. 552a (e)(10). 6 Another consideration is a surfeit of notices, resulting from notification criteria which are too strict, could render all such notices less effective, because consumers could become numb to them and fail to act when risks are truly significant. 7 F e a e, hef f a da aba e c ai i g i di id a a e i c j ci i h S cia Sec i be , and/or dates of birth may pose a high level of risk of harm, while a theft of a database containing only the names of individuals may pose a lower risk, depending on its context. 15 U.S. Department of Justice Instruction 0900.00.01 name in one context may be less sensitive than in another context.8 In assessing the levels of risk and harm, consider the data element(s) in light of their context and the broad range of potential harms flowing from their disclosure to unauthorized individuals. 2. Number of Individuals Affected. The number of affected individuals may dictate the method(s) the component chooses for providing notification, but should not be the determining factor for whether a notification should be provided. 3. Likelihood the Information is Accessible and Usable. Assess the likelihood information will be or has been used by unauthorized individuals. An increased risk that the information will be used by unauthorized individuals should influence the decision to provide notification. The fact the information has been lost or stolen does not necessarily mean it has been or can be accessed by unauthorized individuals, however, depending upon a number of physical, technological, and procedural safeguards employed by the component. If the information is properly protected by encryption that has been validated by NIST, for example, the risk of compromise may be low to nonexistent. 4. Likelihood the Breach May Lead to Harm. a. Broad Reach of Potential Harm. The Privacy Act requires agencies to protect against any anticipated threats or hazards to the security or integrity of records c c b a a a , ba a , c c , unfairness to any individual on whom information is ma a (5 USC 552a(e)(10)). Additionally, the analysis should consider a number of possible harms associated with the loss or compromise of information. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem. b. Likelihood Harm Will Occur. The likelihood a breach may result in harm will depend on the manner of the actual or suspected breach and the type(s) of data involved in the incident. Social Security numbers and account information are useful to committing identity theft, as are date of birth, passwords, and a a .I a , , a a a address or other personally identifying information, the loss may also pose a significant risk of harm if, for example, it appears on a list of patients at a clinic for treatment of a contagious disease. 8 For example, breach of a database of names of individuals receiving treatment for contagious disease may pose a higher risk of harm, whereas a database of names of subscribers to agency media alerts may pose a lower risk of harm. 16 U.S. Department of Justice Instruction 0900.00.01 5. Ability to Mitigate the Risk of Harm. Within an information system, the risk of harm will depend on how the component is able to mitigate further compromise of the system(s) affected by a breach. In addition to containing the breach, appropriate countermeasures, such as monitoring system(s) for misuse of the personal information and patterns of suspicious behavior, should be taken.9 Such mitigation may not prevent the use of the personal information for identity theft, but it can limit the associated harm. Some harm may be more difficult to mitigate than others, particularly where the potential injury is more individualized and may be difficult to determine. B. Timeliness of the Notification Components should provide notification without unreasonable delay following the discovery of a breach, consistent with the needs of public or national security; official inquiries, investigations or proceedings; the prevention, detection, investigation, or prosecution of criminal offenses; the rights and freedoms of others, in particular the protection of victims and witnesses; and any measures necessary for the component to determine the scope of the breach and, if applicable, to restore the reasonable integrity of the computerized data system compromised. Decisions to delay notification should be made by the component head or a seniorlevel individual he/she may designate in writing. In some circumstances, law enforcement or national security considerations may require a delay if it would seriously impede the investigation of the breach or the affected parties. However, any delay should not exacerbate risk or harm to any affected individual(s). In cases where a contractor processes, stores, possesses, or otherwise handles the PII that is the subject of a data breach, any notification to individuals affected by the data breach must be coordinated with the Department. No notification by the contractor may proceed until the Department has made a determination that notification would not impede a law enforcement investigation or jeopardize national security. The method and content of any notification by the contractor must be coordinated with, and is subject to the approval of, the Department. C. Source of the Notification In general, notification to parties affected by the breach should be issued by the Component Head, or senior-level individual he/she may designate in writing. This demonstrates it has the attention of the chief executive of the organization. Notification involving only a limited number of persons (e.g., under 50) may also be issued jointly under the auspices of the Chief Information Officer and the Chief Privacy Officer or Senior Agency Official for Privacy. This approach signals the component recognizes both the security and privacy concerns raised by the breach. 9 For example, if the information relates to disability beneficiaries, monitoring a beneficiary database for requests for change of address may signal fraudulent activity. 17 U.S. Department of Justice Instruction 0900.00.01 When the breach involves a Federal contractor or a public-private partnership operating a system of records on behalf of a component, the component is responsible for ensuring any notification and corrective actions are taken. The roles, responsibilities, and relationships with contractors or partners must be reflected in contracts and other documents. D. Contents of the Notification The notification should be provided in writing and should use concise, conspicuous, plain language. The notice should include the following elements: x A brief description of what happened, including the date(s) of the breach and of its discovery x To the extent possible, a description of the types of personal information involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, disability code, etc.) x A statement whether the information was encrypted or protected by other means, when determined such information would be beneficial and would not compromise the security of the system x What steps affected parties should take to protect themselves from potential harm, if any x