Data Breach Response Policy

Effective Date: January 15, 2026

1. Introduction and Purpose

This Data Breach Response Policy (Policy) establishes the procedures and protocols that ION Video Limited (ACN 149 796 332) (ION, we, us, or our) follows when responding to confirmed or suspected data breaches involving personal data, customer data, or sensitive information.

This Policy ensures:

  • Rapid detection and response to breaches
  • Lawful notification of affected parties
  • Compliance with legal requirements
  • Minimisation of harm to Data Subjects
  • Preservation of evidence for investigation
  • Communication transparency

Regulatory Framework:

  • General Data Protection Regulation (GDPR) Article 33
  • UK Data Protection Act 2018, Section 67
  • Australian Privacy Act 1988 (Cth)
  • Relevant state and international data breach laws

2. Definitions

“Data Breach” means a confirmed or reasonably suspected incident of unauthorised, accidental, or unlawful access, disclosure, alteration, loss, or destruction of personal data or sensitive information.

“Personal Data” means information relating to an identified or identifiable natural person, including customer names, email addresses, contact information, usage data, and any other identifying information.

“Sensitive Data” means personal data requiring heightened protection (health information, financial data, government IDs, biometric data, etc.).

“Data Subject” means the person to whom personal data relates.

“Incident” means the actual or suspected occurrence of a data breach.

“Affected Party” means any person or entity whose personal data may have been compromised.

“Supervisory Authority” means a data protection regulatory body (e.g., OAIC in Australia, ICO in the UK, DPA in the EU).

“72-Hour Rule” refers to the GDPR requirement to notify supervisory authorities within 72 hours of discovering a breach.

3. Incident Response Team

3.1 Response Team Composition

ION maintains a Data Breach Response Team consisting of:

Core Team:

  • Chief Information Security Officer (CISO) or delegated Security Lead – Overall response coordination
  • Incident Response Manager – Day-to-day incident coordination
  • Security Engineer – Technical investigation and containment
  • Legal Counsel – Legal compliance and notification requirements
  • Privacy Officer – Privacy impact assessment and compliance
  • Communications Manager – Internal and external communications

Support Functions:

  • Cloud Infrastructure Team – AWS access and system investigation
  • Database Administrators – Data recovery and forensic analysis
  • Customer Support Lead – Customer communication and support
  • Executive Leadership – Strategic decision-making and oversight

3.2 Team Responsibilities

CISO/Security Lead:

  • Declare incident response activation
  • Oversee overall response
  • Coordinate with legal and leadership
  • Approve external notifications
  • Conduct post-incident review

Incident Response Manager:

  • Activate response procedures
  • Maintain incident timeline
  • Coordinate team activities
  • Manage communications
  • Document decisions and actions

Security Engineers:

  • Investigate technical details
  • Identify attack vectors
  • Contain the breach
  • Gather evidence
  • Determine scope of exposure

Legal Counsel:

  • Assess legal obligations
  • Determine notification requirements
  • Manage regulatory communication
  • Assess liability and insurance
  • Guide privileged communications

Privacy Officer:

  • Assess privacy impact
  • Determine affected Data Subjects
  • Prepare privacy impact assessment
  • Oversee GDPR compliance
  • Manage regulatory coordination

3.3 Contact Information

Security Incident Hotline: security-incident@ion.video (monitored 24/7)

Escalation to CISO: ciso@ion.video

Legal Counsel: legal@ion.video

Emergency Contact: +61 3 8672 7186 (after-hours emergency dispatch)

4. Incident Detection and Reporting

4.1 Detection Methods

ION detects data breaches through:

Automated Systems:

  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Security information and event management (SIEM)
  • Log analysis and anomaly detection
  • System monitoring and alerting
  • Endpoint detection and response (EDR)

Manual Detection:

  • Security team reviews and analysis
  • Customer reports of suspicious activity
  • Regulatory or third-party notifications
  • Forensic investigations
  • Threat intelligence

Third-Party Detection:

  • Notifications from cloud providers (AWS)
  • Notifications from security partners
  • Dark web monitoring for data sales
  • Public breach databases

4.2 Internal Reporting

Any ION employee, contractor, or partner who discovers or suspects a data breach shall immediately report it:

Internal Reporting Channels:

  1. Direct: Email security-incident@ion.video with:
     • Description of the incident
     • Date and time discovered
     • Systems or data potentially affected
     • Number of potential Data Subjects
     • Contact information of reporter
  2. Escalation: If no response within 1 hour, contact the CISO at ciso@ion.video
  3. Confidentiality: Reports are handled confidentially and protected by attorney-client privilege (when involving legal counsel)

4.3 False Alarm Procedures

If an incident is reported but later determined to be a false alarm:

  • Documentation is maintained for audit purposes
  • Team debriefs on lessons learned
  • Security controls are reviewed for improvements
  • No external notification is issued (unless legally required)

5. Incident Assessment and Classification

5.1 Severity Assessment

Upon receiving a breach report, ION immediately assesses severity:

Severity Levels:

CRITICAL (Level 1):

  • Widespread exposure (1,000+ Data Subjects)
  • Sensitive data exposed (financial, health, government ID)
  • Active exploitation or ongoing unauthorised access
  • Evidence of data exfiltration or sale
  • System completely compromised
  • Response time: Immediate (declare incident within 30 minutes)

HIGH (Level 2):

  • Significant exposure (100-1,000 Data Subjects)
  • Personally identifiable information exposed
  • Possible unauthorised access confirmed
  • System unavailable or severely degraded
  • Temporary data loss confirmed
  • Response time: <2 hours (declare incident within 1 hour)

MEDIUM (Level 3):

  • Limited exposure (10-100 Data Subjects)
  • Limited personal data at risk
  • Suspected unauthorised access
  • Temporary system disruption
  • Response time: <24 hours

LOW (Level 4):

  • Minimal exposure (<10 Data Subjects)
  • Non-sensitive data only
  • Possible but unconfirmed unauthorised access
  • Response time: <48 hours

5.2 Impact Assessment

The assessment determines:

  • Scope: What data was exposed? How many Data Subjects?
  • Type of data: Personal, sensitive, financial, health, government ID?
  • Type of breach: Unauthorised access, theft, loss, modification?
  • Evidence: Is unauthorised access confirmed or suspected?
  • Likelihood of harm: What is the risk to affected Data Subjects?
  • Control failure: What security control failed?

6. Incident Containment

6.1 Immediate Containment Actions

Upon incident confirmation, ION immediately takes steps to contain the breach:

Technical Containment:

  1. Isolate affected systems from network or internet access
  2. Disable compromised accounts (reset passwords, revoke credentials)
  3. Block malicious IP addresses or user agents
  4. Patch vulnerabilities used in the attack
  5. Close unauthorised access points (exposed APIs, databases, backdoors)
  6. Reset encryption keys if potentially compromised
  7. Monitor for further unauthorised access using enhanced monitoring

Operational Containment:

  1. Preserve evidence – Do not immediately overwrite logs or backups
  2. Secure backup systems – Ensure backups are isolated and intact
  3. Maintain audit trails – Document all containment actions
  4. Restrict access – Limit access to affected systems to investigation team
  5. Communicate internally – Brief affected teams on containment status

6.2 Investigation Procedures

ION conducts a thorough investigation to determine:

Investigation Timeline:

  • When did the breach begin?
  • When was it discovered?
  • How long was data exposed?
  • When was access stopped?

Attack Vector:

  • How did the attacker gain access? (phishing, malware, vulnerability, insider threat, etc.)
  • What credentials or systems were compromised?
  • Were multiple systems exploited?

Scope of Exposure:

  • What systems were accessed?
  • What data was accessed, modified, or exfiltrated?
  • How many Data Subjects are affected?
  • What specific data categories were exposed?

Attacker Identity:

  • Is the attacker identified?
  • Is the attack continuing?
  • Are there indicators of known threat actors?

6.3 Forensic Investigation

For significant breaches, ION engages forensic experts to:

  • Preserve evidence in forensic format
  • Conduct forensic imaging of affected systems
  • Analyse system logs, network traffic, and file systems
  • Determine timeline of unauthorised access
  • Identify attacker actions and modifications
  • Document findings for regulatory and legal purposes

7. Notification Requirements and Timeline

7.1 GDPR 72-Hour Rule

For breaches involving personal data of EU/UK residents:

Supervisory Authority Notification:

  • Deadline: Within 72 hours of discovering the breach
  • Recipient: Relevant data protection authority (ICO, DPA, etc.)
  • Required information:
    • Description of the breach
    • Categories and approximate number of Data Subjects
    • Categories and approximate number of personal data records
    • Name and contact of DPO/privacy officer
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach

Data Subject Notification:

  • Deadline: Without undue delay (as soon as practicable)
  • Recipient: All affected Data Subjects
  • Required information: (see Section 7.3 below)

7.2 Australian Privacy Act Requirements

For breaches involving Australian residents:

Assessment Requirement:

  • ION assesses whether the breach is likely to result in “serious harm”
  • Factors: Sensitivity of data, vulnerability of Data Subjects, likelihood of unauthorised use

Notification Requirement:

  • If serious harm is likely, notify affected individuals without undue delay
  • Notify Office of the Australian Information Commissioner (OAIC) if 1,000+ Australians affected
  • Notification should include practical information about remedial action

7.3 Data Subject Notification Content

Notification to affected Data Subjects must include:

Required Elements:

  1. Description of the breach: What happened in plain language
  2. Data affected: What personal data was compromised
  3. Categories of Data Subjects: Who is affected
  4. Likely consequences: Potential harm or risks
  5. Measures taken: What ION has done to address the breach
  6. Recommended actions: What Data Subjects should do
  7. Contact information: How to get more information
  8. Privacy resources: Information about monitoring for fraud

Tone: Clear, honest, direct, and avoiding technical jargon

Example:

“On [date], we discovered unauthorised access to our systems that may have exposed your email address and account information. We have immediately contained the breach, reset passwords, and are implementing enhanced security measures. While we have no evidence that your information was misused, we recommend you monitor accounts and enable multi-factor authentication. For more information, visit https://ion.video/breach or contact privacy@ion.video.”

7.4 Timing of Notifications

Discovery to Internal Notification: <30 minutes
Internal Notification to CISO Decision: <2 hours (Level 1), <24 hours (Level 2)
Decision to Supervisory Authority Notification: Within 72 hours (EU/UK), without undue delay (Australia)
Supervisory Authority Notification to Data Subject Notification: As soon as practicable (typically within 5-10 days)

Note: The 72-hour clock starts at “discovery” – defined as when ION first becomes aware of the breach, whether confirmed or suspected.

7.5 Notification Methods

Supervisory Authority:

  • Email to designated regulatory contact
  • Follow regulatory submission procedures
  • Include all required information
  • Maintain documentation of notification

Data Subjects:

  • Primary: Email notification to email address on file
  • Secondary: SMS or phone if email contact fails
  • Substitute: Public notice if individual contact information unavailable
  • Verification: Confirmation of delivery where possible

8. Regulatory and Law Enforcement Cooperation

8.1 Supervisory Authority Communication

ION cooperates fully with data protection authorities:

  • Timely and complete responses to inquiries
  • Cooperation with investigations
  • Provision of evidence and documentation
  • Implementation of recommendations
  • Transparency about response measures

8.2 Law Enforcement Notification

For serious breaches, ION may report to law enforcement:

Australian Law Enforcement:

  • Australian Federal Police (AFP)
  • State and territory police
  • Australian Cyber Security Centre (ACSC)

International:

  • Interpol or equivalent international bodies
  • EU law enforcement (if EU citizens affected)
  • US law enforcement (if US citizens affected)

Notification Includes:

  • Technical details of the attack
  • Evidence and forensic findings
  • Timeline of incident
  • Attacker identity or indicators (if known)
  • Cooperation with investigation

8.3 Coordination with Cloud Provider (AWS)

ION coordinates with AWS in case of infrastructure breach:

  • Immediate notification to AWS security team
  • AWS assistance with forensic investigation
  • AWS monitoring and additional security measures
  • Coordination on system remediation

9. Customer Notification and Support

9.1 Customer Notification Process

Affected customers receive notification including:

  • Description of what happened
  • What data may have been exposed
  • What measures ION has taken
  • What customers should do
  • Contact information for questions

9.2 Customer Support

ION provides dedicated support:

  • Dedicated support line: For affected customers
  • FAQs: Addressing common customer concerns
  • Credit monitoring: Offered for credit-related breaches
  • Legal assistance: Coordination for legal questions
  • Identity theft protection: Services to monitor for fraud

9.3 Public Communications

ION’s public statement addresses:

  • Incident description (at appropriate level of detail)
  • Impact on customers and Data Subjects
  • Investigation status
  • Security measures taken
  • Commitment to transparency

10. Post-Incident Actions

10.1 Evidence Preservation

ION preserves all evidence of the breach:

  • System logs and audit trails
  • Forensic images of affected systems
  • Network traffic captures
  • Email communications
  • Investigation notes

Retention: Evidence is retained for the period required by law and legal obligations (typically 3-7 years).

10.2 Root Cause Analysis

Within 30 days of breach confirmation, ION conducts root cause analysis:

Analysis determines:

  • What security control failed?
  • How was the control bypassed?
  • What vulnerability was exploited?
  • Could the breach have been prevented?
  • What systemic issues enabled the breach?

