Notification of a data security breach
Administrative procedure
Determining if individual notification is needed:
Per the Information Security Standard: Data Security Breach, the Senior Manager of Information Security (SMIS), in consultation with the Office of Legal Affairs, is responsible for determining:
- Whether a breach of information security or University sensitive data has occurred; and
- Whether notification to affected individuals is required, based upon state and federal laws.
The SMIS may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.
All notifications must be reviewed and approved by University Information Security prior to the distribution of the notification.
Notifying individuals
The SMIS or delegate works with the affected unit, responsible administrators, and others as appropriate to deliver timely and effective notification to individuals.
- Draft the content of the notification. While the content may vary, notification must always include these elements, to the extent possible:
  - A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
  - A description of the types of private data that were involved in the breach (e.g., full name, social security number, date of birth, home address, bank account number, personal financial information, grades, diagnosis, etc.)
  - Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft)
  - A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches
  - Contact information for further questions and assistance, including a toll-free telephone number, an email address, website address, or postal address as appropriate.
- Determine the manner of notification. The SMIS determines the appropriate manner of notification, whether first-class mail, email, or substitute notice, as required under the law.
- Review the notification. University Information Security reviews and approves all notifications prior to distribution of the notification.
- Determine if other actions are required. The SMIS determines whether other requirements apply, depending on the nature of the information that is the subject of the breach, as well as the scope of the breach. Such determinations may include, but are not limited to:
  - Notification required by the Ohio Revised Code Section 1349.19.
  - Notification in accordance with other state and federal laws, and contractual and regulatory obligations, as applicable.
  - Notification regarding protected health information, which must comply with the notification provisions of the HIPAA regulations (45 C.F.R. Part 164, Subpart D), including additional requirements such as posting on websites, notice to media outlets, and notification to the Secretary of Health and Human Services.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Finance and Administration: Chad Mitchell
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved November 20, 2020.