Data Compromise Notice Procedure Summary and Guide

Similar documents
Information Classification & Protection Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Cybersecurity in Higher Ed

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Keeping It Under Wraps: Personally Identifiable Information (PII)

Information Technology Standards

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Presented by: Jason C. Gavejian Morristown Office

COMMENTARY. Information JONES DAY

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Employee Security Awareness Training Program

Red Flags/Identity Theft Prevention Policy: Purpose

[Utility Name] Identity Theft Prevention Program

University of Wisconsin-Madison Policy and Procedure

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Summary Comparison of Current Data Security and Breach Notification Bills

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Security and Privacy Breach Notification

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Red Flags Program. Purpose

Putting It All Together:

What is Cybersecurity?

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Prevention of Identity Theft in Student Financial Transactions AP 5800

Navigating Regulatory Impacts of a Financial Services Data Breach

Federal Breach Notification Decision Tree and Tools

UTAH VALLEY UNIVERSITY Policies and Procedures

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Frequently Asked Question Regarding 201 CMR 17.00

Data Governance & Classification Policy A Data Classification and Data Types

Cyber Security Issues

PRIVACY-SECURITY INCIDENT REPORT

Identity Theft Prevention Program. Effective beginning August 1, 2009

Security Breaches: How to Prepare and Respond

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

Privacy & Information Security Protocol: Breach Notification & Mitigation

Orlando, FL September 23-27, Your School Has Been Breached Now What? Cyber Incident Simulation Exercise

Subject: University Information Technology Resource Security Policy: OUTDATED

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

HIPAA FOR BROKERS. revised 10/17

Protecting Your Gear, Your Work & Cal Poly

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Breach Notification Assessment Tool

Information Privacy Statement

HIPAA and HIPAA Compliance with PHI/PII in Research

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

What To Do When Your Data Winds Up Where It Shouldn t

IDENTITY THEFT PREVENTION Policy Statement

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Breaches and Remediation

HIPAA & Privacy Compliance Update

University of North Texas System Administration Identity Theft Prevention Program

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA UPDATE. Michael L. Brody, DPM

HIPAA Federal Security Rule H I P A A

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

CCC Data Management Procedures DCL3 Data Access

Understanding the Impact of Data Privacy January 2012

Beam Technologies Inc. Privacy Policy

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Data Backup and Contingency Planning Procedure

Information Security Incident Response Plan

ANNUAL SECURITY AWARENESS TRAINING 2012

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

DATA PROTECTION LAWS OF THE WORLD. United States

Information Security Incident Response Plan

THE CCPA AND PREPARING FOR STATE PRIVACY LEGISLATION. Nathan Taylor Morrison & Foerster LLP

Credit Card Data Compromise: Incident Response Plan

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

Privacy Policy on the Responsibilities of Third Party Service Providers

Security of Personal and Financial Information.

CURTIS BANKS LIMITED. Privacy Information Notice. curtisbanks.co.uk

The HIPAA Omnibus Rule

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Spectrum Wellness Privacy Statement

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Records Management and Retention

MICRO-ENTERPRISE CREDENTIAL TRACKING AGREEMENT

Overview of Presentation

What is a Dataset? Information Security and Privacy Office (ISPO) Risk Assessment Program August 2018 Version 1.1

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Data Breach Trends: What Local Government Lawyers Need to Know

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

General Data Protection Regulation (GDPR)

IAM Security & Privacy Policies Scott Bradner

Security Breach Notification Reflections on the U.S. Experience

DEPAUW UNIVERSITY DATA CLASSIFICATION POLICY AND HANDLING RECOMMENDATIONS ( )

HIPAA Privacy and Security Training Program

Online Privacy & Security for the Mortgage Industry

UWTSD Group Data Protection Policy

Transcription:

Data Compromise Notice Procedure Summary and Guide Various federal and state laws require notification of the breach of security or compromise of personally identifiable data. No single federal law or regulation governs the security of all types of sensitive personal information. Under federal law certain industries are legally obligated to protect certain types of sensitive personal information. These obligations were created, in large part, when federal privacy legislation was enacted in the credit, financial services, health care, government, securities, and Internet sectors. Federal regulations were issued to require certain entities to implement information securities programs and provide breach notice to affected persons. The summary below outlines the primary laws impacting the University of Massachusetts and the steps that must be taken if a legally covered data is compromised (i.e., intentionally or accidently disclosed, accessed, or used), A. Massachusetts General Law 93H (M.G.L. 93H) Notice requirements are triggered under M.G.L. 93H when the University knows that: There has been breach of security including unauthorized acquisition or use (e.g., used for unauthorized reasons) of encrypted or unencrypted information that creates a substantial risk of identity theft or fraud OR Personal information, as defined in M.G.L. 93H and detailed below, of a resident of the Commonwealth has been acquired or used by an unauthorized person OR Personal information, as defined in M.G.L. 93H and detailed below, of a resident of the Commonwealth has been used for an unauthorized purposes. There is no minimum number of impacted Residents so a breach of security or disclosure of information relating to a single resident may require notice under this law. M.G.L. 93H defines personal information as an individual's first name or first initial, and last name in combination with one or more of the following data elements: Social Security Number, Driver s License Number State-Identification Card Number, Financial Account Number Or Credit Or Debit Card Number, With Or Without Any Required Security Code, Access Code, Personally Identifiable Identification Number Or Password, That Would Permit Access To A Resident s Financial Account. The issues to consider related to M.G.L. 93H are: b. If no, go to question 6. 2. Does the compromise impact Massachusetts residents? b. If no, determine if other laws (e.g., HIPAA, GLB, FERPA, other state breach notification laws, etc.) apply

3. Does the data fall into the defined PI data noted above. a. If yes, go to question 5. b. If no, go to question 4. 4. Is the information disclosed in security breach information that poses a substantial risk of identity theft or fraud against a Massachusetts resident? Several factors should be considered when determining the level of risk including but not limited to, whether the data was targeted by an attacker, the circumstances of the breach (e.g., random theft of a laptop out of a car versus theft out of a locked office), whether one or many data elements were compromised that if used in combination with other easily accessible information may increase the risk, etc.) a. If yes, go to question 5. b. If no, no action is needed. 5. Was the compromised data encrypted? a. If yes, was the encryption key compromised? Maybe we need to change the order. First question is, was it encrypted, and was key comprised? Then second question, if key comprised, or if unencrypted, does it pose substantial risk? If no, no other action needed b. If no, Notice must be given to: The Attorney General using University standard notice The Director of Consumer Affairs and Business Regulation (required only for specific financially related data compromise) Consumer reporting agencies (required only for specific financially related data compromise) Affected individuals using University standard notice 6. Has the data owner/licensor specified a process to follow, either via a contract or other written document, when a compromise occurs? B. Health Insurance portability and Accountability Act of 1996 (HIPAA) Some University entities (e.g., health services, pharmacies, clinical studies, etc.) are subject to HIPAA and therefore, are impacted by HIPAA s Standards for Privacy (i.e., Privacy Rule) of Personally Identifiable Health Information (i.e., PHI - information relating to past, present or future physical or mental health or condition of an individual; provision of healthcare to an individual or payment for the provision of healthcare to an individual). The HIPAA Privacy Rule covers PHI whether it is on paper, in computers (i.e., electronic) or communicated orally. Please note that student health records are classified as "education records" and are therefore, covered by the Family Educational Rights and Privacy Act (FERPA). HIPAA defines PHI as including, but not limited to: Name Telephone/Fax Number, Email Address, Social Security Number,

Driver s License Number, Name And Internet Address Or A Any Other Unique Identifying Number, Characteristic Or Code. HIPAA contains no specific data compromise notice requirement other than for internal reporting. According to the Department of Health and Human Services, "This regulation does not specifically require any incident reporting to outside entities. External incident reporting is dependent upon business and legal considerations." Thus, while the HIPAA Security Rule does not require you be notified of a breach, other laws may require notice. Within Massachusetts, the disclosure of confidential medical information is restricted by a statutory right of privacy as well as by statutes governing specific entities and medical conditions. Regardless of the lack of external notice requirements of HIPAA, the compromise of personal patient/medical information may fall under M.G.L. 93H if the data compromised creates a substantial risk of identity theft or fraud against a Massachusetts resident. The issues to consider for a security breach of patient/medical related personal data are: b. If no, go to question 4. 2. Is the information disclosed in security breach information that poses a substantial risk of identity theft or fraud against a Massachusetts resident? Several factors should be considered when determining the level of risk including but not limited to, whether the data was targeted by an attacker, the circumstances of the breach (e.g., random theft of a laptop out of a car versus theft out of a locked office), whether one or many data elements were compromised that if used in combination with other easily accessible information may increase the risk, etc.) 3. Was the compromised data encrypted? 4. Was the encryption key compromised? 5. Has the data owner/licensor specified a process to follow, either via a contract or other written document, when a compromise occurs?

