Data Security Breach
Frequently Asked Questions
- Where to report a suspected breach of security or University data?
- Will an individual get in trouble for reporting a suspected breach?
- What are examples of suspected breaches of University data?
These are examples of suspected electronic breaches of University private data:
- a device storing or accessing University private data has been accessed by an unauthorized party,
- electronic files have been mistakenly posted on the web or e-mailed to the wrong recipients, or
- a laptop, tablet, smartphone, or other electronic storage device has been stolen or lost.
These are examples of suspected paper-based breaches of University private data:
- documents containing University private data are stolen or lost; or
- documents containing University private data are misdirected, or left vulnerable to unauthorized acquisition.
- Does this policy only apply to electronic data?
No. This policy applies to all University private data, regardless of the medium.
- What if an individual is aware of a suspected incident, but can't tell whether someone has actually acquired the data?
Report the incident, even if unsure whether someone has acquired the data. The CISO is responsible for determining whether the data has been acquired.
- Who makes the notification when there has been a breach?
Generally, the department responsible for the data/information is responsible for preparing the list of addressees and making the notification, although depending on circumstances the notification may come from someone else at the University. The manner of notification is determined as part of the consultation process with administrators and the CISO.
- Why are suspected breaches reported?
For several reasons
- The University has the responsibility to be transparent with the University community and the people whom we hold data/information,
- To help people prevent identity theft when their private data is taken, and
- To comply with legal and regulatory obligations, including a Minnesota state law requiring notification.
- Where to report if a unit is at risk of a suspected breach due to a lack of security?
Contact University Information Security (firstname.lastname@example.org) to report suspected lack of physical or technical security controls for a unit.