1. In their disclosure to the public of breaches of security or losses of integrity referred to in Section I, undertakings are required to:
a) Ensure that the content of the disclosure is clear, accessible and as precise as possible and includes, among other relevant information:
i) Indication of the networks and services affected; and
ii) The length of time it is expected to take to resolve the occurrence or, if applicable, the date of resolution;
b) Provide, as a minimum, information on their respective web sites, as used in their relationship with users, through a hyperlink posted on the homepage of the website, which hyperlink shall be immediately visible and identifiable without scrolling;
c) Provide the information at the earliest opportunity and within four business hours following the deadline of the initial notification to ICP-ANACOM1,for this purpose, working hours means time elapsing between 09.00 and 19.00 on a working day;
d) Update the information whenever a significant alteration occurs and immediately after the breach of security or loss of integrity ceases; and
e) Ensure that the information provided on the Internet remains accessible to the public, in the same locations as referred to in point b), for a period of one month following the date on which the breach of security or loss of integrity ceases.
2. Companies are required to notify ICP-ANACOM, upon commencing their activity, as to the URL addresses2 of web pages which, for the purposes of point b) above, they will use to provide public disclosure of security breaches or losses of integrity occurring on their networks and as part of their services, and notify ICP-ANACOM as to any subsequent amendments thereto within a minimum of 5 working days subsequent to such amendments being implemented.
3. With a view to the proper performance of the provisions of this Annex A, it is incumbent upon the undertakings to implement all the means and procedures as are necessary to detect and evaluate security breaches or losses of integrity covered by the circumstances set out in Section I, assess their respective impact and undertake notification.
1 In accordance with the provisions of Section II of Annex A.
2 Uniform Resource Locator.
