Notification of a Data Security Breach

Determining if Individual Notification is Needed

The Chief Information Security Officer (CISO), in consultation with the Office of the General Counsel and appropriate privacy officers, is responsible for determining whether a breach of information security or University private data has occurred and whether notification to affected individuals is required. The CISO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.

Notifying Individuals

The CISO or delegate works with the affected unit, responsible administrators, University Relations, and others as appropriate to deliver timely and effective notification to individuals.

1. Draft the content of notification.

   While the content may vary, notification must always include these elements, to the extent possible:

   • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
   • A description of the types of private data that were involved in the breach (e.g., full name, social security number, date of birth, home address, bank account number, personal financial information, grades, diagnosis, etc.)
   • Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft)
   • A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches
   • Contact information for further questions and assistance, including a toll-free telephone number, an email address, website address, or postal address as appropriate
2. Determine the manner of notification

   The CISO determines the appropriate manner of notification—whether first-class mail, email, or substitute notice—as required under the law.

3. Review the notification.

   University Information Security reviews and approves all notifications prior to making notification.

4. Determine if other actions are required.

   The CISO determines whether other requirements apply, depending on the nature of the information that is the subject of the breach, as well as the scope of the breach. Notification required by the Minnesota Government Data Practices Act must comply with the provisions of that law. Minn. Stat. § 13.055, as well as subdivision 2. Notification needs to comply with other state and federal laws, contractual and regulatory obligations as applicable. Notification regarding protected health information must comply with the notification provisions within HIPAA regulations. 45 C.F.R. Part 164, Subpart D. Additional requirements may include posting on websites, notice to media outlets, and notification to the Secretary of Health and Human Services.