A. Reason for Procedure
Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the University in certain circumstances was acquired by someone without valid authorization.
The purpose of this policy is to establish procedures to prepare for and respond to data breach incidents, including determining which systems or applications were affected, whether data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.
B. Responsible Officer and Office
Computing and Information Services (CIS)
Any suspected or confirmed compromise of protected electronic data must be reported to the Director of Information Technology and to the local system administrator.
Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change according to the appended procedure.
The VP for Finance and Administration will convene a response team, including, as appropriate, the General Counsel, the Director of IT, the Associate VP of External Affairs, the Director of Public Safety, the Vice Provost, and others.