Management Policy in the Event of a Personal Data Breach and Related Practices

Effective date: 15 September 2021

  1. Objectives.

    This Management Policy in the Event of a Personal Data Breach and Related Practices of Inspiration Technology Co., Ltd. (the "Guidelines") has been prepared to set out the steps that Inspiration Technology Co., Ltd. (the "Company") will take in the event of a data leak incident (as defined below), whether actual, possible, or suspected, that may lead to a personal data breach.

  2. Scope.

    These Guidelines apply to employees, contractors, agents, and other personnel of the Company. The Company also requires its business partners and external service providers, including the employees, contractors, agents and other personnel of such business partners and external service providers, who collect, access, store or handle personal data on behalf of the Company (hereinafter collectively referred to as "employees/contractors") to contractually undertake to comply with these Guidelines. Nothing in these Guidelines confers any rights on employees/contractors or imposes any duties on the Company beyond those under applicable law. These Guidelines are an internal document of the Company and do not create any rights or privileges for any third party.

    Anyone who violates these Guidelines may be subject to disciplinary action, up to and including termination of employment, or termination of the contract with the business partner or service provider concerned.

    The Company may amend these Guidelines from time to time and will notify its employees/contractors as appropriate.

  3. Data Leak Incident Reporting Requirements.

    1. Data Leak Incident

      A data leak incident is any actual, possible, or suspected incident, action, disruption, or other event that causes the destruction, loss, or alteration of information that the Company owns, controls, or maintains, either directly or indirectly (e.g., information under the supervision of a business partner or other external service provider that provides services to the Company), whether by accident or by willful or unlawful act, or that causes the unauthorized acquisition of, disclosure of, or access to such information, whether in paper documents or in electronic form and whether personal or confidential. Such information may reside in paper documents, e-mails, spreadsheets, personnel records, payroll records, servers, portable devices (such as laptop computers, smartphones or storage devices), IT databases, etc.

      Some examples of reportable events include:

      1. Theft or loss of a computer, laptop computer, smartphone, thumb drive, storage device, or other recording device belonging to the Company, or belonging to employees/contractors who use such devices to record information related to the Company.
      2. Intrusion into, or theft from, the Company's premises.
      3. An attack that puts the Company's systems at risk, such as the Company's databases, computers, networks, and communications.
      4. Employees/contractors inspecting, accessing, or disclosing information, data files or databases outside the scope of their assigned duties.
      5. Breach of a non-disclosure agreement or confidentiality agreement by a third party.
      6. Any of the foregoing events occurring at the Company's business partners or external service providers.
    2. Assistance. Employees/contractors are required to assist the Company and the Situation Management Department in investigating data leak incidents to the fullest extent possible.
    3. Situation Management Department.

      (1) Contact information: Personal Data Protection Officer, Situation Management Department

      email: [email protected]

      Phone: 0 2194 1511

  4. Data leak incident management procedures.

    1. Phase 1: Internal reporting and confirmation of data leak incidents. The objective of Phase 1 is to identify and confirm in a timely manner whether a data leak incident has occurred, and to report it to the Situation Management Department.
      1. Initial review

        The Situation Management Department assigns a member or delegate to conduct an initial review of each incident report (the "Initial Incident Manager").

        1. The Initial Incident Manager must first respond to the employee/contractor reporting the incident and request as much information about the leak as is available at the time.
        2. If the data leak incident relates to information technology (IT) or to other matters concerning the security of the Company's computer systems, the Initial Incident Manager must coordinate with members of the Information Technology Group.
        3. The Initial Incident Manager shall determine as soon as possible, and within the first 24 hours, whether the available information provides a reasonable or credible basis to believe that the event actually occurred.
        4. If there is no reasonable or credible basis, the Initial Incident Manager must prepare an internal report containing the following information:
          • The identity of the employee/contractor reporting the incident.
          • A description of the circumstances surrounding the reported data leak incident.
          • A description of the reasons why the Initial Incident Manager considers that there is no reasonable or credible basis to believe that the event occurred.

