LoanBot LLC Data Breach Response Plan
Effective Date: November 10, 2025
Owner: Incident Response Team (IRT), LoanBot.com
Contact: info@loanbot.com
Classification: Restricted
1. Purpose
This Data Breach Response Plan (DBRP) defines the process to detect, contain, eradicate, recover from, and report security incidents involving unauthorized access, disclosure, alteration, or destruction of Confidential or Restricted data on https://www.loanbot.com/, in compliance with U.S. federal and state laws (HIPAA, GLBA, CCPA/CPRA, NY SHIELD, etc.).
2. Scope
Applies exclusively to:
- Incidents impacting PII, NPI, PHI, SSN, financial account numbers, or authentication credentials.
- All personnel, contractors, and third-party vendors with access to such data.
3. Definitions
| Term | Definition |
|---|---|
| Data Breach | Unauthorized acquisition of unencrypted PII likely to cause substantial harm (per state laws). |
| Incident | Any event that compromises the confidentiality, integrity, or availability (CIA triad) of LoanBot systems or data. |
| IRT | Incident Response Team. |
| RPO | Recovery Point Objective: ≤ 4 hours of data loss. |
| RTO | Recovery Time Objective: ≤ 12 hours for critical systems. |
4. Incident Response Team (IRT)
| Role | Responsibility |
|---|---|
| IRT Lead (CISO) | Overall coordination, exec escalation |
| Technical Lead | Containment, forensics |
| Legal Counsel (U.S.) | State AG liaison, HIPAA/GLBA compliance |
| Comms/PR | U.S. customer & media messaging |
| Customer Support (U.S.) | Impacted user liaison |
5. Incident Severity Levels
| Level | Criteria | Notification Timeline |
|---|---|---|
| SEV-1 (Critical) | >1,000 records, SSN/financial data, ransomware | Immediate (exec + board) |
| SEV-2 (High) | 100–1,000 records, credential exposure | Within 1 hour |
| SEV-3 (Medium) | <100 records, no SSN | Within 4 hours |
| SEV-4 (Low) | Internal compromise, no PII | Within 4 hours |
6. Response Phases (NIST 800-61)
Phase 1: Preparation (Ongoing)
- Tools: Splunk (U.S. region), CrowdStrike Falcon, forensic VM (us-east-1).
- Playbooks: Credential dump, SSN exposure, ransomware.
- Backups: Daily, encrypted, immutable (S3 Object Lock – us-west-2), tested quarterly.
- Comms Templates: English only, with state-specific variants.
Phase 2: Identification (≤ 15 minutes to triage)
| Action | Owner | Tool |
|---|---|---|
| Alert ingestion | SOC/SIEM | Splunk SOAR |
| Initial triage | Technical Lead | CrowdStrike console |
| Scope assessment | IRT | AWS GuardDuty, CloudTrail, DB audit logs |
| Decision: Breach? Yes → Activate DBRP | IRT Lead | — |
Indicators:
- Mass SSN downloads
- ACH/wire data exfil
- Ransom note in S3 (us-east-1)
Phase 3: Containment (≤ 1 hour for SEV-1)
| Short-Term | Long-Term |
|---|---|
| Isolate VPC (disable egress) | Rebuild via Terraform |
| Revoke tokens (Okta SCIM) | Rotate all Vault secrets |
| Block IPs (WAF + AWS Network Firewall) | Enforce MFA globally |
| Snapshot evidence | — |
Phase 4: Eradication (≤ 24 hours)
- Remove malware.
- Patch root cause.
- Mandatory password + MFA reset for affected users.
- Re-validate all service principals.
Phase 5: Recovery (≤ 12 hours RTO)
- Restore from last clean backup (us-west-2).
- Canary rollout: 10% → 100% traffic.
- 72-hour heightened monitoring.
Phase 6: Post-Incident (≤ 72 hours)
| Deliverable | Owner | Deadline |
|---|---|---|
| Root Cause Analysis (RCA) | Technical Lead | +48h |
| Impact Report (records, states, data types) | Legal | +60h |
| Lessons Learned | IRT Lead | +72h |
| Executive Briefing | CISO | +72h |
7. Legal & Regulatory Notifications
| Law | Trigger | Deadline | Channel |
|---|---|---|---|
| CCPA/CPRA | >500 CA residents | As soon as practicable | Email + website |
| NY SHIELD Act | NY resident PII | As soon as practicable | Certified mail to NY AG |
| Massachusetts 201 CMR 17 | MA resident PII | As soon as practicable | MA AG + OCR |
| HIPAA (if PHI) | Unsecured PHI | 60 days to HHS OCR | OCR portal |
| GLBA (financial data) | Customer financial info | Prompt to CFPB | CFPB portal |
| All 50 States | Per state breach laws | Varies (30–60 days) | See Appendix B |
8. Customer Communication
- English only, clear, actionable.
- What happened | What data | What we’re doing | What you should do.
- Free identity monitoring (Experian IdentityWorks) if SSN/financial data exposed.
9. Evidence Preservation
- Chain of Custody (DocuSign).
- Forensic images: S3 (us-east-1, Glacier Instant Retrieval, 180-day legal hold).
- Litigation Hold: Auto-triggered on SEV-1.
10. Third-Party Coordination
| Partner | Role | SLA |
|---|---|---|
| AWS Enterprise Support | Logs | 1-hour |
11. Testing & Maintenance
- Tabletop Exercise: Quarterly (next: February 12, 2026).
- Full Simulation: Annually.
- Plan Review: After every incident or annually.
12. Appendices
Appendix A: U.S. Breach Notice Template (English)
Subject: Security Incident Notification – Action Required
Dear [Name],
On [date], we detected unauthorized access to our systems that may have exposed your [data types, e.g., SSN, mortgage docs].
**Immediate Actions:**
1. Change your password on LoanBot.com and on any other site where you reused that password.
2. Enable two-factor authentication (2FA).
Support: info@loanbot.com
Sincerely,
Security Team
LoanBot.com
Appendix B: State Notification Matrix (Top 10 by User Volume)
| State | Threshold | Deadline | AG Portal |
|---|---|---|---|
| CA | >500 | Prompt | oag.ca.gov |
| NY | 1 | Prompt | ag.ny.gov |
| TX | 1 | Prompt | texasattorneygeneral.gov |
| FL | 1 | 30 days | myfloridalegal.com |
| IL | 1 | Prompt | ag.state.il.us |
(Full 50-state table maintained in Confluence – restricted access)