Policies

Data Security and Privacy Policies

Plessas Experts Network (PEN) has the following Policies with respect to customers and information gathered or hosted by PEN. The terms PEN, "we" and "us" refer only to Plessas Experts Network.

Privacy Policy

In the course of our training and investigations, we may collect identifying and non-identifying information. This information may include contact information, shipping and billing information, credit card numbers and other payment information, purchase history, and case information. It also includes investigation data such as names, personally identifying information, websites, email addresses, social networking data, Social Security numbers, property addresses and details, and user-related content on the open and dark internet.

In these cases, only approved employees will have access to client information on the tasks to which they are assigned, and clients will only have access to the data associated with their own cases and projects.

We use the information only to complete the transaction for which the information is intended, including administering training and similar events, completing an order, replying to requests, completing investigations, or contacting you if you have granted us permission to do so. We do not share this information with outside parties without your permission except to the extent necessary to administer the services we offer or to comply with subpoenas, court orders or other legal proceedings.

Clients and customers can access their information via e-mail to info@plessas.net, or by calling (202)684-8101. We will take reasonable steps to verify your identity before granting access or making changes to your information. We will respond to your request consistent with applicable law.

PEN does not guarantee that data received through third parties is correct and may retain this information in an attempt to verify or eliminate the information in conjunction with an investigation. This data should not be relied upon as accurate until analyzed and verified.

Collection of Personal Information from Children under Thirteen: In cases where there is incidental collection of information on a child under the age of thirteen (13), the information is immediately deleted.

To the extent information that we collect, receive or use is information which relates to an identified or identifiable individual in the European Economic Area (EEA) or under the California Consumer Privacy Act (CCPA), we will treat such information as personal information as required by applicable law.

We use cookies on our website. Cookies are small files that a web server transfers to an individual's computer for functionality and recordkeeping purposes while visiting that site. We use cookies to improve your user experience and the overall quality of our services, and to facilitate your ongoing access to and use of our site, among other things. Cookies may also convey information to us about how frequently you access the Services and allow us to evaluate usage of the Services over time. You can view and manage cookies in your browser, including blocking and deleting cookies, though browsers for mobile devices might not offer this visibility.

Breach Notification and Incident Management Policy

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

PEN’s intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how PEN’s established culture of openness, trust and integrity should respond to such activity. PEN is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

This policy mandates that any individual who suspects that a theft, breach or exposure of PEN’s protected data or PEN’s sensitive data has occurred must immediately provide a description of what occurred via e-mail to info@plessas.net, or by calling (202)684-8101, or through the use of the Contact Us web page at https://plessas.net/contact. This e-mail address, phone number, and web page are monitored by PEN’s executive team. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the PEN team will follow the appropriate procedure in place.

This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Personally Identifiable Information (PII) for PEN investigations or its members. Any agreements with vendors will contain similar language that protects this data.

Upon confirmed theft, breach or exposure of PEN’s data, the CEO will be notified of the theft, breach or exposure. The CEO and her designated team members will analyze the breach or exposure to determine the root cause. As soon as a theft, data breach or exposure containing PEN protected data or PEN sensitive data is identified, the process of removing all access to that resource will begin. The CEO will chair an incident response team to handle the breach or exposure. The team will include members based on the data type involved with additional individuals as deemed necessary by the CEO.

If necessary, PEN will provide access to forensic investigators and experts who will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

Early notification is critical. In the event of a data breach, relevant internal employees will be notified immediately on discovery of a data breach. Notification will be made to every affected member or client within twenty-four hours of discovery by or notification to PEN’s executive team about the breach. Every customer involved or affected by the breach will be contacted, informed about the breach, and informed about what information was breached.

Roles & Responsibilities:

• Sponsors - Sponsors are those members of the PEN community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any PEN executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.

• Executive team - The CEO and COO provide administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.

• Users – Users are PEN members who have authorized access to information resources; such access is limited to the minimum necessary executive team members, employees, contractors, or consultants.

• The Incident Response Team shall be chaired by Executive Management and shall include relevant employees, contractors, or consultants.

Any PEN personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated.

Information Security Framework

PEN is not a cyber security provider. Instead, we are a cyber investigations company. As such, PEN will not be responsible for the information security of data stored at customer locations; however, PEN will be responsible for any customer data used by and stored at our facilities for the period of time in which it resides on our systems.

PEN’s policy is to adopt and update its cybersecurity framework based on the NIST CSF, which is considered a best practice because it integrates industry standards with our need to manage any cybersecurity risks to our assets or personnel.

Identify: Centered around risk assessment, inventory of IT assets, and creating a comprehensive risk management strategy, this function’s controls include but are not limited to granting the lowest level of access needed to IT assets, ongoing inventorying of critical information, PII, sensitive data, and other business data, and enforcement of CSF policies.

Protect: PEN fulfills the protect function through its limited access controls, storage of data on encrypted external drives not connected to the Internet, encryption of data on hard drives that are connected to the Internet and through an active detection process. These controls include practical functions like ensuring all employees receive security awareness training, enforcement of access controls, engagement of top-of-the-line and up to date anti-malware and anti-virus on all devices, and active IT asset management.

Detect: Secure, continuous monitoring of PEN’s information systems helps detect a cybersecurity event before it spreads. PEN’s data breach response policy describes a 24-hour notification for anyone impacted after discovery of a cyberattack. Detection includes but is not limited to simulated phishing exercises and network monitoring.

Respond: PEN’s cybersecurity event response is described in its data breach response policy including who to call, what to do, and how to efficiently inform anyone impacted by the incident. PEN has the capacity to rapidly respond to a cybersecurity incident.

Recover: PEN’s recovery planning ensures a review of any security incident for lessons learned, restores functionality to IT assets, and applies best processes to ensure that its data systems are clean.

Customer Data Inventory and Retention/Disposal Policy

No method of transferring data over the internet is ever 100% secure. However, we follow industry standard security protocols and employ a variety of appropriate technical and organizational security measures designed to ensure the security of our customer data.

We retain personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include the length of time we are providing our Services to a customer (or as the customer instructs), whether there is a legal obligation to which we are subject, and whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

A data inventory is maintained for each customer, and protected data will be logged and inventoried with information on the data type, storage locations, access and transmission logs, customer contact details, and the history of how the data was used.

All data will be inventoried and classified for legal and customer data retention and destruction requirements, such as those indicated in “Best Practices for Data Retention” by kirkpatrickprice.com.

Definitions

Cybersecurity - the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

Cybersecurity Framework (CSF) - a list of implementable technical and process controls based on the informational and organizational framework that represent a cybersecurity program. Examples of these controls include the access controls, encryption of sensitive data, inventorying information resources and IT assets, and maintaining a policy to patch systems regularly.

Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.

Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).

Information Resource - The data and information assets of an organization, department or unit.

NIST - National Institute of Standards and Technology.

Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered

Plain text – Unencrypted data.

Protected data - See PII and PHI.

Protected Health Information (PHI) - Under US law, any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity) and can be linked to a specific individual.

Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.

Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.

We reserve the right to update or amend these Policies. These policies were last revised on Feb 12, 2021.