          The Initial Incident Manager must provide this written report to the other members of the Situation Management Department.

      2. Data leak confirmation.

        If the Initial Incident Manager considers that there is a reasonable or credible basis to believe that a data leak incident has actually occurred, the Initial Incident Manager must promptly notify the other members of the Situation Management Department so that Phase 2 can be carried out.

    2. Phase 2: Data Leak Incident Management.

      The objective of Phase 2 is to manage data leak incidents at both the internal and external levels. In this phase, data leak incidents must be assessed without delay so that the Company can make the necessary notifications in a timely manner if the Situation Management Department determines that the incident must be reported to any government agency or other person as required by law.

      Meanwhile, other necessary measures must be taken simultaneously to contain the incident and to minimize risks and damage as far as possible.

      1. Threat containment.

        If a data leak incident involves a persistent or ongoing threat (such as a hacker or malware in the Company's information systems), the Situation Management Department shall ensure that personnel in the Information Technology Group determine appropriate measures to maintain security and isolate the threat so that no further damage is caused to the Company's technical environment.

      2. Keeping records of documents related to incident management.

        The Situation Management Department must keep records of all relevant documents throughout the process, from incident discovery to notification and remediation.

      3. Evidence collection.

        In conducting the investigation, the Situation Management Department shall put in place appropriate measures to preserve relevant information and evidence, including:

        • Suspending the deletion or destruction of data (including the automatic overwriting of log files and the rotation or recycling of backup tapes).
        • Instructing employees/contractors, agents, or representatives with access to the systems to take care not to delete, modify or damage relevant data and evidence.
        • Retaining any suspect code or malware, and
        • Complying with relevant laws and the Company's policies (where applicable).
      4. Forensic investigators.

        The Situation Management Department will consider on a case-by-case basis whether an investigator or forensic investigator is required to take custody of affected equipment, perform computer forensic examination, or provide other services. Forensic investigations are directed by the Legal Department or by external legal counsel, so that legal advice can be provided to the Company where litigation, a legal inquiry, or an internal audit is expected.

      5. Confidentiality.

        The Situation Management Department will coordinate with other parties to ensure that data leak incidents are kept confidential until a decision is made about notification or disclosure. In addition, the number of employees/contractors who are aware of a data leak incident must be kept as small as possible.

      6. Examining the extent of the data leak incident.

        The Situation Management Department will review and collect information about the extent of the data leak incident, including the following (where applicable):

        • The time and nature of the data leak incident, and the time at which it was discovered.
        • The types of information (e.g., categories of personal data) that may be affected.
        • The risk of damage or misuse, and
        • The persons who know about the leak, whether inside or outside the Company.

        A checklist of questions that the Situation Management Department may use in its investigation is as follows:

        • What is the nature of the known data leak (hacking, device loss, theft by an insider, or the like), and how did the Situation Management Department learn of the incident?
        • What is the nature of the affected data? Does the affected data include information that could trigger breach notification or other statutory or contractual obligations?
        • What types of persons may be affected (e.g., customers, employees, etc.)?
        • Where are the persons who may be affected located (for example, in Thailand only, or in other countries as well)?
        • Can the type and approximate number of affected personal records be estimated?
        • What is the extent of the known data leak incident? If the incident may involve unauthorized intrusion into information systems, which hosts may have been accessed, what information resides on them, and what methods did the intruders use to gain access?
        • Has the incident been reported in the media?
        • What measures are in progress to maintain system security without destroying vital electronic evidence (e.g., disconnecting servers containing personal data from the Internet, and whether forensic images of potentially affected devices have been taken)?
        • Who is responsible for the technical and security aspects of the data leak incident? Has the Company engaged a reputable IT/forensic firm for this purpose?
        • Has law enforcement been contacted? If so, which agency was contacted and who was the contact person?
      7. Reporting to law enforcement agencies.

