Reporting and Notifying Individuals of Security Breaches FAQ

1. Where do I report a breach of security?

   At abuse@umn.edu or your campus help-desk. Look at the attached Procedure for more details on how to report.

2. What are examples of breaches of security?

   In the case of electronic data, a breach of security may occur, for example, when a computer containing private data has been hacked and the data has been downloaded, when electronic files have been mistakenly posted on the Web or e-mailed to the wrong recipients, or when a laptop, personal desk assistant, or other electronic storage device has been stolen or lost. In the case of paper data, a breach of security may occur when documents are stolen, lost, misdirected, or left vulnerable to unauthorized acquisition.

3. Does this policy only apply to electronic data?

   No, this policy applies to all University data, regardless of the medium.

4. What if I am aware of a possible incident, but can't tell whether someone has actually acquired the data?

   You should report the incident, even if you don't know whether someone has acquired the data. The CIO is responsible for determining whether the data has been acquired.

5. Who makes the notification when there has been a breach?

   Generally, the department responsible for the data will be responsible for preparing the list of addressees and making the notification, although depending on circumstances the notification may come from someone else at the University. The manner of notification will be determined as part of the consultation process with administrators and the CIO.

6. Why do we report breaches?

   For several reasons-to be honest with people about whom we hold data, to help people prevent identify theft when their data is taken, and to comply with legal obligations, including a state law implemented in 2005 requiring notification in certain circumstances.

7. What should I do if I think my unit is at risk of a breach due to a lack of security?

   If you think your unit lacks physical or technical security, contact abuse@umn.edu or your campus help-desk.

8. Will I get in trouble for reporting a breach?

   No-employees may not be retaliated against for reporting concerns at the University.