Notice of Data Privacy Event (2023)

/PRNewswire/ -- H&K Perforating, LLC ("H&K Perforating") is notifying individuals of a data privacy event. To date, we have no evidence of actual or attempted misuse of information as a result of this incident. This notice provides details about the incident, H&K Perforating's response, and resources available to help protect information.

What Happened? On or about March 5, 2022, H&K Perforating became aware of suspicious activity on its servers. H&K Perforating immediately took steps to secure its network, and with the assistance of third-party forensic specialists, deployed countermeasures to contain the event. H&K Perforating further began an investigation to determine the nature and scope of the activity. The investigation found suspicious activity occurred within H&K Perforating's system between March 2 and March 5, 2022, including potential access to certain files.

Given that certain information was potentially accessed without authorization, H&K Perforating undertook a comprehensive review of the data to understand the specific information potentially impacted and to whom it related. H&K completed those efforts on June 13, 2022, and thereafter worked to provide notification to potentially impacted individuals as quickly as possible.

What Information Was Involved? The impacted information varied by individual but may include name, address, Social Security number, driver's license, financial accounting information, medical/health information, username/email and password, and digital/electronic signature.

What We Are Doing. H&K Perforating takes this event and the obligation to safeguard the information in its care very seriously. After discovering the suspicious activity, H&K Perforating promptly took steps to confirm its system security, and engaged third-party forensic specialists to assist in conducting a comprehensive investigation of the event to confirm its nature, scope, and impact. H&K Perforating also promptly notified federal law enforcement. Further, as part of its ongoing commitment to the privacy and security of personal information in its care, H&K Perforating is reviewing and enhancing existing policies and procedures relating to data protection and security. H&K Perforating instituted additional security measures to better protect against future similar events. H&K Perforating is also notifying relevant regulatory authorities, as required.

What Affected Individuals Can Do. Individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and credit reports for unusual activity and report any suspicious activity immediately to their financial institution. Additional detail can be found below in the Steps You Can Take to Help Protect Personal Information.

For More Information. H&K Perforating understands that you may have questions that are not addressed in this notice. If you have additional questions or concerns, please call our dedicated call center at 1-800-939-4170, which is available from 8:00 a.m. to 8:00 p.m. Central Time Monday through Friday (excluding major U.S. holidays). You may also write to H&K Perforating at 5420 W Roosevelt Rd, Suite 314, Chicago, IL 60644.

STEPS YOU CAN TAKE TO HELP PROTECT PERSONAL INFORMATION

Monitor Your Accounts

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.

Consumers have the right to place an initial or extended "fraud alert" on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer's credit file. Upon seeing a fraud alert display on a consumer's credit file, a business is required to take steps to verify the consumer's identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, consumers have the right to place a "credit freeze" on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer's express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:

  1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);

  2. Social Security number;

  3. Date of birth;

  4. Addresses for the prior two to five years;

  5. Proof of current address, such as a current utility bill or telephone bill;

  6. A legible photocopy of a government-issued identification card (state driver's license or ID card, etc.); and

  7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.

Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:

Equifax
https://www.equifax.com/personal/credit-report-services/
888-298-0045
Equifax Fraud Alert, P.O. Box 105069, Atlanta, GA 30348-5069
Equifax Credit Freeze, P.O. Box 105788, Atlanta, GA 30348-5788

Experian
https://www.experian.com/help/
1-888-397-3742
Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013
Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion
https://www.transunion.com/credit-help
833-395-6938
TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094

Additional Information

You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.

For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; 202-727-3400; and oag@dc.gov.

For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.

For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit "prescreened" offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.

For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.

View original content: https://www.prnewswire.com/news-releases/notice-of-data-privacy-event-301609457.html

SOURCE H&K Perforating, LLC

FAQs

How do you respond to a data access request?

How to respond to a subject access request: a step by step guide for organisations
  1. Recognise the subject access request.
  2. Identify the individual making the subject access request.
  3. Act swiftly and clarify the subject access request.
  4. Identify personal data to be disclosed. ...
  5. Identify personal data exemptions.
30 Apr 2019

What should be included in a data privacy notice?

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller's legal basis for processing.

How do you respond to a GDPR request?

You should keep a record of any conversation with an individual about the scope of their request and the date when you sought and received any further explanation. In all circumstances, you should explain to the individual why you are seeking further details and be able to justify your position to the ICO, if asked to.

What is the minimum a privacy notice should do?

A privacy notice tells people from whom you are taking data:

At minimum, a privacy notice must contain those three key things. GDPR requires a privacy notice to be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, appropriate for the audience, and free of charge.

Can you refuse to comply with data request?

The ICO guidelines state that a DSAR can be refused if it is manifestly unfounded or excessive. It is important to remember that the application of exemptions for a request must be decided on a case-by-case basis.

How long does a company have to respond to a data request?

How long does an organisation have to respond? An organisation normally has to respond to your request within one month. If you have made a number of requests or your request is complex, they may need extra time to consider your request and they can take up to an extra two months to respond.

How do you write a privacy statement?

Your privacy statement must accurately reflect your site's data collection and use. Your privacy statement should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum. If you decide to modify how you use personal information, you must inform your users.

When must a privacy notice be given to a customer?

You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice.

What does a privacy notice disclose?

The privacy notice is what informs your visitors of their rights and how their private information will be collected and used. Digital privacy laws require you to post a privacy notice and to make it clearly apparent to visitors. Visitors to your website don't need the information included in your privacy policy.

