Reporting and Notifying Individuals of Security Breaches
Last Update: December 2006
Responsible University Officer:
- Chief Information Officer
POLICY STATEMENT
The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private data about them. A breach in security occurs when there is an unauthorized acquisition of private information maintained in any form by the University. The Chief Information Officer or delegate, in consultation with the General Counsel's Office, will be responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation. All known or suspected breaches of security must be reported to the CIO, to enable the CIO to determine whether notification is required. Suspected breaches can be reported at abuse@umn.edu or your campus help-desk.
REASON FOR POLICY
This policy protects individuals from potential harm arising from the unauthorized acquisition of private information about them, and promotes compliance with state and federal privacy laws.
PROCEDURES
FORMS/INSTRUCTIONS
There are no forms for this policy.
ADDITIONAL CONTACTS
| Subject | Contact | Phone | Fax/Email |
|---|---|---|---|
| Primary Contact(s) | Ken Hanna; Tracy Smith | 612-625-1505 | k-hann1@umn.edu; smith229@umn.edu |
| Breaches/electronic | Ken Hanna | 612-625-1505 | k-hann1@umn.edu |
| Security | Steve Cawley | 612-625-8855 | cawley@umn.edu |
| Medical records/PHI | Ross Janssen | 612-626-5844 | janss006@umn.edu |
| Student records | Tina Falkner | 612-625-1064 | rovic001@umn.edu |
| Legal | Tracy Smith | 612-624-9546 | tracysmith@mail.ogc.umn.edu |

Help Desk Contacts. Security questions, concerns, or suspected incidents: e-mail abuse@umn.edu

| Campus | Help Desk | Phone |
|---|---|---|
| University of Minnesota - Twin Cities (TC) | TC Help Desk | 1-HELP (612) 301-4357 |
| University of Minnesota - Duluth (UMD) | UMD Help Desk | 218-726-8847 |
| University of Minnesota - Morris (UMM) | UMM Help Desk | 320-589-6391 |
| University of Minnesota - Crookston (UMC) | UMC Help Desk | 218-281-8000 |
DEFINITIONS
- Breach of security
- For purposes of this policy this means unauthorized acquisition of data maintained by the University, which compromises the security and classification of the data. Good faith acquisition of government data by an employee, contractor, or agent of the University is not a breach of the security of the data, if the data is not provided to an unauthorized person.
- Data
- Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.
- Private data
- Data about individuals that is classified by law as private or confidential and is maintained by the University in electronic, paper, or other format or medium. Under the Minnesota Government Data Practices Act, "private data" means data classified as not public and available to the subject of the data, and "confidential data" means data classified as not public but not available to the subject of the data. See Appendix attached to this policy.
- Unauthorized acquisition
- For the purposes of this policy, this means that a person has obtained University data without statutory authority or the consent of the individual who is the subject of the data, and with the intent to use the data for non-University purposes.
RESPONSIBILITIES
- All Employees
- Report good faith concerns about security breaches of private data at the University.
- Chief Information Officer
- Make determinations, in consultation with the General Counsel's Office, as to whether notification is required, and direct responsible departments in complying with notification obligations.
- Collegiate/Unit Administrators
- Provide timely and effective notification to individuals as directed by the CIO when there has been a security breach of private data in their area.
- General Counsel
- Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.
APPENDICES
There are no appendices for this policy.
FREQUENTLY ASKED QUESTIONS
RELATED INFORMATION
Policies and Procedures
- Administrative Policy: Protecting the Privacy of Student Education Records
- Administrative Policy: Internal Access to University Information
- Administrative Policy: Acceptable Use of Information Technology Resources
- Administrative Procedure: Reporting Violations of Security, Acceptable Use, Technology Resources, and Threats of Violence (Twin Cities Campuses)
- Administrative Policy: User Authentication for Access to University Computer Resources
- Administrative Policy: Administration and Oversight for Protection of Individual Health Information
- Administrative Policy: Use and Disclosure of Individual Health Information for Research
- Administrative Policy: Protection of Individual Health Information by University Health Care Components (HIPAA)
- Administrative Policy: Accessing U-Wide Banking Services
- Administrative Policy: Financial Data and Systems Security
- Administrative Procedure: Reporting and Responding to Security Incidents
Statutes
- Minnesota Government Data Practices Act, including Minn. Stat. section 13.055
- Minnesota Statutes section 325E.61
Other Related Information
HISTORY
- Effective:
- May 2009