Breach notification procedures
Notification is required when the security of high-risk confidential or personally identifiable information (PII) is breached.
The University's breach notification procedures are in place to ensure that University community members and stakeholders are informed when there is a breach in the security of their highly sensitive confidential information, e.g., when there is a risk of identity theft or of unauthorized disclosure of sensitive intellectual property, research, or personal information. Following the discovery of a breach in the security of a system, including theft of a computer, in which a computer forensic analysis indicates there is a reasonable expectation that unencrypted high-risk confidential information or PII has been viewed or taken without authorization, University policy is to notify all persons and entities whose information might have been disclosed.
Confidential PII is any information that uniquely identifies a person and provides confidential information (e.g., academic, financial, medical records) about that individual. Confidential high-risk PII is confidential information that can be used to commit identity theft or cause financial loss to the individual if improperly disclosed, or that is highly sensitive due to privacy concerns. High-risk confidential information is sensitive because of legal, regulatory, contractual or funding agency restrictions. Examples include, but are not limited to:
- Social Security number, taxpayer ID number, or identification number derived from Social Security number;
- Credit card or other financial account number combined with password or access code that would permit access to a financial account;
- Driver's license number;
- Sensitive medical, educational, proprietary, research, or other information where privacy, confidentiality, or disclosure restrictions are critical.
Confidential PII does not include published directory information or information that is lawfully made available to the general public from federal, state, or local governmental records.
What is a breach of the security of a system?
A computer security breach is any incident in which the security of a computer system is compromised, including theft or loss of a computer, or storage device or medium, where unauthorized person(s) might have been able to access, copy or read data files on it. It does not include normal business use by employees or University business partners.
What are the department's responsibilities?
Whenever possible, confidential high-risk PII, including Social Security and credit card numbers, should not be stored on unit-administered computers. University departments are responsible for the security of information in their possession, and must be vigilant in safeguarding it. For more information see Classify and protect personally identifiable information.
When a University department becomes aware of a breach of the security of any of its information systems that contain unencrypted high-risk confidential PII it must:
- advise IT Information Security (firstname.lastname@example.org) and the Dean or Vice President to which it reports. If a computer has been stolen, Public Safety must also be notified;
- preserve all information related to the breach. The machine must NOT be rebooted, turned off, or plugged into another network port, and NO attempts should be made to repair the system; a reboot or shutdown destroys the volatile memory, running processes and connection state that the forensic analysis depends on. Nothing is to be removed or altered in a way that would make it impossible to determine whose Social Security or credit card numbers, or other high-risk personal information, might have been taken (e.g., data files, system logs, and other data that might be useful in investigating the extent of PII stolen during the breach);
- cooperate with IT, which will work with the department to conduct an assessment of the incident to determine the likelihood that confidential high-risk PII was viewed or taken. Only when the investigation is complete will IT Client Support and Services assist the department in cleaning the system, since cleaning earlier would destroy evidence;
- if the results of the investigation conclude that there is a reasonable expectation that confidential high-risk PII was viewed or taken, the department must notify affected individuals or entities whose highly sensitive information is at risk. The department will work with its Dean's or Vice President's office, Vice President & General Counsel, and the Office of Communications and Marketing to provide notification. Notices must be given in writing by US Mail or by email or other appropriate electronic means. The final text that is used in any breach notification must be reviewed and approved by the Office of Communications and Marketing and the Vice President & General Counsel.
- advise the IT Information Security office when notification is complete.
What should notices include?
The final text that is used in any breach notification must be reviewed and approved by the Office of Communications & Marketing and the Vice President & General Counsel.
Notifications will vary depending on the circumstances of each system breach and could include the following elements:
- purpose of the letter;
- identity of the university department;
- what happened in general terms, including the dates of the security breach and of its discovery;
- what kind of personal information was involved;
- what affected individuals should do to protect themselves;
- where to go for more information;
- what the department is doing, if anything, to investigate further;
- whom to contact with questions.
Sample notification text is intended to provide guidance to university departments in developing a notice to individuals whose personal information might have been involved in a computer security breach.