
Data Breach Notification Policy

Last updated: 2026-02-10
Version 1.0

1. Purpose

This Data Breach Notification Policy describes how Asterium LLC, doing business as NannyLedger ("NannyLedger," "we," "us," or "our"), detects, responds to, and notifies affected individuals in the event of a data breach involving personal information. NannyLedger processes sensitive data including Social Security Numbers, bank account numbers, and tax information, and we take our obligation to protect this data seriously.

2. What Constitutes a Breach

A data breach is any unauthorized access to, acquisition of, or disclosure of unencrypted personal information (or of encrypted personal information where the encryption key was also compromised) that compromises the security, confidentiality, or integrity of that information. Examples include: unauthorized access to database records containing personal information, theft or loss of devices containing unencrypted personal data, unauthorized employee or contractor access to personal information beyond their authorized scope, successful phishing or social engineering attacks resulting in credential compromise, and exploitation of a software vulnerability resulting in data exposure.

3. Encryption Safe Harbor

Most state breach notification laws provide a safe harbor for encrypted data. NannyLedger encrypts all sensitive personal information (SSNs, bank account numbers, EINs) at rest using AES-256-GCM. If a breach involves only encrypted data and the encryption keys were not compromised, notification may not be required under applicable state law. Whether the safe harbor applies therefore turns on the key-exposure finding of the incident assessment, not on the fact that the data was encrypted at rest: an attacker who obtained both the ciphertext and the key (for example, through a compromised application host that held the key in memory) is treated as having obtained the plaintext. We will evaluate each incident individually and err on the side of notification when there is any doubt about whether the safe harbor applies.

4. Detection and Response

NannyLedger maintains multiple layers of breach detection: comprehensive audit logging on all database operations involving sensitive data, automated alerts for unusual access patterns (multiple failed login attempts, bulk data access, access from new locations), real-time monitoring of authentication events, and regular review of access logs by authorized personnel.

Upon detecting a potential breach, we immediately activate our incident response plan: contain the breach (revoke access, rotate credentials, isolate affected systems), assess the scope (determine what data was accessed, how many individuals were affected, and whether the encryption keys were compromised), engage legal counsel and forensic investigators as appropriate, and begin the notification process as described below. The encryption finding from the scope assessment is what determines whether the safe harbor described in Section 3 can apply.
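The three alert conditions named above (repeated failed logins, bulk reads of sensitive records, and a login from a location not previously seen for the user) are typically implemented as sliding-window checks over the audit log. The following is an added illustration written for this page; it is not NannyLedger's monitoring code. The log line format, the field names, the thresholds, the location baseline and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values stated in the policy).
FAILED_LOGIN_THRESHOLD = 5              # failures per user inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_READ_THRESHOLD = 100               # sensitive rows per user inside the window
BULK_READ_WINDOW = timedelta(minutes=5)

# Constructed audit lines: "<iso timestamp> <user> <action> <geo> [<rows>]".
# alice: five failures in five minutes (burst).  bob: first login from a new
# location, then 110 sensitive rows in two minutes.  carol: five failures spread
# fourteen minutes apart, so the window never holds more than one.
SAMPLE_LOG = """\
2026-02-10T09:00:00 alice login_failed US-TX
2026-02-10T09:01:00 alice login_failed US-TX
2026-02-10T09:02:00 alice login_failed US-TX
2026-02-10T09:03:00 alice login_failed US-TX
2026-02-10T09:04:00 alice login_failed US-TX
2026-02-10T09:06:00 alice login_success US-TX
2026-02-10T09:07:00 bob login_success DE-BE
2026-02-10T09:08:00 bob read_sensitive DE-BE 60
2026-02-10T09:09:00 bob read_sensitive DE-BE 50
2026-02-10T09:30:00 bob read_sensitive DE-BE 30
2026-02-10T09:00:00 carol login_failed US-TX
2026-02-10T09:14:00 carol login_failed US-TX
2026-02-10T09:28:00 carol login_failed US-TX
2026-02-10T09:42:00 carol login_failed US-TX
2026-02-10T09:56:00 carol login_failed US-TX
"""

# Constructed baseline: locations each user has previously logged in from.
KNOWN_LOCATIONS = {"alice": {"US-TX"}, "bob": {"US-TX"}, "carol": {"US-TX"}}


def parse_event(line):
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "action": parts[2],
        "geo": parts[3],
        "rows": int(parts[4]) if len(parts) > 4 else 0,
    }


def _prune(window, now, max_age):
    """Drop (timestamp, payload) entries older than max_age from the left."""
    while window and now - window[0][0] > max_age:
        window.popleft()


class AccessMonitor:
    def __init__(self, known_locations):
        self.known = {u: set(g) for u, g in known_locations.items()}
        self.failed = defaultdict(deque)    # user -> (ts, None)
        self.reads = defaultdict(deque)     # user -> (ts, rows)
        self.alerts = []

    def _alert(self, kind, ev):
        self.alerts.append((kind, ev["user"], ev["ts"].isoformat()))

    def observe(self, ev):
        user, now = ev["user"], ev["ts"]
        if ev["action"] == "login_failed":
            q = self.failed[user]
            q.append((now, None))
            _prune(q, now, FAILED_LOGIN_WINDOW)
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                self._alert("failed_logins", ev)
                q.clear()                   # one alert per burst
        elif ev["action"] == "login_success":
            seen = self.known.setdefault(user, set())
            if ev["geo"] not in seen:       # a user with no baseline alerts on first login
                self._alert("new_location", ev)
                seen.add(ev["geo"])         # baseline the location after alerting
        elif ev["action"] == "read_sensitive":
            q = self.reads[user]
            q.append((now, ev["rows"]))
            _prune(q, now, BULK_READ_WINDOW)
            if sum(rows for _, rows in q) >= BULK_READ_THRESHOLD:
                self._alert("bulk_read", ev)
                q.clear()


def run(log_text, known_locations):
    """Process events in timestamp order; return alerts as (kind, user, iso_ts)."""
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    monitor = AccessMonitor(known_locations)
    for ev in events:
        monitor.observe(ev)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(*alert)
```

Running it on the constructed log yields exactly three alerts: alice's failed-login burst at 09:04, bob's login from DE-BE at 09:07, and bob's bulk read at 09:09. Carol's five failures produce nothing because each one falls outside the ten-minute window of the previous, and bob's later 30-row read at 09:30 is under the threshold once the earlier reads have aged out. The events are sorted before processing because audit records from several hosts rarely arrive in order; a real deployment would also persist the location baseline rather than build it from a dictionary.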

5. Notification Timeline

NannyLedger operates nationwide and complies with all applicable state breach notification laws. Because our users are located across the United States, we follow the most stringent applicable timeline.

Key state requirements include: California (Cal. Civ. Code 1798.82) requires notification in the most expedient time possible and without unreasonable delay. New York (N.Y. Gen. Bus. Law 899-aa) requires notification in the most expedient time possible and without unreasonable delay. Texas (Tex. Bus. & Com. Code 521.053) requires notification of affected individuals without unreasonable delay, not to exceed 60 days, and notification of the Texas Attorney General when at least 250 Texas residents are affected. Florida (Fla. Stat. 501.171) requires notification of affected individuals within 30 days and notification of the Florida Attorney General if 500 or more Florida residents are affected.

NannyLedger's target notification timeline is 72 hours from breach confirmation for all affected individuals, regardless of state of residence, which meets or exceeds all current state requirements. Because the statutory clocks generally run from discovery or determination of the breach rather than from an internal confirmation step, the scope assessment described in Section 4 is treated as part of this 72-hour budget, not as something that precedes it.

6. Notification Content

Breach notifications will include: a description of the incident and the approximate date it occurred, the types of personal information involved (e.g., names, SSNs, bank account numbers), a description of the steps we have taken to investigate and contain the breach, steps affected individuals can take to protect themselves (credit monitoring, fraud alerts, password changes), contact information for NannyLedger's support team for questions, and information about filing complaints with the appropriate state attorney general or the Federal Trade Commission.

7. Notification Methods

Primary notification will be sent via email to the email address associated with the affected account. If we do not have a valid email address, or if the email is returned undeliverable, we will attempt notification by postal mail to the last known address. Where the number of affected residents in a state meets that state's reporting threshold (thresholds vary by state; Florida's is 500 residents and Texas's is 250), we will also provide notice to the state attorney general or other designated state agency as required by that state's law. We will also post a notice on our website at https://www.nannyledger.com for at least 90 days.

8. Third-Party Vendor Breaches

If a breach occurs at one of our subprocessors (see our Subprocessor List at /subprocessors), we will work with the affected vendor to determine the scope and impact on NannyLedger users. Our subprocessor agreements require vendors to notify us within 24 hours of discovering a breach that may affect our users' data. We will then evaluate the incident and provide notification to affected individuals as described in this policy, even if the breach originated at a third party.

9. Record Keeping

NannyLedger maintains records of all data breach investigations, including: the date the breach was discovered, the date notifications were sent, the number of individuals affected, the types of data involved, remediation steps taken, and communications with law enforcement and regulatory agencies. These records are retained for a minimum of 5 years.

10. Contact Us

If you believe your NannyLedger account has been compromised, or if you have questions about this policy, contact us immediately at security@nannyledger.com, by mail at Asterium LLC, Katy, TX 77450, or through our Contact Support page. For urgent security concerns, email security@nannyledger.com with the subject line "Security Incident" for priority handling.
