Printed on: 12/14/2019. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Administrative Policy

Data Security Breach

Responsible University Officer(s):
  • Vice President for Information Technology
Policy Owner(s):
  • Chief Information Security Officer
Policy contact(s):
  • Brian Dahlin
Date Revised:
Dec 3, 2019
Effective Date:
May 1, 2006

Policy Statement

The University will provide timely and appropriate notice to affected individuals when there has been a breach of security involving private data about them.

University employees and students, or other individuals, must report incidents where a breach of University data is suspected to University Information Security (security@umn.edu), by following Administrative Procedure: Report Information Security Incidents.

Additionally, all suspected data breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University Health Information Privacy and Compliance Office at privacy@umn.edu.

The Chief Information Security Officer (CISO), in consultation with the Office of the General Counsel and appropriate privacy officers, is responsible for determining whether a breach of information security or University private data has occurred and whether notification to affected individuals is required.  The CISO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit. 

The CISO and University Information Security work with the responsible departments to send any required notifications in accordance with Administrative Procedure: Notification of a Data Security Breach. All notifications must be reviewed and approved by University Information Security prior to making notification.

Reason for Policy

This policy requires communication regarding data breaches in order to protect individuals from potential harm arising from unauthorized access or acquisition of private data about them, and to comply with notifications required by state, federal privacy and data security laws, and contractual and regulatory obligations.

Procedures

Forms/Instructions

Appendices

Frequently Asked Questions

Contacts

SubjectContactPhoneEmail
Primary Contact(s) Brian Dahlin 612-625-1505 bdahlin@umn.edu
Information Security Breach Natascha Shawver 612-625-7885 nshawver@umn.edu
Information Security Brian Dahlin, University Chief Information Security Officer (CISO) 612-625-1505 bdahlin@umn.edu
Medical records/PHI 
HIPAA Privacy Office
Lori Ketola,  
University Chief Health Information Compliance Officer
612-626-5844 ljketola@umn.edu 
privacy@umn.edu
PCI DSS/Credit cards David Laden 612-624-0929

laden003@umn.edu

pmtcard@umn.edu

Student records Stacey Tidball 612- 626-0075 tidball@umn.edu
Legal Paul Savereide 612-626-9798 save0003@umn.edu

Definitions

Breach of security
For purposes of this policy this means unauthorized access to, acquisition, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving data that has been de-identified in compliance with applicable legal requirements.
Business Associate
An individual (other than an employee or member of the workforce of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the use or disclosure of PHI.
Covered Entity
A Health Care Provider, Health Plan, or health care clearinghouse. A Covered Entity also includes those units or components designated as a Hybrid Entity.
Information
Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.
Private data
University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. PCI DSS for credit cards, some research contracts). See appendix: Examples of Public, Private and Confidential Information.
Protected health information ("PHI")
Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is reasonable basis to believe can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.
The following records are exempted from the definition of PHI as defined by HIPAA:
  • Student records maintained by an educational institution;
  • Treatment records about a post-secondary students meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
  • Employment records held by a covered entity in its role as employer.
Unauthorized acquisition
For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.

Responsibilities

All Individuals
Report concerns regarding suspected security breaches of private data to University Information Security at security@umn.edu
Vice President and Chief Information Officer (VP CIO)
  • Delegate to the Chief Information Security Officer the authority and responsibility for the suspected information security and data breach investigation, oversight of the notification process, and breach determination, where appropriate.
University Chief Information Security Officer (CISO)
  • Accountable for making determinations, in consultation with the General Counsel's Office and appropriate privacy officers, as to whether a breach of information security or private data has occurred and whether notification is required, and direct responsible departments in complying with notification obligations.
  • Delegate the authority and responsibilities for investigation of the suspected information security and data breach, and oversight of the notification process.
  • Inform the appropriate privacy officers of suspected data breaches.
  • Report breach information to the VP CIO.
Office of Information Technology (OIT) – University Information Security (UIS)
  • Investigate the suspected information security or data breach.
  • Report breach information and status to University Chief Information Security Officer.
  • Report suspected information security and data breach to the appropriate privacy office.
  • Ensure that appropriate and timely action is taken on a suspected information security or data breach.
  • Provide oversight of the notification process.
Collegiate/Unit Administrators
Provide timely and effective notification to individuals as directed by the CISO when there has been a security breach of private data in their area. Direct expenses related to the breach notification process are the responsibility of the affected unit.
Privacy Officer
  • Notify external entities in accordance with the respective privacy law or contract (e.g., Federal Department of Health and Human Services for PHI).
  • Provide privacy advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the privacy law or contract they are responsible for.
General Counsel
Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the law.

Related Information

Related Policies

Laws, Regulations and Contracts

Other Related Information

History

Amended:
December 2019 - Comprehensive Review, Minor Revision:
  • Change the policy title to Data Security Breach. This aligns with commonly used language.
  • Align the policy statement and procedures with responsibilities for VP CIO and CISO.
  • Update responsibilities, definitions and related information sections.
  • Update the FAQ for improved readability.
  • Update the Report Information Security procedure to clarify how to report.
  • Update the Notification of a Data Security Breach procedure to align with the responsibilities.
Amended:
December 2015 - Comprehensive Review, Major Revision: 1. Revises the policy title to Reporting and Notifying Individuals of Information Security Breaches which clarifies the type of security breaches are information security breaches. 2. Clarifies the reporting and notification process with links to the relevant procedure for more information. 3. Includes two new procedures for reporting incidents and notification in the event of an information security breach.
Amended:
February 2010 - Policy and Procedure updated to comply with HITECH regulations.
Effective:
May 2006

Document Feedback

Information Technology