Data Breach Policy - Art to Remember Skip to main content

Enter Order Code

Help

Toll Free: (800) 895-8777

Hours: Mon-Fri – 8:00 AM – 5:00 PM, EST

Data Breach Policy

Data Breach Policy 

Last modified: August 2025 

The Company takes the security of your information seriously. In the event of a data breach involving personal data, we will promptly investigate and take appropriate steps to mitigate the impact. Affected individuals and institutions will be notified in accordance with applicable state and federal laws. Notification timeframe will not exceed 15 days after the event is detected. We maintain technical and organizational safeguards to help prevent unauthorized access, disclosure, or misuse of personal information. 

The Company implements a range of administrative, technical, and physical safeguards to protect personal information, including: 

  • Encryption of data in transit and at rest 
  • Secure access controls to restrict information to authorized personnel only 
  • Routine system monitoring for unauthorized activity 
  • Firewall and intrusion detection systems 
  • Regular employee training on data protection, privacy practices, and PCI compliance 
  • Data minimization practices to limit the collection of personal information 

In the event of a breach, we follow documented incident response protocols to contain, assess, and notify affected parties in accordance with legal requirements. 

Incident Response Checklist 

  1. Identify & Contain
    1.  Detect breach (automated alert, employee report, etc.) 
    2. Immediately isolate affected systems
    3. Preserve logs and evidence 
  2. Assess the Scope 
    1. Determine what data was exposed (type, volume, PII) 
    2. Identify affected individuals or school partners 
    3. Assess risks (identity theft, reputational, regulatory) 
  3. Notify Stakeholders 
    1. Alert internal leadership and legal counsel 
    2. Notify affected schools, parents, or users 
    3. Report to authorities if legally required (e.g., state AG, FTC) 
  4. Remediate 
    1. Patch vulnerabilities 
    2. Reset compromised credentials 
    3. Review third-party access 
  5. Communicate Transparently 
    1. Draft and send notifications with clear guidance to affected parties 
    2. Post incident FAQs if applicable 
  6. Document & Improve 
    1. Complete a breach report and root cause analysis 
    2. Update policies or training based on findings 
    3. Conduct a postmortem with the team