C. Family Educational Rights and Privacy Act (FERPA) The University may disclose, without consent, "directory" information. The University has defined directory information as: Student's name; Major; Acknowledgment of a student's participation in officially recognized activities and sports; Weight and height of members of athletic teams; Date(s) of attendance; Degrees, certificates, awards received; The most recent previous educational agency or institution attended by the student; and Appointment as a Resident Assistant or Community Development Assistant. For graduate students who are teaching credit courses, work department, office address, and employment category are also defined as directory information. The University is required to give students a reasonable amount of time to request that the school not disclose directory information about them. FERPA controls the disclosure of personally identifiable information (i.e., data directly related to student other than directory information) regardless of format (e.g., handwritten, audio, paper, electronic, etc.) to third parties. FERPA does NOT cover alumni records. FERPA contains no specific data compromise notice requirement. Regardless of the lack of external notice requirements of FERPA, the compromise of personal student information may fall under M.G.L. 93H if the data compromised creates a substantial risk of identity theft or fraud against a Massachusetts resident. The issues to consider for a security breach of student related data are: b. If no, go to question 7. 2. Is the data defined as University directory information? b. If no, go to question 4. 3. Has the student requested that the University not disclose directory information about them?. c. 4. Is the information disclosed in security breach information that poses a substantial risk of identity theft or fraud against a Massachusetts resident? Several factors should be considered when determining the level of risk including but not limited to, whether the data was targeted by an attacker, the circumstances of the breach (e.g., random theft of a laptop out of a car versus theft out of a locked office), whether one

or many data elements were compromised that if used in combination with other easily accessible information may increase the risk, etc.) a. If yes, go to question 5. 5. Was the compromised data encrypted? a. If yes, go to question 7. 6. Was the encryption key compromised? 7. Has the data owner/licensor specified a process to follow, either via a contract or other written document, when a compromise occurs? D. Graham-Leach-Bliley Act (GLBA) GLBA requires that the University ensure the security and confidentiality of customer records (i.e., personally identifiable information) such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. GLBA contains no specific data compromise notice requirement however some of this data is included in M.G.L. 93H (i.e., names plus bank and credit card account numbers and Social Security Numbers) so notice requirements of this law take effect in the event of a data breach. Follow section A of this document. Regardless of the lack of external notice requirements of GLBA, the compromise of personal customer information other than PII may fall under M.G.L. 93H if the data compromised creates a substantial risk of identity theft or fraud against a Massachusetts resident. Note: In most cases this would be related to the compromise of financial aid information so students would be the impacted customers. The issues to consider for a security breach of customer data are: b. If no, go to question 5. 2. Is the information disclosed in security breach information that poses a substantial risk of identity theft or fraud against a Massachusetts resident? Several factors should be considered when determining the level of risk including but not limited to, whether the data was targeted by an attacker, the circumstances of the breach (e.g., random theft of a laptop out of a car versus theft out of a locked office), whether one or many data elements were compromised that if used in combination with other easily accessible information may increase the risk, etc.)

3. Was the compromised data encrypted? 4. Was the encryption key compromised? 5. Has the data owner/licensor specified a process to follow, either via a contract or other written document, when a compromise occurs? E. Other Confidential Information Compromises Requiring Notice As previously noted, regardless of the lack of external notice requirements for specific types of data (e.g., mother s maiden name, birth date, employee identification number, etc.) the compromise of personal information may fall under M.G.L. 93H if the data compromised creates a substantial risk of identity theft or fraud against a Massachusetts resident. The issues to consider for a security breach of the other data types are: b. If no, go to question 5. 2. Does the data disclosure create a substantial risk of identity theft or fraud against a Massachusetts resident? 3. Was the compromised data encrypted? 4. Was the encryption key compromised? 5. Has the data owner/licensor specified a process to follow, either via a contract or other written document, when a compromise occurs? b. If no, notify data owner of compromise. c. Lastly, this Procedure is not intended to impose any further data security breach/compromise notice requirements other than those dictated in M.G.L. 93H however, there may be incidents involving PII or protected data for which Campuses determine external notification is prudent. This is especially true if multiple data elements are compromised which, when taken as a whole present a significant risk of safety, identity theft or fraud to impacted individuals. The need for such notices will be determined by the Campuses, in coordination with University legal counsel, and as authorized by the Campus CIO.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback