Notification of an Information Security Breach
Determining if Individual Notification is Needed
The Vice President and Chief Information Officer (VP CIO) or delegate, in consultation with the General Counsel's Office, are responsible for determining whether a breach of information security has occurred and whether notification to individuals is required. The VP CIO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.
The VP CIO or delegate works with the affected unit, responsible administrators, University Relations, and others as appropriate to deliver timely and effective notification to individuals.
- Draft the content of notification.
While the content may vary, notification must always include these elements, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of private information that were involved in the breach (e.g., full name, social security number, date of birth, home address, account number, personal financial information, grades, diagnosis, disability code, etc.)
- Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft)
- A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches
- Contact information for further questions and assistance, including a toll-free telephone number, an email address, Website address, or postal address
- Determine the manner of notification.
The VP CIO determines the appropriate manner of notification—whether first-class mail, email, or substitute notice—as required under the law.
- Review the notification.
All notifications must be reviewed with University Information Security (email@example.com).
- Determine if other actions are required.
The VP CIO must determine whether other requirements apply, depending on the nature of the information that is the subject of the breach, as well as the scope of the breach. Notifications required by the Minnesota Government Data Practices Act must comply with the provisions of that law. Minn. Stat. § 13.055, as well as subdivision 2. Notification regarding protected health information must comply with the notification provisions within HIPAA regulations. 45 C.F.R. Part 164, Subpart D. Additional requirements may include posting on websites, notice to media outlets, and notification to the Secretary of Health.