What is being done, if anything, to investigate the breach, to mitigate losses, and to protect against any further breaches x Who affected parties should contact for more information, including a tollfree telephone number, e-mail address, and postal address Given the amount of information required above, the component may want to consider layering the information, providing the most important information up front, with the additional details in a Frequently Asked Questions (FAQ) format or on the c b .I c a a a c a a not English speaking, notice should also be provided in the appropriate language(s). See Appendix A for samples of written notifications. E. Means of Providing Notification The best means for providing notification will depend on the number of persons affected and what contact information is available about the affected parties. Notice provided to persons affected by a breach should be commensurate with the number of persons affected and the urgency with which they need to receive notice. The following examples are types of notice which may be considered. x Telephone. Telephone notification may be appropriate in those cases where urgency may dictate immediate and personalized notification and/or when a 18 U.S. Department of Justice Instruction 0900.00.01 limited number of persons are affected. Telephone notification, however, should be contemporaneous with written notification by first-class mail. x First-Class Mail. First-class mail notification to the last known mailing a c c b a means notification is provided. Where the component has reason to believe the address is no longer current, it should take reasonable steps to update the address by consulting with other agencies such as the US Postal Service. The notice should be sent separately from any other mailing so that it is conspicuous to the recipient. If the component which experienced the breach uses another agency to facilitate mailing (for example, if the component which suffered the loss consults the Internal Revenue Service for current mailing addresses of affected persons), care should be taken to ensure the component which suffered the loss is identified as the sender, and not the facilitating agency. The front of the envelope should be labeled to alert the recipient to the importance of its contents, e.g., Da a B ac I a E c a should be marked with the name of the component as the sender to reduce the likelihood the recipient thinks it is advertising mail. x E-Mail. E-mail notification is problematic, because individuals change their email addresses and often do not notify third parties of the change. Notification by postal mail is preferable. However, where an individual has provided an email address and has expressly given consent to e-mail as the primary means of communication with the component, and no known mailing address is available, notification by e-mail may be appropriate. E-mail notification may also be employed in conjunction with postal mail if the circumstances of the breach warrant this approach. E-mail notification may include links to the component and www.USA.gov b , c a b a so the most important summary facts are up front with additional information provided under link headings. x Existing Government Wide Services. Agencies should use Government wide services already in place to provide support services needed, such as USA Services, including toll free number of 1-800-FedInfo and www.USA.gov. x Newspapers or other Public Media Outlets. Additionally, the component may supplement individual notification with placing notifications in newspapers or other public media outlets. The component should also set up toll-free call centers staffed by trained personnel to handle inquiries from the affected parties and the public. x Substitute Notice. Substitute notice in those instances where the component does not have sufficient contact information to provide notification. Substitute notice should consist of a conspicuous posting of the notice on the home page c b a ca a a b a ca media, including major media in areas where the affected parties reside. The notice to media should include a toll-free phone number where an individual 19 U.S. Department of Justice Instruction 0900.00.01 can learn whether or not his or her personal information is included in the breach. x Accommodations. Special consideration to providing notice to individuals who are visually or hearing impaired consistent with Section 508 of the Rehabilitation Act of 1973 should be given. Accommodations may include establishing a Telecommunications Device for the Deaf (TDD) or posting a large type notice on the component web site. F. Who Receives Notification: Public Outreach in Response to a Breach x Notification of Individuals. The final consideration in the notification process when providing notice is who should receive notification: the affected individuals, the public media, and/or other third parties affected by the breach or the notification. Unless notification to individuals is delayed or barred for law enforcement or national security reasons, once it has been determined to provide notice regarding the breach, affected individuals should receive prompt notification. x Notification of Third Parties including the Media. If communicating with third parties regarding a breach, agencies should consider the following. o Careful Planning. A c c b c a will require careful planning and execution so that it does not unnecessarily alarm the public. When appropriate, the component should notify public media as soon as possible after the discovery of a breach and the response plan, including the notification, has been developed. Notification should focus on providing information, including links to resources, to aid the public in its response to the breach. Notification may be delayed upon the request of law enforcement or national security agencies as described above in Section VII.B. To the extent possible, prompt public media disclosure is generally preferable because delayed notification may erode public trust. o Web Posting. Agencies should post information about the breach and notification in a clearly identifiable location on the home page of the component web site as soon as possible after the discovery of a breach and the decision to provide notification to the affected parties. The posting should include a link to Frequently Asked Questions (FAQ) a a a b c a breach and the notification process. The information should also appear on the www.USA.gov web site. The component may also c G a S c A a USA S c regarding using their call center. 20 U.S. Department of Justice Instruction 0900.00.01 o Notification of other Public and Private Sector Agencies. Other public and private sector agencies may need to be notified on a need-to-know basis, particularly those that may be affected by the breach or may play a role in mitigating the potential harm stemming from the breach.10 o Congressional Inquiries. Agencies should be prepared to respond to inquiries from other governmental agencies such as the Government Accountability Office and Congress. x Reassess the Level of Impact Assigned to the Information. After evaluating each of these factors, the component should review and reassess the level of impact it has already assigned to the information using the impact levels defined by the NIST. 10 For example, a breach involving medical information may warrant notification of the breach to health care providers and insurers through the public or specialized health media, and a breach of financial information may warrant notification to financial institutions through the federal banking agencies. 