eDealsUS & SHWExpress is committed to protecting the privacy and confidentiality of Personal Information about its employees, customers, business partners and other identifiable individuals.  eDealsUS & SHWExpress’ policies, guidelines and actions support this commitment to protecting Personal Information.  Each employee bears a personal responsibility for complying with this Policy in the fulfillment of their responsibilities at eDealsUS & SHWExpress.

eDealsUS & SHWExpress’ data breach management and response plan is:
  • Confirm the Breach
  • Contain the Breach
  • Assess Risks and Impact
  • Report the Incident
  • Evaluate the Response & Recovery to Prevent Future Breaches
CONFIRM THE BREACH
The Data Breach Team (DBT) should act as soon as it is aware of a data breach. Where possible, it should first confirm that the data breach has occurred. It may make sense for the DBT to proceed Contain the Breach on the basis of an unconfirmed reported data breach, depending on the likelihood of the severity of risk.

 

CONTAIN THE BREACH
The DBT should consider the following measures to Contain the Breach, where applicable:
Shut down the compromised system that led to the data breach.
Establish whether steps can be taken to recover lost data and limit any damage caused by the breach. (eg: remotely disabling / wiping a lost notebook containing personal data of individuals.)
Prevent further unauthorized access to the system.
Reset passwords if accounts and / or passwords have been compromised.
Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system.

 

ASSESS RISKS AND IMPACT
Knowing the risks and impact of data breaches will help eDealsUS & SHWExpress determine whether there could be serious consequences to affected individuals, as well as the steps necessary to notify the individuals affected.
Risk and Impact on Individuals
How many people were affected?
A higher number may not mean a higher risk, but assessing this helps overall risk assessment.
Whose personal data had been breached?
Does the personal data belong to employees, customers, or minors? Different people will face varying levels of risk as a result of a loss of personal data.
What types of personal data were involved?
This will help to ascertain if there are risk to reputation, identity theft, safety and/or financial loss of affected individuals.
Any additional measures in place to minimize the impact of a data breach? eg: a lost device protected by a strong password or encryption could reduce the impact of a data breach.
Risk and Impact on organizations
What caused the data breach?
Determining how the breach occurred (through theft, accident, unauthorized access, etc.) will help identify immediate steps to take to contain the breach and restore public confidence in a product or service.
When and how often did the breach occur?
Examining this will help eDealsUS & SHWExpress better understand the nature of the breach (e.g. malicious or accidental).
Who might gain access to the compromised personal data?
This will ascertain how the compromised data could be used. In particular, affected individuals must be notified if personal data is acquired by an unauthorized person.
Will compromised data affect transactions with any other third parties?
Determining this will help identify if other organizations need to be notified.

 

REPORT THE INCIDENT
eDealsUS & SHWExpress is legally required to notify affected individuals if their personal data has been breached. This will encourage individuals to take preventive measures to reduce the impact of the data breach, and also help eDealsUS & SHWExpress rebuild consumer trust.
Who to Notify:
Notify individuals whose personal data have been compromised.
Notify other third parties such as banks, credit card companies or the police, where relevant.
Notify Management especially if a data breach involves sensitive personal data.
The relevant authorities (eg: police) should be notified if criminal activity is suspected and evidence for investigation should be preserved (eg: hacking, theft or unauthorized system access by an employee.)
When to Notify:
Notify affected individuals immediately if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
Notify affected individuals when the data breach is resolved
How to Notify:
Use the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, e-mails, telephone calls).
Notifications should be simple to understand, specific, and provide clear instructions on what individuals can do to protect themselves.
What to Notify:
How and when the data breach occurred, and the types of personal data involved in the data breach.
What eDealsUS & SHWExpress has done or will be doing in response to the risks brought about by the data breach.
Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused.
Contact details and how affected individuals can reach the organization for further information or assistance (e.g. helpline numbers, e-mail addresses or website)

 

Amazon Data Protection Policy Compliance
Amazon Web Services has implemented a compliance policy for all third-party integrated applications to remove all PII (Personally Identifiable Information) obtained directly from Amazon after 30 days of shipment.

 

PII consist of the following:
  • Customer or Seller’s name
  • Address
  • E-mail address
  • Phone number
What does this mean for Amazon users in eDealsUS & SHWExpress?
Your Amazon order data will be visible in eDealsUS & SHWExpress for 30 days after the order is marked as shipped or has a shipping label created.  After the 30 day threshold, eDealsUS & SHWExpress will remove all PII data from orders not in “Awaiting Fulfillment” to comply with Amazon’s Web Services Data Protection Policy.
eDealsUS & SHWExpress will not use Personally Identifiable Information about Customers for any purposes other than merchant fulfilled shipping or to meet legal requirements, including tax and regulatory requirements.