Policies

Plessas Experts Network (PEN) has the following Policies with respect to customers and information gathered or hosted by PEN. The terms PEN, "we" and "us" refer only to Plessas Experts Network.

Privacy Policy

In the scope of our training and investigations, we may collect identifying and non-identifying information. This information may include contact information, shipping and billing information, credit card numbers and other payment information, purchase history, and case information. This information includes investigation data such as names, personally identifying information, websites, email addresses, social networking data, SSNs, property addresses and details, and user-related content on the open and dark internet.

In these cases, only approved employees will have access to client information for tasks to which they are assigned, and clients will only have access to the data associated with their own cases and projects.

We use the information only to complete the transaction for which the information is intended, including administering training and similar events, completing an order, replying to requests, completing investigations, or contacting you if you have granted us permission to do so. We do not share this information with outside parties without your permission except to the extent that is necessary to administer the services we offer or to comply in responding to subpoenas, court orders or other legal proceedings.

Clients and customers can access their information via e-mail to [email protected], or by calling (202)684-8101. We will take reasonable steps to verify your identity before granting access or making changes to your information. We will respond to your request consistent with applicable law.

PEN does not guarantee that data received through third parties is correct and may retain this information in an attempt to verify or eliminate the information in conjunction with an investigation. This data should not be relied upon as accurate until analyzed and verified.

Collection of Personal Information from Children under Thirteen: In cases where there is incidental collection of information on a child under the age of thirteen (13), the information is immediately deleted.

To the extent information that we collect, receive or use is information which relates to an identified or identifiable individual in the European Economic Area (EEA) or under the California Consumer Privacy Act (CCPA), we will treat such information as personal information as required by applicable law.

We use cookies on our website. Cookies are small files that a web server transfers to an individual's computer for functionality and recordkeeping purposes while visiting that site. We use cookies to improve your user experience and the overall quality of our services, and to facilitate your ongoing access to and use of our site, among other things. Cookies may also convey information to us about how frequently you access the Services and allow us to evaluate usage of the Services over time. You can view and manage cookies in your browser, including blocking and deleting cookies, though browsers for mobile devices might not offer this visibility.

Breach Notification and Incident Management Policy

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

PEN’s intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how PEN’s established culture of openness, trust and integrity should respond to such activity. PEN is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. 

This policy mandates that any individual who suspects that a theft, breach or exposure of PEN’s protected data or PEN’s sensitive data has occurred must immediately provide a description of what occurred via e-mail to [email protected], or by calling (202)684-8101, or through the use of the Contact Us web page at https://plessas.net/contact. This e-mail address, phone number, and web page are monitored by PEN’s executive team. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the PEN team will follow the appropriate procedure in place.

This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Personally Identifiable Information (PII) for PEN investigations or its members. Any agreements with vendors will contain similar language that protects this data.

Upon confirmed theft, breach or exposure of PEN’s data, the CEO will be notified of the theft, breach or exposure. The CEO and her designated team members will analyze the breach or exposure to determine the root cause. As soon as a theft, data breach or exposure containing PEN protected data or PEN sensitive data is identified, the process of removing all access to that resource will begin. The CEO will chair an incident response team to handle the breach or exposure. The team will include members based on the data type involved with additional individuals as deemed necessary by the CEO.

If necessary, PEN will provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.

Early notification is critical. In the event of a data breach, relevant internal employees will be notified immediately on discovery of a data breach. Notification will be made to every affected member or client within twenty-four hours of discovery by or notification to PEN’s executive team about the breach. Every customer involved or affected by the breach will be contacted, informed about the breach, and informed about what information was breached. 

Roles & Responsibilities:

• Sponsors - Sponsors are those members of the PEN community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any PEN executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.

• Executive team - The CEO and COO provide administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.

• Users - Users are PEN members who have authorized access to information resources; this access is limited to the minimum necessary executive team members, employees, contractors, or consultants.

• The Incident Response Team shall be chaired by Executive Management and shall include relevant employees, contractors, or consultants.

Any PEN personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have its network connection terminated.

Information Security Framework

PEN is not a cyber security provider. Instead, we are a cyber investigations company. As such, PEN will not be responsible for information security of data stored at customer locations; however, PEN will be responsible for any customer data used by and stored at our facilities for the period of time in which it resides on our systems.

PEN’s policy is to adopt and update its cybersecurity framework based on the NIST CSF because it is considered a best practice that integrates industry standards with our need to manage any cybersecurity risks to our assets or personnel.

Identify: Centered around risk assessment, inventory of IT assets, and creating a comprehensive risk management strategy, this function’s controls include but are not limited to basing access on lowest-level needed access to IT assets, ongoing inventorying of critical information, PII, sensitive data, and other business data, and enforcement of CSF policies.

Protect: PEN fulfills the protect function through its limited access controls, storage of data on encrypted external drives not connected to the Internet, encryption of data on hard drives that are connected to the Internet, and an active detection process. These controls include practical functions like ensuring all employees receive security awareness training, enforcement of access controls, engagement of top-of-the-line and up-to-date anti-malware and anti-virus on all devices, and active IT asset management.

Detect: Secure, continuous monitoring of PEN’s information systems helps detect a cybersecurity event before it spreads. PEN’s data breach response policy describes a 24-hour notification for anyone impacted after discovery of a cyberattack. Detection includes but is not limited to simulated phishing exercises and network monitoring.

Respond: PEN’s cybersecurity event response is described in its data breach response policy including who to call, what to do, and how to efficiently inform anyone impacted by the incident. PEN has the capacity to rapidly respond to a cybersecurity incident.

Recover: PEN’s recovery planning ensures a review of any security incident for lessons learned, the restoration of functionality to IT assets, and best processes to ensure that its data systems are clean.

We reserve the right to update or amend these Policies. These policies were last revised on Apr 20, 2026.