How long do I have to respond to a GDPR request?

If you exercise any of your rights under data protection law, the organisation you're dealing with must respond as quickly as possible. This must be no later than one calendar month, starting from the day they receive the request.

Who must respond to requests from individuals concerning their personal data?

Your company/organisation must reply to their request without undue delay, and in principle within 1 month of the receipt of the request. It can ask them for additional information in order to confirm the identity of the person making the request.

Who can reject the data subject rights request?

If, in addition, further copies are requested, one can request a reasonable payment which reflects administrative costs. The controller is also allowed to refuse a data subject's requests to right of access if it is unjustified or excessive.

Are privacy notices mandatory?

In the US, there are no federal laws that require a business to have a Privacy Policy (except COPPA). But there are several laws, including federal and state laws, that have provisions on data privacy.

Is a privacy notice mandatory for all organisations?

If your organisation is subject to the GDPR (General Data Protection Regulation), you must create and distribute a privacy notice.

Can personal data be shared without permission?

No. Organisations don't always need your consent to use your personal data. They can use it without consent if they have a valid reason. These reasons are known in the law as a 'lawful basis', and there are six lawful bases organisations can use.

How do you respond to a data protection complaint?

Respond as soon as possible to let the customer know you've received their data protection complaint and are looking into it. Your response should include information about what you'll do at each stage. Let them know when they can expect further information from you and give them a point of contact.

How do I reject a data subject request?

If you are refusing all or any part of a request, you must send the requester a written refusal notice. You will need to issue a refusal notice if you are either refusing to say whether you hold information at all, or confirming that information is held but refusing to release it.

What happens if you ignore a subject access request?

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.

What is the time limit for responding to a subject access request?

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.

What action must you take if personal data is found to be inaccurate?

If personal data is identified as inaccurate as a matter of fact, or incomplete, you must seek to amend this by rectifying or completing the data. If you are unable to correct it, you could provide a supplementary statement to rectify personal data which is inaccurate if appropriate.

Do individuals have the right to request to see all personal data held?

You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

What is data privacy consent?

“Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means.

What is a good privacy policy?

A good privacy policy will describe how your information will be used and will make it clear that the company collecting it will not use your contact information in a predatory way. If you aren't comfortable with how your information will be treated, don't enter, even if the prize is enticing.

What is Data Privacy Statement job application?

This Privacy Statement (“Privacy Statement”) describes the handling of personal information obtained from and about job applicants or potential job applicants. It applies to personal information submitted directly by you as well as by third party agencies and recruiters on your behalf.

What are the two types of privacy notices?

There are three types of privacy notices defined in the regulations: an initial notice, an annual notice, and a revised notice. The regulation specifies when and to whom a bank is required to give each type of privacy notification. Let's look at the when and who for each type of privacy notice.

What are the three rights under the Privacy Act?

The Privacy Act provides protections to individuals in three primary ways. It provides individuals with: the right to request their records, subject to Privacy Act exemptions; the right to request a change to their records that are not accurate, relevant, timely or complete; and.

Are there exceptions to the requirement to provide annual privacy notices?

The rule provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

Does a privacy notice authorize the release of information?

What is in the Notice? The notice must describe: How the Privacy Rule allows provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.

What is the difference between privacy notice and privacy statement?

Privacy Notice: A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.

How often must privacy notices be sent?

You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists.

What do I do if I receive a subject access request?

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals' rights.

What is a data request?

Data request means a discovery procedure in which the requesting party asks another person for specified information or requests the production of documents.

What happens if you don't comply with a subject access request?

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.

On what grounds can you refuse a subject access request?

You can refuse an entire request under the following circumstances: It would cost too much or take too much staff time to deal with the request. The request is vexatious. The request repeats a previous request from the same person.

Can you refuse a SAR request?

Can we refuse to comply with a SAR? The ICO guidance says that you can only refuse to comply with a SAR where it is manifestly unfounded or excessive, taking into account whether it is repetitive. If you conclude you do not need to respond, you must be able to justify your decision.

What is the maximum fine for a GDPR breach?

If there is one thing that people know about the GDPR it's that GDPR fines (administrative fines) can go up to 20 million Euros or 4 percent of annual global (note global!) turnover, whichever of both is highest.

Who can reject the data subject rights?

As a rule, the information has to be provided free of charge. If, in addition, further copies are requested, one can request a reasonable payment which reflects administrative costs. The controller is also allowed to refuse a data subject's requests to right of access if it is unjustified or excessive.

What is needed before data is disclosed to other parties?

Consent must be given by the individual before their personal information can be shared. This is usually part of the privacy notice issued when the data is first collected. This applies whether you are sharing data between people or online, such as photographs on the school's Facebook page.

What is an example of sensitive data?

genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation.

What is a data request document?

A data request form is used to gather information about a product, service, or company. Use a data request form to collect information from clients, partners, or contractors when you need to update records, find contact information, or get other info about an organization, product, or service.

How many rights are there under data protection law?

The EU GDPR (General Data Protection Regulation) gives individuals eight rights relating to their personal data. Organisations must let individuals know how they can exercise these rights and meet requests promptly. Failure to do so is a violation of the GDPR and could lead to disciplinary action.

Who is responsible for fulfilling the data request?

An organisation's data protection officer (DPO) will generally be responsible for fulfilling a DSAR, provided the organisation has appointed one.

Article information

Author: Mrs. Angelic Larkin

Last Updated: 02/26/2023