21 U.S. Department of Justice Instruction 0900.00.01 APPENDIX A Sample Written Notifications DATA ACQUIRED: Social Security Number (SSN) (Note: Do not insert actual SSN) Dear : We are writing to you because of a recent security incident at [DOJ or name of Component]. [Describe what happened in general terms, what kind of PII was involved, and what you are doing in response.] To protect yourself from the possibility of identity theft, we recommend that you complete a Federal Trade Commission ID Threat Affidavit. This will allow you to legally notify your creditors that your identity may have been compromised. Any debts incurred after that date will not be assigned to you. We also recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at the number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each. Equifax 1-800-525-6285 Experian 1-888-397-3742 TransUnion 1-800-680-7289 Look your credit reports over carefully when you receive them. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate. And look for personally identifiable information, such as home address or Social Security Number that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on your report. If you do find suspicious activity on your credit reports, call your local c c a a c . [O , a a , c ac number for law enforcement agency investigating the incident.] Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records. Even if you do not find any signs of fraud on your reports, we recommend that you check your credit report every three months for the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place. For more information on identity theft, we suggest that you visit the Identity Theft Website of the Federal Trade Commission. If there is anything [DOJ or name of Component] can do to assist you, please call [toll-free telephone number]. [Closing] 22 U.S. Department of Justice Instruction 0900.00.01 DATA ACQUIRED: Credit Card Number or Financial Account Number Only (Note: Do not insert actual credit card or financial account numbers) Dear : We are writing to you because of a recent security incident at [DOJ or name of Component]. [Describe what happened in general terms, what type of PII was involved, and what DOJ is doing in response.] To protect yourself from the possibility of identity theft, we recommend that you immediately contact [credit card or financial account issuer] at [phone number] and close your account. Tell them that your account may have been compromised. We also recommend that you complete a Federal Trade Commission ID Threat Affidavit. This will allow you to legally notify your creditors that your identity has been compromised. Any debts incurred after that date will not be assigned to you. In addition, we recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at a number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each. Equifax Experian TransUnion 1-800-525-6285 1-888-397-3742 1-800-680-7289 Look your credit reports over carefully when you receive them. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate. And look for personally identifiable information, such as home address or Social Security Number that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on your report. If you do find suspicious activity on your credit reports, call your local c c a a c . [O , a a , c ac number for law enforcement agency investigating the incident.] Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records. Even if you do not find any signs of fraud on your reports, we recommend that you check your credit report every three months for the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place. For more information on identity theft, we suggest that you visit the Identity Theft Website of the Federal Trade Commission. If there is anything [DOJ or name of Component] can do to assist you, please call [toll-free telephone number]. [Closing] 23 U.S. Department of Justice Instruction 0900.00.01 APPENDIX B General Guidance for the Establishment of a Call Center in the Event of a Significant Data Breach In the event of a significant data breach involving PII, the following guidance is provided to help with the determination of whether to establish a call center. The purpose of a call center is to provide individuals a number to call to obtain further information regarding the data loss and b ac a a a c ac a . The decision to establish a call center should be based on several considerations: x If a data breach does not extend outside of a Component (i.e., those affected by the breach are known and can be contacted), the establishment of a call center would not normally be necessary x If the breach affects a large number of individuals and those individuals are not easily identifiable or easily contacted, establishment of a call center should be considered to allow those potentially impacted to call and obtain additional information regarding the breach x Each situation will be unique and the decision to establish a call center must be based on individual circumstances. The main concern should be sharing of information with those affected and how they may obtain assistance. Once a decision is made to establish a call center, there are several options: x Contact the National Business Center to obtain a toll-free number. This option is likely the least expensive, since DOJ would provide its own personnel to support the call center. x C ac G a S c A a (GSA) USA Contact to establish a fully supported and staffed call center. A thorough description of the incident and set of frequently asked questions (FAQs) will also be required for call center to refer to when fielding calls. Suggested items to consider based on the nature of the breach would include, but are not limited to, the following: x Using existing DOJ personnel to staff the call center and the number of individuals required x Training of call center operators x Pre-stage FAQs x Ability to adjust staffing in response to call volume x Daily hours of operations 24 U.S. Department of Justice Instruction 0900.00.01 x Cost of service x Call logging x DOJ reporting requirements x Advertising call center numbers and making data breach information readily available to those affected x Quality assurance checks of call center effectiveness Sample call center FAQs are as follows: 1. How can I tell if my information was compromised? At this point, there is no evidence that any missing data has been used illegally. However, the DOJ/Component is asking each individual to be extra vigilant and to carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved. 2. What is the earliest date at which suspicious activity might have occurred due to this data breach? The information was stolen from an employee of the DOJ/Component during the month of _____. