Information Security Breach
Frequently Asked Questions
- Where do I report a breach of information security?
- Will I get in trouble for reporting a breach?
No. Employees may not be retaliated against for reporting concerns at the University. See Administrative Policy: Reporting Suspected Misconduct.
- What are examples of breaches of information security?
In the case of electronic data, a breach of security may occur, for example, when a computer containing private data has been hacked and the data has been downloaded, when electronic files have been mistakenly posted on the Web or e-mailed to the wrong recipients, or when a laptop, tablet, smartphone, or other electronic storage device has been stolen or lost. In the case of paper data, a breach of security may occur when documents are stolen, lost, misdirected, or left vulnerable to unauthorized acquisition.
- Does this policy only apply to electronic information?
No. This policy applies not only to electronic information, but to all University information, regardless of the medium.
- What if I am aware of a possible incident, but can't tell whether someone has actually acquired the information?
You must report the incident, even if you don't know whether someone has acquired the information. The VP CIO or delegate is responsible for determining whether the information has been acquired.
- Who makes the notification when there has been a breach?
Generally, the department responsible for the data/information is responsible for preparing the list of addressees and making the notification, although depending on circumstances the notification may come from someone else at the University. The manner of notification is determined as part of the consultation process with administrators and the VP CIO.
- Why do we report breaches?
For several reasons: to be honest with people about whom we hold data/information, to help people prevent identity theft when their information is taken, and to comply with legal obligations, including a state law implemented in 2005 requiring notification in certain circumstances.
- What should I do if I think my unit is at risk of a breach due to a lack of security?
If you think your unit lacks physical or technical security, contact University Information Security (firstname.lastname@example.org).