Incident Response Plan — Act Now Button LLC
Prepared by: Raymond Chooi (Privacy Officer)
Date: March 15, 2026
Regulation: Quebec Law 25, PIPEDA
1. Scope
This plan covers any confidentiality incident involving personal information held by Act Now, including unauthorized access, use, disclosure, loss, or breach.
2. Incident Classification
| Severity | Description | Examples |
|---|---|---|
| Critical | Confirmed breach of sensitive personal or financial data | Database breach exposing supporter emails; Stripe credentials compromised |
| High | Potential breach or unauthorized access detected | Suspicious login to admin account; unusual data export patterns |
| Medium | Security vulnerability identified, no confirmed breach | Unpatched dependency; misconfigured RLS (row-level security) policy |
| Low | Minor security event, no data exposure | Failed login attempts; rate limit triggered |
3. Response Steps
Step 1: Contain (Within 1 hour of detection)
- Isolate affected systems (disable compromised accounts, revoke API keys)
- Preserve evidence (logs, database snapshots)
- Notify Privacy Officer (Raymond Chooi)
Step 2: Assess (Within 24 hours)
- Determine what personal information was affected
- Determine number of affected individuals
- Determine whether the incident presents a risk of serious injury
- Document findings
Step 3: Notify (Within 72 hours if risk of serious injury)
- Commission d'accès à l'information du Québec (CAI): Required if the incident presents a risk of serious injury to affected individuals
- Affected individuals: Notify with description of incident, data affected, steps taken, and contact information
- Other regulators: As required (e.g., federal Privacy Commissioner under PIPEDA if applicable)
Step 4: Remediate
- Fix the vulnerability or access issue
- Update security controls
- Review and update RLS (row-level security) policies, API keys, and access controls
- Document lessons learned
Step 5: Record
- Log the incident in an internal incident register
- Include: date, description, data affected, individuals affected, containment steps, notifications made, remediation actions
4. Notification Templates
To CAI:
- Organization name and contact
- Description of the incident
- Types of personal information involved
- Number of individuals affected
- Measures taken to reduce risk
- Contact information for the Privacy Officer
To Affected Individuals:
- Description of what happened
- What personal information was involved
- What we are doing about it
- What they can do to protect themselves
- Contact information: privacy@actnowbutton.com
5. Key Contacts
- Privacy Officer: Raymond Chooi — privacy@actnowbutton.com
- Technical Response: Raymond Chooi
- CAI: https://www.cai.gouv.qc.ca
6. Review
This plan is reviewed annually and tested via a tabletop exercise at least once per year.