DATA BREACH NOTIFICATION

About This Policy

Responsible Officer
Vice President of Human Resources & Operations

Policy Owner
Executive Director of Technology & Innovations

Policy Contact
Executive Director of Technology & Innovations

Issued
2021-04-21

Policy Statement


The university will disclose any breach of its data to any person whose sensitive, personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure will be made in the timeliest manner possible. The university, at its sole discretion, determines the scope of the breach. The university will provide information about data breaches as required by federal and state laws, regulations, and/or policies.

The disclosure may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

The university will make every reasonable effort to contact individuals impacted. Contact may be made in person, by mail, and/or by e-mail. If the university does not have sufficient contact information, a general disclosure will be posted on a North Central University web site and appropriate news media outlets will be notified.

University employees and students, or other individuals, must report incidents where a breach of university data is suspected to university Information Security (cybersecurity@northcentral.edu), by following university procedure: Reporting Information Security Incidents.

The Information Security Program Administrator (Program Administrator), in consultation with the university counsel and appropriate university administrators, is responsible for determining whether a breach of information security or university private data has occurred and whether notification to affected individuals is required.  The Program Administrator may also seek advice from other key administrators responsible for security and privacy at the university and consult with responsible administrators in the affected area, department, or other university stakeholders.

The Program Administrator and university Information Security work with the responsible departments to send any required notifications in accordance with university procedure: Notification of a Data Security Breach. All notifications must be reviewed and approved by university Information Security before they are sent.

Reason For Policy


This policy defines the steps that personnel must use to ensure that information security incidents are identified, contained, investigated, and remedied. It also provides a process for documentation, appropriate reporting internally and externally, and communication so that organizational learning occurs. Finally, it establishes responsibility and accountability for all steps in the process of addressing information security incidents.

Policy Scope


This policy applies to all users of all university data, whether faculty, staff, student, contractor, consultant, or agent thereof. This policy further applies to any computing or data storing devices owned or leased by the university that experience a security incident, as well as any computing or data storing device, regardless of ownership, which is used to store university data, or which, if lost, stolen, or compromised, and based on its privileged access, could lead to the unauthorized disclosure of protected data.

Appendices


  • There are no appendices associated with this policy.

Additional Contacts

Subject | Contact | Phone | E-mail
Policy Contact & Clarification | Information Security - Program Administrator | 612.343.4754 | cybersecurity@northcentral.edu
Information Security – Reporting Breaches | Information Security | 612.343.4754 | incident@northcentral.edu

Definitions


Acceptable Use

Use of IT resources that is always ethical, reflects academic honesty, and shows restraint in the consumption of shared resources. Acceptable use demonstrates respect for intellectual property, ownership of data, system security mechanisms, and individuals’ rights to privacy and to freedom from libel, slander, intimidation, discrimination, and harassment.

Authorized Use

Use that the university determines, in its sole and exclusive discretion, is consistent with the education, research, and mission of the university, consistent with effective departmental or divisional operations, and consistent with this policy.

Authorized User

Individuals or entities permitted to make use of university information technology resources, including students, staff, faculty, alumni, guests, sponsored affiliates, and other individuals who have an association with the university.

Breach of Security

For purposes of this policy this means unauthorized access to, acquisition, use, or disclosure of data maintained by the university, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the university, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving data that has been de-identified in compliance with applicable legal requirements.

Business Associates

An individual (other than an employee or member of the workforce of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the use or disclosure of PHI.

Information

Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.

Notification

The act of informing persons affected by a breach of university data that their information was included in the breach and the steps they can take to protect themselves and their privacy. Notification also includes required notices to federal and state agencies. Notification to affected individuals will be overseen by the Program Administrator and, depending on the data breached, may include the following components:

  1. A general description of the unauthorized access or acquisition.
  2. The type of personal information affected.
  3. A general description of the steps the university will take to protect the information from further unauthorized access or acquisition.
  4. Instructions and necessary information for notifying the major credit agencies of suspected or potential identity theft as needed.

Personally Identifiable Information

Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Examples of PII include, but are not limited to:

  • Name: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
  • Personal address information: street address, or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

The following examples on their own do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

  • Date of birth
  • Place of birth
  • Business telephone number
  • Business mailing or email address
  • Race
  • Religion
  • Geographical indicators
  • Employment information
  • Medical information
  • Education information
  • Financial information

Private Data

University data protected by federal or state law (e.g., FERPA, HIPAA), regulation, or contract (e.g. PCI DSS for credit cards, some research contracts).

Program Administrator

Individual responsible for the management of the Information Security Program. Executive Director of Information Technology.

Protected Health Information (“PHI”)

Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) identifies an individual or for which there is a reasonable basis to believe it can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.

The following records are exempted from the definition of PHI as defined by HIPAA:

  • Student records maintained by an educational institution;
  • Treatment records about post-secondary students meeting the requirements of 20 U.S.C. 1232g (4)(B)(iv); and
  • Employment records held by a covered entity in its role as employer.

Unauthorized Acquisition

For the purposes of this policy, this means that a person has obtained university private data without statutory authority, authorization from an appropriate university official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-university purposes.

Responsibilities


All Individuals

  • Report concerns regarding suspected security breaches of private data to University Information Security at cybersecurity@northcentral.edu

Program Administrator (Executive Director of Information Technology)

  • Accountable for making determinations, in consultation with the university counsel and appropriate privacy officers, as to whether a breach of information security or private data has occurred and whether notification is required, and for directing responsible departments in complying with notification obligations.
  • Delegate the authority and responsibilities for investigation of the suspected information security and data breach, and oversight of the notification process.
  • Inform the appropriate officers of suspected data breaches.
  • Oversight of the notification process, and breach determination.

Office of Information Technology (OIT) – University Information Security

  • Investigate the suspected information security or data breach.
  • Report breach information and status to the Director of Information Technology.
  • Ensure that appropriate and timely action is taken on a suspected information security or data breach.

General Counsel

  • Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the law.


RELATED INFORMATION


Related Policies & Procedures

Related Legislation

History


Issued
2021-04-21