Reporting and Responding to Security Incidents

A. Who should report a security breach?

Any person who knows or reasonably believes that an incident of the security of private financial data has occurred should report their concern to the University. Any employee with the responsibility for data must report known or suspected breaches of private financial data. These reports will enable the University to investigate and address the concern and make the determinations about appropriate notification to the subject of the private data.

B. How do you report a security breach?

Make a report as soon as possible to OIT Assurance and Security at abuse@umn.edu and the Financial Security and Privacy Officer via the University Financial Helpline at fsshelp@umn.edu or 612-624-1617.

Provide the following information:

• Your contact information.
• The department involved.
• A brief description of what happened.
• A general description of the type of data at issue.

C. Who decides whether to notify individuals.

The Chief Information Officer (CIO) or delegate, in consultation with the General Counsel’s Office, is responsible for determining whether a breach of security of data has occurred and whether notification to individuals is required. The CIO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area or unit.

D. How is notification made?

The CIO works with the affected unit, responsible administrators, University Relations, and others as appropriate to deliver timely and effective notification to individuals.

While the content may vary, notification should include:

• A general description of what happened.
• The type of private data at issue.
• Steps taken to prevent further disclosure of the individual’s data.
• Contact information for further questions and assistance.
• Where appropriate, information to protect against identity theft.

Questions about this procedure? Email: fsshelp@umn.edu.