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that individuals may notice suspicious activity during the month of _____. 3. I a c a c ac a ca a ,b a ca I protect myself from being victimized by credit card fraud or identity theft? The DOJ/Component strongly recommends that individuals closely monitor their financial statements and visit the DOJ/Component special Website at www._______.gov. 4. Should I reach out to my financial institutions or will the DOJ/Component do this for me? The DOJ/Component does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity. 5. Where should I report suspicious or unusual activity? The Federal Trade Commission (FTC) Identity Theft web site (http://www.consumer.ftc.gov/features/feature-0014-identity-theft) recommends the following steps if you detect suspicious activity: 25 U.S. Department of Justice Instruction 0900.00.01 x Immediate Steps o Place an Initial Fraud Alert Contact the fraud department of one of the three major credit bureaus: Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241 Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013 TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790 o Order Your Credit Report from the three major credit bureaus above o Create an Identity Theft Report x Submit a report about the theft to the FTC online or call the FTC at 1-877438-4338 (1-866-653-4261 TTY). When you finish writing all the details, print a copy of the report. It will be called an Identity Theft Affidavit. Bring your FTC Identity Theft Affidavit when you file a police report. File a police report with your local police department or the police department where the theft occurred, and get a copy of the police report or the report number. Your FTC Identity Theft Affidavit and your police report make an Identity Theft Report. Extended Fraud Alerts and Credit Freezes o Extended Fraud Alerts. I c a a I T R , ca a extended fraud alert on your credit file. When you place an extended alert, you can get 2 free credit reports within 12 months from each of the 3 nationwide credit reporting companies, and the credit reporting companies must take your name off marketing lists for prescreened credit offers for 5 years, unless you ask them to put your name back on the list. The extended alert lasts for 7 years. o Credit Freezes. You may choose to put a credit freeze on your file. But a credit freeze may not stop misuse of your existing accounts or some other types of identity theft. Also, companies that you do business with would still have access to your credit report for some purposes. A fraud alert will allow some creditors to get your report as long as they verify your identity. x Close any accounts that have been tampered with or opened fraudulently FTC also has a printed publication called Taking Charge, What To Do If Your Identity Is Stolen 26 U.S. Department of Justice Instruction 0900.00.01 6. What is the DOJ/Component doing to ensure that this does not happen again? The DOJ/Component is working with the FTC to investigate the data breach and to develop safeguard against similar incidents. The DOJ/Component has directed all c DOJ C S c A a a Ta (CSAT) course. In addition, the DOJ/Component will immediately be conducting an inventory and review of all current positions requiring access to PII and require all employees needing access to PII to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI), depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the DOJ Office of the Inspector General have launched full-scale investigations into this matter. 7. Where can I get further, up-to-date information? The DOJ/Component has set up a special Website which features up-to-date news and information. Please visit www._____.gov. 8. Does the data breach affect only certain individuals? It potentially affects a large population of individuals. We urge everyone possibly affected to be extra vigilant and monitor their financial accounts. 27 U.S. Department of Justice Instruction 0900.00.01 APPENDIX C References The following references are applicable to this Instruction. Unless otherwise stated, all references to publications are to the most recent version of the referenced publication. 1. Congressional Mandates a. Clinger Cohen Act of 1996, (Pub. L. 104-106, 110 Stat. 186); and (Pub. L. 104-208, 110 Stat. 3009). b. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2511. c. E-Government Act of 2002, PL 107-347, 44 U.S.C. Ch 35. d. Federal Information Security Management Act of 2002 (FISMA), Pub. L. 107-347, 116 Stat. 2899. e. Freedom of Information Act (FOIA), 5 U.S.C. § 552. f. Privacy Act of 1974, 5 U.S.C. § 552a. 2. Federal/Departmental Regulations/Guidance a. DOJ Order 2880.1B, Information Resources Management. b. DOJ Order 2640.2F, Information Technology Security. c. DOJ Order 3011.1A, Compliance with the Privacy Requirements of the Privacy Act, the E-Government Act and the FISMA. d. DOJ Computer System Incident Response Plan. e. DOJ Information Technology Security Standards. f. DOJ Security Program Operating Manual (SPOM). 3. Presidential and Office of Management and Budget Guidance a. OMB Circular A-130, Management of Federal Information Resources (with Appendices and periodic revisions). b. OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. 28 Appendix III: Comments from the Department of Homeland Security Appendix III: Comments from the Department of Homeland Security (310508) Page 41 GAO-04-354 Cybersecurity of Control Systems Rootstackk Tribune x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x Other Financing Sources Roots of Progress Feb. 26, 2023 RootstackkTribune NOTE Statement of objects and reasons.- A regulation of Accounts Bill was passed by the abundant person who gave an assurance that Government was convinced that legislation would be beneficial for the regulation or certain classes of accounts: and that steps would be taken to place a Government Bill on a somewhat simpler scope before the Council. Explanation:- A person who has kept his account and sent his six-monthly statements of accounts in the form and manner prescribed in clauses (a) and (b) of sub-section (I) of section 3 shall be held to have complied with the provisions of these clauses, inspite of errors and omissions, if the finished extrapolation that the errors and omissions are accidental and not material and that accounts have been kept in good faith with the intention of complying with the provisions of these clauses. Working through bank telling netteller inquired call schedules of a stockholder’s price of this marking in a number to make sure a withholder is started underscored or true understanding requires a freedom of action in the business. Rootstackk Tribune holds the details of our going through in without a call schedule of FDIC but to imprint a new reason to hold a quest of thrifts assurance and making true likely details often written. FFIEC Call Schedule blocks under IDRSSD. Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All Rights Reserved As a new reason to describe a solid offered even detail is a final state in reminding fees in a service charge to meet a new inquiry often said between a revenue of our fortune and fostering in a crossed template of our issued assets and code revenue to determine in government revenue to re-approach a future. All forced fostered parents backwards is a new meeting to matte a goal of our random solved future of a different seat to each since stature designs a dry meaning of services and customs. As a trial process in a treaded procurement often waivered and expatriated of details gives an operated service charge. Portions to each of our reasons to describe a new total probable telling percent of our trial rapture isn’t a driven performance but understood in sail and fostering of enforced templates. Each of our matters are a concern of our gleamed assurance of our details operational. I want to withhold remarks of a new adjunct in business performance between shareholders and find a better temporary process of unlimiting forms of injured freedom. In mailing a business entity of starting between persons of holds to remember the described reason of timing understandings of call schedules for work is a temporary trustee. To have been contemplating a new free enhanced treatise often in thinking between parts of our jurisdiction… between this path of our services we recall some research and a final templates partition of each thread of code to rest assurance in a new sovereign inspection to meet each classification and describe a futured drift insured seasonal discipline to rest a temporary design. Working through bank telling netteller inquired call schedules of a paced asked price of this making in a number to make sure a withholder is started underscored or true to understanding requiring freedom of action. As in the business… Rootstackk Tribune holds the details of going through a call schedule of its accountholder and makes a true understanding in details written, and organized. Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All Rights Reserved Footprint… 52 address TOTAL GENERAL FUND and information gathering are essential to a "surgical" attack; the key 33,940,489 Target range and naming acquisition here is not to miss any details. Search engines, DD D DD DD DD DD D D D DDDDD D D DD D DDD D D D D D D D DDD D DD WHOIS database, Web interface DNS transfer. DD DDDD DD D D D DD D D D DDDDD Enumeration bulk target DD assessment and DD identification. ROOTS OFDPROGRESS DDDDDDDD DDD D DDDD DDDDDDDD: ... but challenges remain avenues of entry. D DDDDDDDDDD: Organizations which have not yet completed their migration to PLEAD can learn from the lessons of those who have. Nearly all respondents reported some measure of challenges in moving to the new platform. The most common issues: The transition took longer List user accounts, List than files expected, required a higher level of training, and cost more than originally budgeted. DDDDDDDD DD DDD D DDDD DD D DDD D DD Many of these concerns are echoed by those who have yet to make the move. Nearly half say that those across their organizations aren’t fully aware of benefits, and nearly as many say that resource constraints— in the form of both time and people—are likely to impact their journey. DDD D D D D D D DDDDD If only user level access was gained in the last step, the attacker will now seek to gain complete control of the system. Password D D DD D D DD D D DD cracking, Known exploits. DD D D : Acquisition The information-gathering process Evaluate trusts, begins again to identify mechanisms Search for passwords. to DD D D : gain access to trusted systems. Once total ownership D D D D D Dof: the target is secured, hiding this fact from the system administrators becomes paramount. DD D D D D D : Create rogue user accounts, Schedule batch jobs, Infect startup files, Plant remote control services, Install monitoring D D D mechanisms, \201 0 D D D D D D D DDD D D -D D \D D D Replace apps with trojans. Copyright amendments of a trial standpoint of our details in the rootstackk tribune offers All Rights Reserved Confidential COT3 SETTLEMENT AGREEMENT - IMPLEMENTATION COMPENSATION Employer: Caerphilly County Borough Council Employee: Address: Implementation Compensation Payment: £[ ] We the undersigned have agreed the terms contained with the attached Schedule and that the Schedule forms an integral part of this COT3 agreement. Signed by: Employee Date For and on Behalf of the Employer Date Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) APPENDIX The claims to be settled by this Agreement include all claims or potential claims (in respect of the Chief Officer post that the Employee currently holds as listed in the attached Appendix and includes, without limitation, the actual claim(s) (if any) listed on the attached cover sheet):Post Title Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) DOCUMENT A - IMPLEMENTATION COMPENSATION WITHOUT PREJUDICE The parties to this Agreement agree as follows:WHEREAS The Employer has previously successfully implemented, an equality proofed Single Status Structure in relation to our NJC employees (known as the "Green Book"). In addition we have harmonised the Terms and Conditions of our former craft employees ("Red Book") to achieve consistency with our Single Status arrangements. The Employer is now seeking to achieve consistent arrangements by harmonising the Chief Officer terms and conditions detailed below with those of our employees under single status: • Essential User Car Allowance and Mileage Rates • Annual Leave Allowances and Flexi Arrangements (A) All undertakings and waivers hereunder relate to the Single Status arrangements in relation to all employees. (B) In order to achieve the Single Status arrangements for Chief Officers the Employer is seeking to harmonise terms and conditions under a localised agreement within the principles of Single Status as negotiated with the recognised trade unions to achieve the Collective Agreement. The Employer has offered to vary the Employee's contract of employment which the Employee wishes to accept, which will be referred to as the "Single Status Contract of Employment". The Single Status Contract of Employment will automatically apply to the Employee by reason of the Collective Agreement. (C) The Employer does not admit any liability in relation to any of the Employee's actual claims or potential claims in relation to Breach of Contract , but in the interests of good industrial relations and to avoid protracted litigation the Employer has agreed to pay the Employee Implementation Compensation on the terms set out in this Agreement which the Employee wishes to accept on the terms of this Agreement. (D) The Employee acknowledges and accepts that by virtue of receiving the Implementation Compensation under this Agreement, the employee will not pursue any Breach of Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) Contract claim in relation to the variation to the JNC Terms for Chief Officers under a localised arrangement. SETTLEMENT 1. In consideration of the Employee's agreement to give the undertakings set out in this Agreement the Employer agrees, subject to the terms and conditions set out below, to pay to the Employee Implementation Compensation in the sum set out in the attached COT3 cover sheet. 