NOTIFICATION OF A DATA SECURITY BREACH

Related Policy – Data Breach Notification

About This Procedure

Responsible Officer
Vice President of Business & Operations

Policy Owner
Executive Director of Information Technology

Policy Contact
Executive Director of Information Technology

Issued
2021-04-21

University Procedure


The Program Administrator or delegate works with the affected department, responsible administrators, university communications, and others as appropriate to deliver timely and effective notification to individuals.

  1. Draft the content of notification.
  2. While the content may vary, notification must always include these elements, to the extent possible:
    1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
    2. A description of the types of private data that were involved in the breach (e.g., full name, social security number, date of birth, home address, bank account number, personal financial information, grades, diagnosis, etc.)
    3. Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft)
    4. A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches
    5. Contact information for further questions and assistance, including a toll-free telephone number, an email address, website address, or postal address as appropriate
  3. Determine the manner of notification – The Director of Information Technology determines the appropriate manner of notification—whether first-class mail, email, or substitute notice—as required under the law.
  4. Review the notification – University Information Security reviews and approves all notifications before they are sent.
  5. Determine if other actions are required – The Program Administrator determines whether other requirements apply, depending on the nature of the information that is the subject of the breach, as well as the scope of the breach. Notification regarding protected health information must comply with the notification provisions within HIPAA regulations (45 C.F.R. Part 164, Subpart D).