10.3 Remediation and Prevention

ION implements remediation measures:

Technical Measures:

  • Patch vulnerable systems
  • Update security controls
  • Enhance monitoring and detection
  • Improve encryption or access controls
  • Upgrade security tools and services

Process Measures:

  • Update incident response procedures
  • Enhance employee training
  • Improve audit and monitoring procedures
  • Adjust vendor management processes
  • Update business continuity/disaster recovery plans

Policy Measures:

  • Update security policies
  • Clarify security responsibilities
  • Strengthen access controls
  • Enhance data protection practices

10.4 Post-Incident Review

Within 60 days of breach resolution, ION conducts a post-incident review:

Review Participants:

  • Security team
  • Affected department leads
  • Executive leadership
  • External advisors (if appropriate)

Review Addresses:

  • Response effectiveness
  • Timeline accuracy
  • Communication quality
  • Technical investigation adequacy
  • Legal/regulatory compliance
  • Lessons learned
  • Improvements for future incidents

10.5 Documentation and Reporting

ION maintains comprehensive documentation:

  • Incident summary: One-page overview
  • Detailed timeline: Hour-by-hour account of discovery and response
  • Forensic report: Technical investigation findings
  • Legal analysis: Regulatory obligations and compliance
  • Notification records: Proof of regulatory and customer notification
  • Remediation plan: Detailed corrective actions and timeline
  • Lessons learned: Analysis and recommendations

11. Insurance and Financial Responsibility

11.1 Cyber Insurance

ION maintains cyber liability insurance covering:

  • Data breach liability
  • Notification costs
  • Credit monitoring costs
  • Regulatory fines (where insurable)
  • Crisis management and PR costs
  • Legal defence costs

11.2 Financial Responsibility

ION is responsible for:

  • Notification costs: Mailing, email, and SMS
  • Credit monitoring: Offered to affected Data Subjects
  • Regulatory fines: Up to applicable limits
  • Legal defence: Defence of claims
  • Remediation costs: System improvements, security measures

11.3 Customer Compensation

ION evaluates compensation claims for damages:

  • Affected customers may claim for out-of-pocket losses
  • Claims processed within 30 days
  • Payment from insurance or company funds

12. Transparency and Reporting

12.1 Regulatory Reporting

ION maintains transparency with regulators:

  • Timely breach notifications
  • Comprehensive responses to regulatory inquiries
  • Cooperation with regulatory investigations
  • Regular compliance reporting
  • Annual assessment of security program effectiveness

12.2 Transparency Report

ION publishes an annual transparency report including:

  • Number of incidents detected and investigated
  • Categories of breaches (by type, size, severity)
  • Data subjects affected
  • Notifications issued
  • Regulatory findings
  • Security improvements implemented

13. Special Circumstances

13.1 Multi-Party Breaches

If a breach affects multiple companies (customer data + ION data):

  • ION coordinates with affected customers
  • ION coordinates with other affected parties
  • Clear delineation of responsibilities
  • Unified customer messaging where appropriate

13.2 Third-Party Vendor Breaches

If a breach affects ION through a vendor/subprocessor:

  • Immediate assessment of impact on customers
  • Notification of affected customers
  • Investigation of vendor response
  • Evaluation of vendor contract compliance
  • Consideration of vendor replacement

13.3 Ransomware Attacks

For ransomware incidents:

  • ION does not pay ransoms (as policy)
  • Immediate law enforcement notification
  • Determination of whether backups are sufficient
  • Assessment of data exposure despite encryption
  • Communication with customers about recovery timeline

13.4 Insider Threats

For breaches involving employee or contractor misconduct:

  • Immediate suspension of access
  • Criminal referral to law enforcement
  • Cooperation with investigation
  • Employee termination procedures
  • Customer notification if applicable

14. Training and Awareness

14.1 Incident Response Training

ION conducts:

  • Annual tabletop exercises: Simulated breaches to test response
  • Quarterly drills: Technical team response procedures
  • New employee training: All employees receive breach response training
  • Specialised training: Incident response team receives detailed training
  • Post-incident training: Learning from real incidents

14.2 Employee Awareness

All ION employees receive training on:

  • How to recognise potential breaches
  • Internal reporting procedures
  • Confidentiality of breach information
  • Their role in incident response
  • Data protection best practices

15. Policy Review and Updates

15.1 Annual Review

This Policy is reviewed annually to assess:

  • Effectiveness of procedures
  • Changes in regulatory requirements
  • Lessons from incidents (internal or industry)
  • Technology and capability updates
  • Stakeholder feedback

15.2 Updates

ION updates this Policy to reflect:

  • Regulatory changes
  • Changes in incident response capabilities
  • Industry best practices
  • Lessons learned
  • Operational improvements

16. Contact Information

Data Breach Response Team:

Email: security-incident@ion.video (monitored 24/7)

CISO: ciso@ion.email (escalation)

Mail: ION Level 2, 161 Collins Street
Melbourne, Victoria 3000
Australia

Phone: +61 3 8672 7186 (emergency dispatch after-hours)

Report suspected breach: https://ion.video/report-incident

17. Acknowledgment

By using ION’s Service, you acknowledge:

  • This Policy describes ION’s data breach response procedures
  • ION’s response will follow this Policy
  • Notification will be provided as required by law
  • Additional information is available upon request

Last Updated: January 15, 2026