2. The Employee accepts the Implementation Compensation in full and final settlement of the claims set out in paragraphs 3 and 4 that the Employee has or may in the future have against the Employer, any organisation to which the Employee's employment may transfer under TUPE and/or any of its or their present or former employees or officers. 3. The claims to be settled by this Agreement include all claims or potential claims(in respect of the Chief Officer post the Employee currently holds and as listed in the attached Appendix and includes, without limitation, the actual claim(s) (if any) listed on the attached cover sheet):(a) relating to Issues of Breach of Contract:(i) in relation to and arising from the variation to the JNC Terms for Chief Officers under a localised arrangement and the Single Status Contract of Employment; and (ii) payment of Implementation Consideration in connection with the variation to the JNC Terms for Chief Officers under a localised arrangement and the Single Status Contract of Employment; and (b) whether such claim is a claim, in relation to Issues of Breach of Contract :- Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) (i) under the Sex Discrimination Act 1975 (including but not limited to a claim for injury to feelings); (ii) under the Trade Union and Labour Relations (Consolidation) Act 1992 (including, but not limited to, a claim under section 188 and/or section 188A); (iii) for breach of contract, including any sum alleged to be payable under an equality clause); (iv) for unlawful deduction of wages (including any sum alleged to be payable under an equality clause or by reason of the implementation of the Single Status Contract of Employment); (v) relating to loss of pension and any other benefits; and/or (vi) (c) for any other form or type of claim. Further, and without prejudice to the generality of the foregoing, the Employee understands and accepts that, in signing this Agreement, the Employee shall not at any time institute any Employment Tribunal or Court proceedings for damages or compensation in relation to Pay Protection of former income levels, including without limitation, the payment of Implementation Consideration between the Effective Implementation Date and 1 April 2015. 4. For the avoidance of doubt, paragraphs 3 and 4 and therefore this Agreement compromise all claims arising at common law, statute, European Law and/or otherwise, whether or not such claims fall within the jurisdiction of the Employment Tribunal and/or the civil courts. In addition, by accepting the Settlement the Employee is settling any claim for an adjustment of any award under section 31 Employment Act 2002 (non-completion of statutory dispute resolution procedure: adjustment of Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) awards). Further, if there are any other ways in which claims relating to Issues of Breach of Contract have been or could be advanced, then it is the intention of the parties that these potential claims should also be treated as having been settled by this Agreement. 5. Payment of the Implementation Compensation shall be made by way of cheque made payable to the Employee. The amount of the Implementation Compensation has been calculated as a net amount less a notional deduction for income tax and National Insurance contributions, as agreed with HMRC, for which the Employer will account to HMRC on behalf of the Employee. The Implementation Compensation is not pensionable pay. 6. In the event that the Employee or anyone on his/her behalf commences or continues any proceedings against the Employer, any organisation to which the Employee's employment may transfer under TUPE and/or any of its or their present or former employees or officers for any of the claims set out in paragraphs 3 and 4, of this Agreement or otherwise then the Employee agrees to repay to the Employer an amount equivalent to the Implementation Compensation paid to the Employee under this Agreement. The Employee agrees that in such circumstances, the said sum is recoverable from him/her as a debt. 7. Payment of the Implementation Compensation by the Employer is made on the understanding that there is no admission of liability by the Employer. 8. For the avoidance of doubt, this Agreement does not affect any rights which the Employee may have in relation to any other claim against the Employer, any organisation to which the Employee's employment may transfer under TUPE and/or any of its or their present or former employees or officers including without limitation, any claim for personal injury or in connection with the Employee's accrued pension rights. Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) It is agreed that this schedule forms an integral part of the attached COT3 form. Employee: Date: For and on Behalf of the Employer: Date: Document shared on https://www.docsity.com/en/confidential-cot3-settlement-agreement/8992007/ Downloaded by: rootstackk-music {stenglel23@gmail.com) FINANCIAL MANAGEMENT CONTRACT This Financial Management Contract (“Agreement”) dated on this day of , 20 (the “Effective Date”) is made between (the “Client”) and (the “Financial Advisor”), for the purpose of setting forth the exclusive terms and conditions by which the Client desires to acquire the financial consultation and management services from the Financial Advisor. In consideration of the mutual obligations specified in this Agreement, the parties, intending to be legally bound hereby, agree to the following: Scope of Services. Client retains the above Financial Advisor and the Financial Advisor agrees to perform for the Client, the financial services set forth in Exhibit A to this Agreement (the “Services”). Any Service outside of the scope as defined in Exhibit A to this Agreement will require a new Agreement for other services agreed to by the Parties. At a minimum the Financial Advisor will understand the Client’s financial situation prior to advising the Client on making investments. Consideration / Compensation. In exchange for the full, prompt, and satisfactory performance of all Services to be rendered to the Client (as determined by the Client), the Financial Advisor shall be compensated as follows: The Financial Advisor will invoice the Client on the day of each month. The invoice will include any and all services performed under this Agreement as well as any pre-approved expenses. Payment will be due within days of the invoice date. A late charge of $ added to any invoice not paid on time. per month will be Payments must be made to the Financial Advisor by credit card, money order, check, or any other approved method of payment accepted by the Financial Advisor. Payments must be mailed to: Expenses. From time to time throughout the duration of this Financial Management Agreement, the Financial Advisor may incur certain expenses that are not included as part of the Fee for our Services to this Agreement. The Financial Advisor agrees to keep an exact record of any and all