Background:  The DURSA requires Participants to promptly notify the Coordinating Committee and other impacted Participants of Breaches which involve the unauthorized disclosure of data through the Exchange, take steps to mitigate the Breach and implement corrective action plans to prevent such Breaches from occurring in the future.  Suspected Breaches must be reported to the Coordinating Committee and other potentially impacted Participants within one (1) hour of discovering information that leads the Participant to reasonably believe that a breach may have occurred.  As soon as reasonably practicable, but no later than twenty-four (24) hours, after determining that a Breach did occur, Participants must notify other affected Participants and the Coordinating Committee.  This process is not intended to address any obligations for notifying consumers of breaches, but simply establishes an obligation for Participants to notify each other when Breaches occur to facilitate an appropriate response.

The Coordinating Committee adopted an Operating Policy and Procedure (OP&P 7) to further explain the mechanisms for Participants to notify other Participants and the Coordinating Committee of suspected or actual Breaches.  OP&P 7 also sets forth the process that the Coordinating Committee will use to respond to a Breach alert or notification.