Last updated: 1 January 2026

Our position

Lepton handles sensitive client data — actuarial valuations, claims information, financial records, and protected health information (PHI). We maintain administrative, technical, and physical safeguards proportionate to the sensitivity of that data.

Response procedure

  1. Detection & triage — Within 24 hours of identification, the incident is escalated to the principal-level incident response team for triage and initial containment.
  2. Containment & investigation — Within 72 hours, we initiate a forensic investigation to determine scope, cause, and affected data.
  3. Notification & disclosure — We notify affected clients and individuals consistent with applicable law (HIPAA, GDPR, state breach notification statutes, sectoral regulations).
  4. Remediation & review — Following resolution, we conduct a post-incident review and update controls.

Notification standards

  • Affected clients directly
  • Individual data subjects when required by law
  • Regulators as required by jurisdiction
  • Law enforcement where criminal activity is suspected

Reporting a suspected breach

Email security@leptonactuarial.com with the subject line “Security Incident”. We acknowledge security reports within one business day.