Breach Investigation and Notification

2025.8

In the event of a breach, Matrak shall notify all affected customers and users directly. The CTO is responsible for coordinating the breach response and investigation process.

Policy Statements

Matrak policy requires that:

(a) Breach notification procedures are invoked upon confirmation of a security breach that results in the unauthorized disclosure of unprotected/unencrypted sensitive data.

(b) Customers and users impacted by a confirmed data breach must be notified within 60 days of discovery of such breach.

Controls and Procedures

Breach Investigation Process

  1. Discovery of Breach: A data breach shall be treated as "discovered" as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence, would have been known to Matrak (this includes breaches by the organization's Customers, Partners, or subcontractors). Matrak shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall immediately begin an investigation (see the organizational policies for security incident response and/or risk management incident response), conduct a risk assessment, and, based on the results of the risk assessment, begin the process of notifying each Customer affected by the breach. Matrak shall also begin the process of determining what external notifications are required or should be made (e.g., to relevant regulatory authorities or law enforcement officials, as appropriate).

  2. Breach Investigation: The CTO shall lead the breach investigation with support from the engineering team and product manager as appropriate. The CTO is responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with external counsel and other resources as needed. All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of seven years. A breach log is kept and maintained by the CTO.

  3. Risk Assessment: A risk assessment is performed in accordance with applicable laws and regulations.

  4. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected Matrak Customers, usually within 24-48 hours but no later than 10 calendar days after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.

  5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:

    • If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
    • If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily, for no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

  6. Content of the Notice: The notice shall be written in plain language and must contain the following information:

    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
    • A description of the types of customer data that were involved in the breach (such as names, email addresses, account information, or other personal information), if known;
    • Any steps the Customer should take to protect Customer data from potential harm resulting from the breach;
    • A brief description of what Matrak is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches; and
    • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or a postal address.

  7. Methods of Notification: Matrak Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.

  8. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Matrak shall maintain a process to record or log all breaches of unsecured sensitive data regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):

    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of customer data that were involved in the breach (such as names, email addresses, account information, etc.), if known.
    • A description of the action taken with regard to notification of individuals regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.

  9. Workforce Training: Matrak shall train all members of its workforce on the policies and procedures with respect to sensitive data as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.

  10. Complaints: Matrak must provide a process for individuals to make complaints concerning the organization's privacy policies and procedures or its compliance with such policies and procedures.

  11. Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.

  12. Retaliation/Waiver: Matrak may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising any privacy right.

Sample Letter to Customers in Case of Breach

[Date]

[Name]
[Name of Customer]
[Address 1]
[Address 2]
[City, State Zip Code]

Dear [Name of Customer]:

I am writing to you from Matrak Industries Pty Ltd with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date]; it occurred on or about [Insert Date]. The breach occurred as follows:

Describe the event and include the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of customer data that were involved in the breach (such as names, email addresses, account information, or other personal information), if known.
  • Any steps the Customer should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what Matrak is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or a postal address.

Other Optional Considerations:

  • Recommendations to assist the customer in remedying the breach.

We will assist you in remedying the situation.

Sincerely,

Brett Hodgkins
CTO
Matrak Industries Pty Ltd
brett@matrak.com.au