Data Breach Notification Standard
Date of Current Revision or Creation: October 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to specify the data breach notification requirements for Â鶹´«Ã½ by identifying the triggering factors and necessary responses to unauthorized release of unencrypted sensitive information.
Definitions
Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.
Personal Information is any piece of data that can potentially be used to identify a single person. Generally, NAME and one or more personal information data elements are necessary to place identity at serious risk.
Standards Statement
Â鶹´«Ã½ will identify all University systems, processes, and logical and physical data storage locations, including those held by third parties, which contain Class 1,2, and 3 regulated data as described in the ITS Standard 02.3.0 Data Administration and Classification.
Â鶹´«Ã½ will include provisions in third-party contracts that involve Class 1,2 and 3 regulated data, requiring that the third party and third-party subcontractors:
- Provide timely notification to the agency of suspected breaches
- Allow the agency both to participate in the investigation of incidents and exercise control over decisions regarding external reportings.
Â鶹´«Ã½ will provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted Class 1,2, and 3 regulated data by any mechanism, including, but not limited to:
- Theft or loss of digital media including laptops, desktops, flash drives, smart phones, tablets, CD's, DVD's, tapes, etc.
- Theft or loss of physical hardcopy
- Security compromise of any system containing Class 1,2, and 3 regulated data
- Encrypted data in which the encryption key is also compromised
Â鶹´«Ã½ will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed, except as delineated below.
Â鶹´«Ã½ will provide notification that consists of:
- A general description of what occurred and when
- The type of personal information was involved
- Whether actions have been taken to protect the individual's personal information from further unauthorized disclosure
- What, if anything, Â鶹´«Ã½ will do to assist affected individuals, including contact information for more information and assistance
- What actions Â鶹´«Ã½ recommends that the individual take
Â鶹´«Ã½ will provide this notification by one or more of the following methods, listed in order of preference:
- Standard mailing to any affected individuals whose mailing addresses are available
- Electronic mail to any affected individuals whose email address has been provided to the agency as a contact mechanism
- In the case of large-scale breaches or data breaches where neither form of communication listed above is available or feasible, public communications channels, including:
- Conspicuous notification on the agency website
- Notification by statewide public media, including newspaper, radio and television
Â鶹´«Ã½ will not provide notification immediately following verification of unauthorized data disclosure only if requested by:
- Law Enforcement entities where it would interfere with an ongoing investigation
- CIO, ISO or designee where it would interfere with a determination of the scope of the data breach or investigation of root cause
Procedures, Guidelines & Other Related Information
- Federal and State Law
- Data and System Breach Response Framework
- University Policy 3505 - Information Technology Security Policy
- IT Standard 02.3.0 - Data Administration & Classification Standard
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Created |
October 2009 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
October 2012 |
ITAC/CIO |
Reaffirmed |
December 2012 |
IT Policy Office |
Minor rewording for clarity Link updated; departmental name update; numbering revision |
December 2016 | IT Policy Office | Minor rewording for clarity |
December 2019 | IT Policy Office | Minor rewording for clarity |
October 2021 | CISO | Minor edits for clarification |