        As part of the investigation, the Situation Management Department must determine whether a report to law enforcement agencies is necessary or appropriate in the event of unauthorized access to the Company's information or information systems.

      8. Consideration of applicable legal requirements.

        The Legal Department and/or external legal counsel will analyze and advise the Situation Management Department on the personal data breach notification law that applies in the event of a data leak incident (the "Personal Data Infringement Notification Act"), on whether the incident constitutes a reportable breach of information security, and, if so, whether notification must be made to a government agency or data protection regulator, etc., or directly to the affected data subjects.

        The Situation Management Department must provide accurate information as requested by the Legal Department and/or external legal counsel so that they can make the necessary legal assessments.

      9. Consideration of other requirements.

        In addition, the Legal Department and/or external legal counsel will advise the Situation Management Department on requirements other than the Personal Data Infringement Notification Act that may require a data leak incident to be reported, including:

        • Industry-specific regulations that may apply to data leak incidents.
        • Contractual obligations to business partners or others.
        • The Privacy Policy or other statements in documents regarding internal and external notifications.
        • Non-binding commitments or public Company policies.
      10. Reporting to government agencies or other persons.

        Where applicable law does not specify a particular form of notification, notice to affected persons who have provided an e-mail address to the Company must be sent by e-mail to all such persons, with a request for acknowledgement of receipt. Affected persons who have provided a postal address to the Company but no e-mail address must be notified by registered mail.

        The Situation Management Department must coordinate with the Legal Department and/or external legal counsel to determine the appropriate form of notice, based on applicable law and cost. This policy does not itself require notification through public channels (such as the Company's website or national media); however, such notification may be required by law for a personal data breach, or may be considered helpful for customer relations or other purposes in certain circumstances.

        If notification cannot be given as described above, the Situation Management Department should immediately consult the Legal Department and/or external legal counsel to consider another appropriate method of notification. The Situation Management Department may delay delivery of notifications if law enforcement advises that notifying affected persons might impede a criminal investigation.

      11. Answering questions.

        The Situation Management Department must plan how the Company's representatives will respond to inquiries from the media, government agencies, or others. Inquiries should be directed to the Legal Department or to the Communications and Corporate Image Department for analysis and preparation of responses.

    3. Phase 3: Post-Incident Measures.
      1. Documentation requirements.

        Regardless of whether the Personal Data Infringement Notification Act applies to a given data leak incident, the Situation Management Department must keep sufficient records of the incident, in particular the legal assessment in cases where it was determined that the Personal Data Infringement Notification Act does not apply.

      2. Corrective measures.

        The Situation Management Department must coordinate with the Legal Department and the Information Technology Group to determine the technical and organizational measures necessary to prevent similar data leak incidents in the future, including guidelines, awareness training, and processes for employees/contractors. The Situation Management Department should also assess its relationships with any third parties involved in the data leak incident and take appropriate measures, such as amending contracts, process remediation and/or training, improving security measures, or selecting new service providers. Third parties are also contractually obligated to notify the Company immediately of any actual or suspected data leak incident, and to advise the Legal Department and the Information Technology Group if any adjustments to the processes involved in handling data leak incidents are needed.
        The Situational Division must coordinate with the Legal Department. and information technology group to determine the technical and organizational measures necessary to prevent future similar data breach incidents, which includes guidelines Training to build understanding Process for Employees/Contractors Situational Affairs should assess relationships with third parties that may be involved in a data breach incident. ready to take appropriate measures such as amending the contract Process remediation and/or training, improvement of safety measures selection of new service providers, etc. At the same time, third parties are contractually obligated to notify the Company immediately in the event of a data breach. Whether actual or suspected to occur, such third party parties will provide advice to the legal department and information technology group If any adjustments to the process involved in handling the data breach event need to be modified.