The University will provide timely and appropriate notice to affected individuals when there has been a breach of security involving private data about them.
University employees and students, or other individuals, must report any suspected breach of University data to University Information Security ([email protected]) by following Administrative Procedure: Report Information Security Incidents.
Additionally, all suspected data breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University Health Information Privacy and Compliance Office at [email protected].
The Chief Information Security Officer (CISO), in consultation with the Office of the General Counsel and appropriate privacy officers, is responsible for determining whether a breach of information security or University private data has occurred and whether notification to affected individuals is required. The CISO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.
The CISO and University Information Security work with the responsible departments to send any required notifications in accordance with Administrative Procedure: Notification of a Data Security Breach. All notifications must be reviewed and approved by University Information Security before they are sent.
Reason for Policy
This policy requires communication regarding data breaches in order to protect individuals from potential harm arising from unauthorized access to or acquisition of private data about them, and to comply with notification requirements under state and federal privacy and data security laws and under contractual and regulatory obligations.