expenses acquired while performing the Services. The Financial Advisor will submit an invoice itemizing each expense, along with proof of purchase and receipt, every days upon completion of such Services. If any one expense if over $ before making the purchase. Financial Management Agreement , the Financial Advisor agrees to obtain the Client’s written consent Invoice Disputes. The Client shall notify the Financial Advisor in writing of any dispute with an invoice along with any substantiating documentation or a reasonably detailed description of the dispute within Business Days from the date of the Client’s receipt of such invoice subject to dispute. Client will be deemed to have accepted all invoices for which the Financial Advisor does not receive timely notification of a dispute and shall pay all undisputed amounts due under such invoices within the period set forth in this Agreement. The Parties shall seek to resolve all such disputes expeditiously and in good faith. Term and Termination. This Financial Management Agreement shall be effective on the date hereof and shall continue for a period of ([month[s]/year[s]) or until the expressly agree upon date of the completion of the Services, unless it is earlier terminated in accordance with the terms of this Agreement (the “Term”). If either Party subject to his agreement fails to follow through with their obligations under this Financial Management Agreement, the non-breaching Party can terminate this Agreement by providing day written notice to the breaching Party. The Client understands that the Financial Advisor may terminate this Agreement at any time if the Client fails to pay for the Services provided under this Agreement or if the Client breaches any other material provision listed in this Financial Management Agreement in the manner as defined above. Client agrees to pay any outstanding balances within days of termination. Supplies and Equipment. The Financial Advisor, at their own expense, shall furnish their own supplies and equipment necessary to deliver and complete the Services as defined under this Agreement unless otherwise agreed upon by the parties. Should the Client not furnish the agreed upon supplies, the Client understands they will be responsible for reimbursing the Financial Advisor for all expenses incurred. Independent Contractor. Client and Financial Advisor expressly agree and understand that the abovelisted Financial Advisor is an independent contractor hired by the Client and nothing in this Agreement shall be construed in any way or manner, to create between them a relationship of employer and employee, principal and agent, partners or any other relationship other than that of independent parties contracting with each other solely for the purpose of carrying out the provisions of the Agreement. Accordingly, the Financial Advisor acknowledges that neither the Financial Advisor or the Financial Advisor’s employees are not eligible for any benefits, including, but not limited to, health insurance, retirement plans or stock option plans. The Financial Advisor is not the agent of Client or its Company and is not authorized and shall not have the power or authority to bind Client or its Company or incur any liability or obligation, or act on behalf of Client or its Company. At no time shall the Financial Advisor represent that it is an agent of the Client or its Company, or that any of the views, advice, statements and/ or information that may be provided while performing the Services are those for the Client. The Financial Advisor is not entitled to receive any other compensation or any benefits from the Client. Except as otherwise required by law, the Client shall not withhold any sums or payments made to the Financial Advisor for social security or other federal, state, or local tax liabilities or contributions, and all withholdings, liabilities, and contributions shall be solely the Financial Advisor’s responsibility. The Financial Advisor further understands and agrees that the Services are not covered under the unemployment compensation laws and are not intended to be covered by workers’ compensation laws. Page 2 of 8 Financial Management Agreement The Financial Advisor is solely responsible for directing and controlling the performance of the Services, including the time, place and manner in which the Services are performed. The Financial Advisor shall use its best efforts, energy and skill in its own name and in such manner as it sees fit. Confidentiality. Throughout the duration of this Agreement, it may be necessary for the Financial Advisor to have access to the Client’s confidential and protected information for the sole purpose of performing the Services subject to this Agreement. The Financial Advisor is not permitted to share or disclose such confidential information whatsoever, unless mandated by law, without written permission from the Client. The Financial Advisor’s obligation of confidentiality will survive the termination of this Financial Management Agreement and stay in place indefinitely. Upon the termination of this Agreement, the Financial Advisor agrees to return to the Client any and all Confidential Information that is the property of the Client. Return of Property. The Financial Advisor shall promptly return to the Client all copies, whether in written, electronic, or other form or media, of the Client’s Confidential Information, or destroy all such copies and certify in writing to the Client that such Confidential Information has been destroyed. In addition, the Financial Advisor shall also destroy all copies of any Notes created by the Financial Advisor or its authorized Representatives and certify in writing to the Client that such copies have been destroyed. Intellectual Property. All Intellectual Property and related materials, including but not limited to, moral rights, goodwill, trade secrets, applications for registrations or relevant registration, rights to any trademark, trade tress, patent, copyright, trade name, and industrial design (“Intellectual Property”) that is produced or developed under this Financial Management Agreement. The Financial Advisor understands that the aforementioned is a “work for hire” and shall be the sole property of the Client. The Client’s use of the Intellectual Property shall not be restricted in any manner. The Financial Advisor may not use the Client’s Intellectual Property for any purpose other than contracted for in this Financial Management Agreement unless the Financial Advisor has written consent from the Client. The Financial Advisor shall be responsible for any damages resulting from any unauthorized use of the Client’s intellectual property. Indemnification and Release. The Financial Advisor agrees to take all necessary precautions to prevent injury to any persons or damage to property during the term of this Agreement, and shall indemnify, defend and hold harmless the Client, its officers, directors, shareholders, employees, representatives and/or agents from any claim, liability, loss, cost, damage, judgment, settlement or expense (including attorney’s fees) resulting from or arising in any