Breach or Loss of Information

Data Security Breach or Loss of Confidential or Private Information – Emergency Response Plan

Information Security Response Team

For any event involving a possible data security breach or loss of student, faculty or staff confidential or private information, immediately notify the Information Security Response Team (ISRT) for evaluation. This group consists of:

• Chief Information Officer (3468)
• General Counsel (3283)
• Director of Human Resources (3398)
• Registrar (3248)
• Executive Director of Communications (3112)
• Associate Vice President for Business and Finance (3560)

Responsible User

• Notify a member of the response team of the perceived incident involving information security and potential loss or breach of SSU institutional data, communicating the general nature of the event, date and time of the occurrence, information perceived to be lost or stolen and the storage device associated with the loss. Leave contact information (if off-campus during the occurrence).
• Identify any missing hardware or software associated with the data loss.
• Immediately complete and submit the form titled Confidential Information-Data Loss or Breach of Security Incident Notification Report accessed from here.

Information Security Response Team Member

• The Chief Information Officer will submit a communication to the Information Security Response Team distribution list to ensure each member is aware of the event disclosure. Each member should immediately contact ITS to communicate his/her availability to organize and meet in person at the scheduled day/time. If the Chief Information Officer is not available the Associate Director of ITS will serve as the backup member on the Information Security Response Team, to review and evaluate the communicated event to the ISRT.
• Meet with other Information Security Response Team members to determine if notification to impacted individuals is necessary. Decision criteria include:
  1. A confirmation that an incident occurred, involving confidential or private data loss.
  2. An interpretation by General Counsel in terms of applicable laws.
  3. An analysis of data in scope of event and qualification of whether data is useable if accessed, i.e. unencrypted or non-redacted.
  4. A reasonable belief that data in question was or can be acquired by unauthorized individuals for misuse.
• Communicate to other emergency response constituents, i.e. Cabinet, Security, Facilities regarding developments, issues, actions taken and path forward, in accordance with the broader Emergency Response plan.
• Enforce necessary campus policies and procedures to limit exposure of loss.
• Contact Beasley Breach Response to engage support within service level agreement.

Chief Information Officer

• Upon notification of a suspected breach in data security review the information submitted by the Responsible User or Information Security Response Team member contacted. Alert the Information Security Response Team of the suspected loss of data, providing a preliminary assessment of the event based on known information.
• Convene the Information Security Response Team to review and evaluate the communicated event.
• Enforce necessary technical procedures to limit exposure of loss.
• Secure evidence for analysis by state and local authorities if necessary.
• Communicate with leadership for input and followup.

Executive Director of Communications

• Develop a notification plan based on action steps recommended by the Information Security Response Team. This potentially includes but is not limited to:
  1. Communication to campus
  2. Written notifications to individuals impacted
  3. Dedicated telephone assistance and critical contact information via Help Lines
  4. Dedicated web site communications
  5. Press releases to public
  6. Credit file monitoring and expenses of impacted individuals
  7. Legal requirements and campus policies
  8. Managing news media