Reporting and Notifying Individuals of Information Security Breaches
Responsible University Officer(s):
- Vice President for Information Technology
- Chief Information Security Officer
The University will provide timely and appropriate notice to affected individuals when there has been a breach of security of private information about them.
Report to University
University employees and students, or other individuals, must report all suspected information security breaches of University data to University Information Security (firstname.lastname@example.org), by following the Report Information Security Incidents procedure.
Additionally, all suspected information security breaches involving protected health information (PHI), including the data of any of the University's Business Associates, must be reported to the University Health Information Privacy and Compliance Office at email@example.com.
Notification to Individuals
The VP CIO or delegate, in consultation with the General Counsel's Office and appropriate privacy officers, is responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation. See the Notification of an Information Security Breach procedure.
REASON FOR POLICY
This policy requires communication regarding information security breaches in order to protect individuals from potential harm arising from the unauthorized access or acquisition of private information about them, and to comply with state and federal privacy and data security laws.
| Topic | Contact |
|---|---|
| Primary Contact(s) | Brian Dahlin, firstname.lastname@example.org |
| Information Security breaches | Natascha Shawver, email@example.com |
| Information Security | Brian Dahlin, University Chief Information Security Officer, firstname.lastname@example.org |
| HIPAA Privacy Office | University Chief Health Information Compliance Officer |
| PCI DSS/Credit cards | David Laden, email@example.com firstname.lastname@example.org |
| Student records | Stacey Tidball, 612- email@example.com |
- Breach of information security
- For purposes of this policy this means unauthorized access to, acquisition, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving de-identified data.
- Business Associate
- An individual (other than an employee or member of the work force of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the disclosure of PHI.
- Covered Entity
- A Health Care Provider, Health Plan or a health care clearinghouse.
- Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.
- Private data
- University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. PCI DSS for credit cards, some research contracts).
- Protected health information ("PHI")
- Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Health Care Provider, Health Plan or health care clearinghouse, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is reasonable basis to believe can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.
The following records are exempted from the definition of PHI as defined by HIPAA:
- Student records maintained by an educational institution;
- Treatment records about a post-secondary student meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
- Unauthorized acquisition
- For the purposes of this policy, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, and with the intent to use the data for unauthorized or non-University purposes.
- All Individuals
- Report concerns regarding suspected security breaches of private information.
- Vice President and Chief Information Officer (VP CIO) or delegate
- Accountable for making determinations, in consultation with the General Counsel's Office and appropriate privacy officers, as to whether notification is required, and for directing responsible departments in complying with notification obligations.
- Delegate to the Chief Information Security Officer the authority and responsibility for the suspected information security breach investigation, oversight of the notification process, and breach determination, where appropriate.
- University Chief Information Security Officer
- Delegate the authority and responsibilities for investigation of the suspected information security breach, and oversight of the notification process.
- Inform the appropriate privacy officers of suspected information security breaches.
- Report breach information to the VP CIO.
- Office of Information Technology (OIT) – University Information Security (UIS)
- Investigate the suspected information security breach.
- Report breach information and status to University Chief Information Security Officer.
- Report suspected information security breach to the appropriate privacy office.
- Ensure that appropriate and timely action is taken on a suspected information security breach.
- Provide oversight of the notification process.
- Collegiate/Unit Administrators
- Provide timely and effective notification to individuals as directed by the VP CIO when there has been a security breach of private data in their area. Direct expenses related to the breach notification process are the responsibility of the affected unit.
- Privacy Officer
- Notify external entities in accordance with the respective privacy law or contract (e.g., Federal Department of Health and Human Services for PHI).
- Provide privacy advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the privacy law or contract they are responsible for.
- General Counsel
- Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.
- Administrative Policy: Managing Student Records
- Administrative Policy: Protected Health Information
- Administrative Policy: Accepting Revenue via Payment Cards
- Administrative Policy: Reporting Suspected Misconduct
Laws and Regulations
- Minnesota Government Data Practices Act, including Stat. section 13.055
- Minnesota Statutes section 325E.61
- HIPAA Regulations, 45 CFR Part 164, Subpart D
Other Related Information
- December 2015 - Comprehensive Review, Major Revision:
  1. Revises the policy title to Reporting and Notifying Individuals of Information Security Breaches, which clarifies that the security breaches covered are information security breaches.
  2. Clarifies the reporting and notification process, with links to the relevant procedure for more information.
  3. Includes two new procedures for reporting incidents and for notification in the event of an information security breach.
- February 2010 - Policy and Procedure updated to comply with HITECH regulations.
- May 2006