way out of injury (including death) to any person or damage to property arising in any way out of any act, error, omission or negligence on the part of the Financial Advisor or any of the Financial Advisor’s employees in the performance or failure to fulfill any Services or obligations under this Agreement. No Exclusivity. The Parties subject to this Agreement understand and acknowledge that this Agreement is not exclusive. Each Party respectively agree that they are free to enter into other similar Agreements with other parties. Warranty. The Financial Advisor shall provide its services and meet its obligations set forth in this Agreement in a timely and satisfactory workmanlike manner, using its knowledge and recommendations for performing its services which generally meets standards in the Financial Advisor’s region and Page 3 of 8 Financial Management Agreement community, and agrees to provide a standard of care, equal or superior to care used by other professionals in the same profession. The Financial Advisor shall perform the services in compliance with the terms and conditions of the Agreement. Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (“Notice”) shall be in writing and addressed to the parties at the addresses set forth on the signature page of this Agreement (or to such other address that may be designated by the receiving party from time to time in accordance with this section). All Notices shall be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), facsimile, or email (with confirmation of transmission), or certified or registered mail (in each case, return receipt requested, postage prepaid). Dispute Resolution. Parties to this Agreement shall first attempt to settle any dispute through good-faith negotiation. If the dispute cannot be settled between the parties via negotiation, either party may initiate mediation or binding arbitration in the State of . If the parties do not wish to mediate or arbitrate the dispute and litigation is necessary, this Agreement will be interpreted based on the laws of the State of , without regard to the conflict of law provisions of such state. The Parties agree the dispute will be resolved in a court of competent jurisdiction in the State of . Governing Law. This Financial Management Agreement shall be governed in all respects by the laws of the State of without regard to the conflict of law provisions of such state. This Agreement shall be binding upon the successors and assigns of the respective parties. Force Majeure. The Financial Advisor and any of its employees or agents shall not be in breach of this Financial Management Agreement for any delay or failure in performance caused by reasons out of its reasonable control. This includes, but is not limited to, acts of God or a public enemy; natural calamities; failure of a third party to perform; changes in the laws or regulations; actions of any civil, military or regulatory authority; power outage or other disruptions of communication methods or any other cause which would be out of the reasonable control of the Financial Advisor. Legal Fees. Should a dispute between the named Parties arise lead to legal action, the prevailing Party shall be entitled to any reasonable legal fees, including, but not limited to attorneys’ fees. No Assignment. This Agreement shall inure to and be binding upon the undersigned and their respective heirs, representatives, successors and permitted assigns. This Agreement may not be assigned by either party without the prior written consent of the other party. Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. A signed copy of this Agreement delivered by facsimile. email, or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy of this Agreement. Electronic Signatures. This Agreement and related documents entered into in connection with this Agreement are signed when a party’s signature is delivered electronically, and these signatures must be treated in all respects as having the same force and effect as original signatures. Page 4 of 8 Financial Management Agreement Severability. If any term or provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Captions for Convenience. All captions herein are for convenience or reference only and do not constitute part of this Agreement and shall not be deemed to limit or otherwise affect any of the provisions hereof. No Waiver. No waiver of or failure to act upon any of the provisions of this Agreement or any right or remedy arising under this Agreement shall be deemed or shall constitute a waiver of any other provisions, rights or remedies (whether similar or dissimilar). Amendment. This Agreement may be amended only by a writing signed by all of the Parties hereto. Entire Agreement. This Agreement constitutes the sole and entire agreement of the Parties regarding the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, regarding such subject matter. This Agreement may only be amended, modified, or supplemented by an agreement in writing signed by each Party hereto. [Signatures on Following Page] Page 5 of 8 Financial Management Agreement IN WITNESS WHEREOF, the undersigned have executed this Financial Management Agreement effective as of the day of , 20 (the “Effective Date”). Dated: Dated: Financial Advisor’s Signature Client’s Signature Financial Advisor’s Printed Name or Entity Client’s Printed Name or Entity Financial Advisor’s Contact Information: Client’s Contact Information: Address: Address: Phone Number: Phone Number: Email Address: Email Address: Page 6 of 8 Financial Management Agreement EXHIBIT A SERVICE(S) The Financial Advisor agrees to provide the following service(s): The Financial Advisor is entitled to reimbursement of the following expenses incurred while performing such Service(s): *The Financial Advisor agrees that any expense not listed must be pre-approved by the Client. The Financial Advisor agrees to provide any receipts of any other related document to such expenses. Other: Page 7 of 8 Financial Management Agreement Payee/Company Information Section - Payee prints or types the name of the payee/company and address that will receive ACH vendor/miscellaneous payments, social security or taxpayer ID number, and contact person name and telephone number of the payee/company. Payee also verifies depositor account number, account title, and type of account entered by your financial institution in the Financial Institution Information Section. 2. Financial Institution Information Section - Financial institution prints or types the name and address of the payee/company's financial institution who will receive the ACH payment, ACH coordinator name and telephone number, nine-digit routing transit number, depositor (payee/ company) account title and account number. Also, the box for type of account is checked, and the signature, title, and telephone number of the appropriate financial institution official are included. BURDEN ESTIMATE STATEMENT The estimated average burden associated with this collection of information is 15 minutes per respondent or recordkeeper, depending on individual circumstances. Page 8 of 8 Financial Management Agreement