Reporting Security Incidents and Making Notification

1. Who should report a breach?

   Any person who knows or reasonably believes that a breach of the security of private data has occurred should report their concern to the University. Any University employee with responsibility for data must report known or suspected breaches of security of private data. These reports will enable the University to investigate and address the concern and to make determinations about appropriate notification to the subjects of the private data.

2. How do you report a breach?

   Just send an e-mail to abuse@umn.edu or contact your campus help-desk. Tell them:
   • Your contact information
   • The department involved
   • A brief description of what happened
   • A general description of the type of data at issue

3. Who decides whether to notify individuals?

   The Chief Information Officer (CIO) or delegate, in consultation with the General Counsel's Office, will be responsible for determining whether a breach of security of data has occurred and whether notification to individuals is required. The CIO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.

4. How is notification made?

   The CIO will work with the affected unit, responsible administrators, University Relations, and others as appropriate to deliver timely and effective notification to individuals. Direct expenses related to the breach notification process are the responsibility of the affected unit. While the content may vary, notification should include:
   • A general description of what happened
   • The type of private data at issue
   • Steps taken to prevent further disclosure of the individual's data
   • Contact information for further questions and assistance
   • Where appropriate, information to protect against identify theft