Breach Notifications
We use investor information to notify investors of a breach through the like means used to deliver routine communications such as issuer vote notices. When an investor adds their email and marks that it can be used for written account notifications, we email the investor regarding the breach. If a valid address is not known or otherwise opted out of official notices, the communication is sent to their mailing address on file.
If mail is not deliverable at any known investor addresses, the account enters our lost investor search policy.1 Emails that soft bounce will be retried until succeeding or falling back to physical mail. Letters will be printed at the TA-1 location in fully opaque envelopes which reveal no personal content information.
Notices must be sent within 30 days of the incident issue creation date, should no exception or dismissal apply. The contents of this notice shall be scoped by 17 C.F.R. § 248.30(a)(4)(iv) and adapted to the circumstances of the breached information. If unable to narrow down what investor data was stolen, the notice shall presume all investor information held by the company was breached.
If there is a substantial difference of more than a few hours before the breach itself and the creation of an incident issue, the issue author may state plainly an earlier starting timestamp for the determination clock. Notwithstanding, the team will work as fast as possible to alert investors once it is clear that an individual has been harmfully revealed. Service providers are not presently maintained for the distribution of notifications.