University of Minnesota  Administrative Policy

Data Security Breach

Policy Statement

The University will provide timely and appropriate notice to affected individuals when there has been a breach of security involving private data about them.

University employees and students, or other individuals, must report incidents where a breach of University data is suspected to University Information Security ([email protected]), by following Administrative Procedure: Report Information Security Incidents.

Additionally, all suspected data breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University Health Information Privacy and Compliance Office at [email protected].

The Chief Information Security Officer (CISO), in consultation with the Office of the General Counsel and appropriate privacy officers, is responsible for determining whether a breach of information security or University private data has occurred and whether notification to affected individuals is required.  The CISO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit. 

The CISO and University Information Security work with the responsible departments to send any required notifications in accordance with Administrative Procedure: Notification of a Data Security Breach. All notifications must be reviewed and approved by University Information Security prior to making notification.

Reason for Policy

This policy requires communication regarding data breaches in order to protect individuals from potential harm arising from unauthorized access to or acquisition of private data about them, and to comply with notifications required by state and federal privacy and data security laws and by contractual and regulatory obligations.

Contacts

| Subject | Contact | Phone | Email |
|---|---|---|---|
| Primary Contact(s) | Brian Dahlin | 612-625-1505 | [email protected] |
| Information Security Breach | Mandy Winegarden; Charlie Morrison | | [email protected]; [email protected] |
| Information Security | Brian Dahlin, University Chief Information Security Officer (CISO) | 612-625-1505 | [email protected] |
| Medical records/PHI | HIPAA Privacy Office; Lauren Popp, University Chief Health Information Compliance Officer | | [email protected]; [email protected] |
| PCI DSS/Credit cards | David Laden | 612-624-0929 | [email protected]; [email protected] |
| Student records | Stacey Tidball | 612-626-0075 | [email protected] |
| Legal | Dan Herber | 612-626-2716 | [email protected] |

Responsible Individuals

  • Responsible Officer: Vice President and Chief Information Officer, Office of Information Technology
  • Policy Owner: Chief Information Security Officer, Office of Information Technology
  • Primary Contact: Brian Dahlin, Chief Information Security Officer, Office of Information Technology

Definitions

Breach of security

For purposes of this policy this means unauthorized access to, acquisition, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving data that has been de-identified in compliance with applicable legal requirements.

Business Associate

An individual (other than an employee or member of the workforce of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the use or disclosure of PHI.

Covered Entity

A Health Care Provider, Health Plan, or health care clearinghouse. A Covered Entity also includes those units or components designated as a Hybrid Entity.

Information

Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.

Private data

University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. PCI DSS for credit cards, some research contracts). See appendix: Examples of Public, Private and Confidential Information.

Protected health information ("PHI")

Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is reasonable basis to believe can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.

The following records are exempted from the definition of PHI as defined by HIPAA:

  • Student records maintained by an educational institution;
  • Treatment records about post-secondary students meeting the requirements of 20 U.S.C. 1232g (4)(B)(iv); and
  • Employment records held by a covered entity in its role as employer.

Unauthorized acquisition

For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.

Responsibilities

All Individuals

Report concerns regarding suspected security breaches of private data to University Information Security at [email protected].

Vice President and Chief Information Officer (VP CIO)

  • Delegate to the Chief Information Security Officer the authority and responsibility for the suspected information security and data breach investigation, oversight of the notification process, and breach determination, where appropriate.

University Chief Information Security Officer (CISO)

  • Accountable for making determinations, in consultation with the General Counsel's Office and appropriate privacy officers, as to whether a breach of information security or private data has occurred and whether notification is required, and direct responsible departments in complying with notification obligations.
  • Delegate the authority and responsibilities for investigation of the suspected information security and data breach, and oversight of the notification process.
  • Inform the appropriate privacy officers of suspected data breaches.
  • Report breach information to the VP CIO.

Office of Information Technology (OIT) – University Information Security (UIS)

  • Investigate the suspected information security or data breach.
  • Report breach information and status to University Chief Information Security Officer.
  • Report suspected information security and data breach to the appropriate privacy office.
  • Ensure that appropriate and timely action is taken on a suspected information security or data breach.
  • Provide oversight of the notification process.

Collegiate/Unit Administrators

Provide timely and effective notification to individuals as directed by the CISO when there has been a security breach of private data in their area. Direct expenses related to the breach notification process are the responsibility of the affected unit.

Privacy Officer

  • Notify external entities in accordance with the respective privacy law or contract (e.g., Federal Department of Health and Human Services for PHI).
  • Provide privacy advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the privacy law or contract they are responsible for.

General Counsel

Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the law.

Related Information

Related Policies

Laws, Regulations and Contracts

Other Related Information

History

Amended:

December 2019 - Comprehensive Review, Minor Revision:

  • Change the policy title to Data Security Breach. This aligns with commonly used language.
  • Align the policy statement and procedures with responsibilities for VP CIO and CISO.
  • Update responsibilities, definitions and related information sections.
  • Update the FAQ for improved readability.
  • Update the Report Information Security procedure to clarify how to report.
  • Update the Notification of a Data Security Breach procedure to align with the responsibilities.

Amended:

December 2015 - Comprehensive Review, Major Revision:

  • Revises the policy title to Reporting and Notifying Individuals of Information Security Breaches, which clarifies that the security breaches covered are information security breaches.
  • Clarifies the reporting and notification process with links to the relevant procedure for more information.
  • Includes two new procedures for reporting incidents and notification in the event of an information security breach.

Amended:

February 2010 - Policy and Procedure updated to comply with HITECH regulations.

Effective:

May 2006