🔒 This document outlines TaxSnooze's procedures for detecting, responding to, and recovering from data security incidents. As a tax filing service handling SSNs and financial data, rapid response is critical.
1. Purpose and Scope
This Data Breach Response Plan establishes procedures for responding to security incidents that may compromise the confidentiality, integrity, or availability of personal information — including Social Security Numbers (SSNs), Employer Identification Numbers (EINs), and financial data — processed by TaxSnooze.
This plan covers all systems, databases, and services operated by TaxSnooze, including production servers, backup systems, third-party integrations, and employee access points.
2. Incident Response Team
| Role | Responsibilities |
| Incident Commander | Overall coordination, decision-making, executive communication |
| Security Lead | Technical investigation, containment, forensic analysis |
| Legal Counsel | Regulatory notification requirements, liability assessment |
| Communications Lead | User notification drafting, public statements |
| Engineering Lead | System remediation, patch deployment, monitoring |
| Privacy Officer | Data impact assessment, regulatory compliance |
3. Incident Classification
| Severity | Description | Response Time | Examples |
| Critical | Confirmed breach of SSN/EIN data or mass PII exposure | Immediate (within 1 hour) | Database exfiltration, SSN exposure, ransomware |
| High | Confirmed unauthorized access to user accounts or financial data | Within 4 hours | Account takeover, payment data exposure, credential stuffing |
| Medium | Suspected unauthorized access or system anomalies | Within 24 hours | Unusual login patterns, failed intrusion attempts, malware detection |
| Low | Minor security events with no confirmed data exposure | Within 72 hours | Phishing attempts, policy violations, misconfiguration |
4. Response Phases
Phase 1: Detection and Identification (⏱ 0–1 hours)
- Monitor automated alerts from intrusion detection systems, application logs, and audit trails
- Assess initial scope: What systems are affected? What data may be compromised?
- Classify incident severity per the table above
- Activate the Incident Response Team
- Begin incident documentation log with timestamps
Detection sources: Application audit logs, rate limit alerts, failed authentication spikes, database query anomalies, user reports, third-party vulnerability disclosures.
Phase 2: Containment (⏱ 1–4 hours)
- Short-term containment: Isolate affected systems, revoke compromised credentials, block suspicious IPs
- Rotate all encryption keys (SSN_ENCRYPTION_KEY, JWT_SECRET) if key compromise is suspected
- Disable affected user accounts pending investigation
- Preserve forensic evidence (system images, logs, memory dumps)
- Ensure backup systems are unaffected
- Long-term containment: Deploy patches, update firewall rules, enable enhanced monitoring
Phase 3: Eradication and Recovery (⏱ 4–48 hours)
- Remove threat actor access, malware, backdoors, or compromised components
- Patch vulnerabilities that enabled the breach
- Restore systems from verified clean backups
- Re-encrypt all sensitive data with new keys
- Force password resets for affected users
- Conduct thorough system verification before restoring service
- Implement additional monitoring for recurrence
Phase 4: Post-Incident Review (⏱ Within 2 weeks)
- Conduct a post-mortem analysis with the full response team
- Document root cause, timeline, impact, and response effectiveness
- Update security controls, monitoring, and this response plan
- Provide a final incident report to leadership
- Identify training needs and process improvements
5. Notification Requirements
5.1 User Notification
Affected users will be notified within 72 hours of breach confirmation. Notification will include:
- Description of the incident and date of discovery
- Types of personal information involved
- Steps TaxSnooze is taking to address the breach
- Steps users should take to protect themselves
- Contact information for questions
- Information about identity protection services (if SSNs are compromised)
5.2 Regulatory Notification
| Authority | Deadline | Trigger |
| State Attorneys General | Per state law (30–60 days typical) | PII breach affecting state residents |
| FTC | As soon as practicable | Breach affecting 500+ individuals |
| IRS | As soon as practicable | Breach involving tax return data or SSNs |
| HHS (if applicable) | 60 days | If health-related data is involved |
Note: Many states have specific breach notification laws. We comply with the strictest applicable requirements, including California (CCPA/CPRA), New York (SHIELD Act), and others.
5.3 If SSNs Are Compromised
If the breach involves Social Security Numbers, we will additionally:
- Offer 12-24 months of free credit monitoring and identity theft protection
- Provide instructions for placing fraud alerts and credit freezes
- Report to the IRS Identity Protection Specialized Unit
- Assist users in filing IRS Form 14039 (Identity Theft Affidavit)
- Notify the three major credit bureaus (Equifax, Experian, TransUnion)
6. Preventive Measures
TaxSnooze maintains the following security controls to prevent breaches:
- Encryption: AES-256-GCM for SSNs/EINs at rest; TLS 1.2+ in transit
- Authentication: Bcrypt (12 rounds) password hashing; JWT tokens; optional 2FA
- Access control: Role-based access (individual, preparer, admin); principle of least privilege
- Rate limiting: Brute-force protection on authentication endpoints
- Input validation: Server-side validation on all endpoints; SSN format and validity checks
- Security headers: Helmet.js (CSP, HSTS, X-Frame-Options, etc.)
- Audit logging: All authentication events, data access, and administrative actions logged
- Dependency scanning: Regular updates and vulnerability scanning of dependencies
- Minimal data retention: Full SSNs purged after IRS transmission; only last 4 retained
7. Incident Response Checklist
- Incident detected and logged with timestamp
- Severity classified (Critical / High / Medium / Low)
- Incident Response Team activated
- Affected systems identified and isolated
- Forensic evidence preserved
- Encryption keys rotated (if applicable)
- Compromised accounts disabled
- Root cause identified
- Vulnerability patched
- Systems restored from clean backups
- Affected users notified (within 72 hours)
- Regulatory authorities notified (per requirements)
- Credit monitoring offered (if SSNs compromised)
- Post-incident review completed
- Response plan updated with lessons learned
8. Plan Maintenance
This Data Breach Response Plan is reviewed and updated:
- At least annually
- After every security incident
- When significant changes are made to systems or data handling practices
- When new regulatory requirements take effect
9. Contact Information