Computer Storage Services offers storage for clients’ data, which can include private information for clients and patients that falls under the protection of the PIPEDA Personal Information Protection and Electronic Documents Act and the PHIPA Personal Health Information Protection Act.  Computer Storage Services is committed to protecting this information by any means possible.  As well as storing client data in a secure physical environment as outlined in the Computer Storage Services security policy, Computer Storage Services stores all client data encrypted at the block level using AES 256-bit with a 32-character key, which makes the data useless should the hardware on which it is stored ever be physically stolen.  Because the encryption occurs before the data leaves the client’s site and remains encrypted while being stored and also when it is retrieved by a client, this encryption ensures that the data is unreadable in the event that data packets are intercepted over the internet or by any other virtual means.

Computer Storage Services does however acknowledge that the possibility of a breach through other means, such as access by an unauthorized person using a secure password to decrypt the data.  For this reason, Computer Storage Services has developed the process outlined in this document to contain and deal with a breach promptly and effectively, while ensuring the future privacy of all data stored on Computer Storage Services hardware.

The following Actions will be taken in the event of a data breach:

Action 1
Take affected server offline.  If the extent of the breach is unknown, all Computer Storage Services servers would be taken offline to ensure access to the data has been severed.

Action 2
Analyze the evidence of the breach to determine where the breach has occurred and determine which servers and which client’s data are affected.

Action 3
Notify clients whose data has been breached by telephone to the provided primary (emergency) contact when possible, and to secondary or tertiary contacts if primary contact is not possible.

Action 4
Document how the breach has occurred, and create a breach report that outlines the cause of the breach and the steps taken to correct the breach, as well as steps taken  to change Computer Storage Services privacy policy to ensure future breaches are avoided.

Action 5
Provide written notice to affected clients of the breach, as well as the breach report, while requesting permission to bring affected servers back online to resume service.

Action 6
When written permission has been received from affected clients, and all steps taken to correct the breach and to change Computer Storage Services privacy policy, put affected servers back online and resume service.

If you have any privacy concerns please contact Cynthia Tetley by email at cynthia@computerstorageservices.com, or by mail at Computer Storage Services, 6-2400 Dundas Street West, Suite 610, Mississauga, Ontario, L5K2R8, or by telephone at 1-877-660-6800 x 14.