Breach notification procedures


Notification is required when the security of high-risk personal non-public information is compromised.

The University's breach notification procedures are in place to ensure that University community members are informed when there is a breach in the security of their highly sensitive personal information—e.g., when there is a risk of identity theft. Following the discovery of a breach in the security of a system—including theft of a computer—in which a computer forensic analysis indicates there is a reasonable expectation that unencrypted high-risk personal non-public information has been viewed or taken, University policy is to notify every person whose personal information might have been acquired by an unauthorized person.

What is high-risk personal non-public information?

Personal non-public information is any information that uniquely identifies a person and provides confidential information (e.g., academic, financial, or medical records) about that individual. High-risk personal non-public information is confidential information that could be used to commit identity theft or cause financial loss to the individual if improperly disclosed, or that is highly sensitive for other reasons. Examples include, but are not limited to:

  • Social Security number, taxpayer ID number, or identification number derived from Social Security number;
  • Credit card or other financial account number combined with a password or access code that would permit access to a financial account;
  • Driver's license number.

Personal non-public information does not include published directory information or information that is lawfully made available to the general public from federal, state, or local governmental records.

What is a breach of the security of a system?

A computer security breach is any incident in which the security of a computer system is compromised, including the theft or loss of a computer, storage device, or medium, where unauthorized person(s) might have been able to access, copy, or read the data files on it. It does not include normal business use by employees or University business partners.

What are the department's responsibilities?

Whenever possible, personal non-public information, including Social Security and credit card numbers, should not be stored on unit-administered computers. University departments are responsible for the security of information in their possession and must be vigilant in safeguarding it. For more information, see Protecting personal non-public information.

When a University department becomes aware of a breach of the security of any of its computer systems that contain unencrypted high-risk personal non-public information, it must:

  1. advise Information Technologies-System Security and Access (secadmin@udel.edu) and the Dean or Vice President to whom the department reports. If a computer has been stolen, Public Safety must also be notified;
  2. notify the affected individuals whose highly sensitive personal information is at risk. The department will work with its Dean's or Vice President's office and the Office of Communications & Marketing to provide notification. Notices must be given in writing by US Mail, and the final text used in any breach notification must be reviewed by the Office of Communications & Marketing;
  3. advise Information Technologies-System Security and Access when notification is complete.

What should notices include?

The final text that is used in any breach notification must be reviewed by the Office of Communications & Marketing.

Notifications will vary depending on the circumstances of each system breach and could include the following elements:

  • purpose of the letter;
  • identity of the University department;
  • what happened, in general terms, including the dates of the security breach and of its discovery;
  • what kind of personal information was involved;
  • what affected individuals should do to protect themselves;
  • where to go for more information;
  • what the department is doing, if anything, to investigate further;
  • whom to contact for more information.

Sample notification text is intended to provide guidance to University departments in developing a notice to individuals whose personal information might have been involved in a computer security breach.