POLICY TITLE: Computer Security Breach Notification Policy
POLICY #: IT - 23
DATE DRAFTED: 5/2/07
DATE POSTED for Review: 5/18/07
APPROVED DATE: 5/18/07
REVISION DATE: 03/31/2014

BRIEF DESCRIPTION:  To define the circumstances under which the University shall provide notice to individuals regarding a breach in security of private information.


Introduction:
The University of Iowa shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by the University.

Scope:
Attacks on University IT resources are infractions of the Acceptable Use Policy constituting misuse, or they may be vandalism or other criminal behavior. Reporting information security breaches occurring on University systems and/or on University networks to appropriate authorities is a requirement of all persons affiliated with the University in any capacity, including staff, students, faculty, contractors, visitors, and alumni.  

Policy Statement:
Suspected or confirmed information security breaches must be reported to University authorities. This includes the affected management or collegiate unit officer, as well as the Information Security and Policy Office (ISPO). Contact the ISPO by sending a message to it-security@uiowa.edu or calling 319-335-6332.

The ISPO will investigate the report, and if a security breach of private and/or highly sensitive information may have occurred, will inform the Chief Information Officer (CIO) and/or law enforcement, as appropriate.

In the event that a public notification of the security breach may be warranted, the CIO will consult with the appropriate University Vice President(s), Provost, and General Counsel to develop the response and make the final determination if a public notification of the event is warranted.

Procedures:
The entity responsible for support of the system or network under attack is expected to:
  1. Report the attack to their management and to the ISPO
  2. Block or prevent escalation of the attack, if possible
  3. Follow instructions communicated from the ISPO in subsequent investigation of the incident and preservation of evidence
  4. Implement recommendations from the ISPO
  5. Repair the resultant damage to the system

Internal Notifications
The Chief Information Security Officer will report serious computer security breaches to the Chief Information Officer (CIO) in a timely manner. The CIO will consult with one or more VPs as appropriate, and decide if the Critical Incident Management Team must be convened to determine a response strategy, or if an alternate group is appropriate for the response. This determination may be made prior to completion of the investigation of the security breach. The ISPO will report the incident to the Department of Public Safety, the appropriate Judicial Representative, and/or the University General Counsel when, based on preliminary investigation, criminal activity has taken place and/or when the incident originated from a University computer or network.

Determination of External Notification
To determine if unencrypted private or highly sensitive information has been acquired, or is reasonably believed to have been acquired by an unauthorized person, the (likelihood of the) following will be considered:
  1. Physical possession (lost or stolen device?)
  2. Credible evidence the information was copied/removed
  3. Length of time between intrusion and detection
  4. Purpose of the intrusion was acquisition of information
  5. Credible evidence the information was in a useable format
  6. Ability to reach the affected individuals
  7. Applicable University policy, and/or local, state, or federal laws

External Notification
If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:
  1. Written notice will be provided to the affected individuals using US Mail, unless the cost is excessive or insufficient contact information exists.  The letter will be developed by the department responsible for the system experiencing the breach, and approved by University Relations and others as appropriate. The excessiveness of cost consideration will be the decision of the CIO, General Counsel, and Vice President for Finance and Operations.
  2. If written notice to the affected individuals is not feasible, the following methods will be considered for providing notice:
    1. Personal e-mail notices (provided addresses are available), developed by the department responsible for the system experiencing the breach, and approved by the CIO, University Relations, and other administrators as appropriate.
    2. A press release to media, to be written by University Relations and approved by the CIO, and other administrators as appropriate.
    3. An informational web site, developed and hosted by the department responsible for the system experiencing the breach, and approved by the CIO, University Relations, and others as appropriate, with a conspicuous link in the University Home Page News area.
  3. All expenses associated with external notification will be the responsibility of the department responsible for the system that experienced the security breach.

Definitions:

Private Information
If the information acquired includes a name (first and last name or first initial and last name) in combination with any of the following, and the information was not in an encrypted format, a public notification may be warranted:

  1. Social security number
  2. Driver’s license number
  3. Bank Account, Credit, or Debit Card Account number with security, access, PIN, or password that would permit access to the account
  4. HawkID Password

Personal information that is publicly and lawfully available to the general public, such as address, phone number, and email address, is not considered private information for the purposes of this policy.

Highly Sensitive Information
If the information acquired is of a very sensitive, confidential, or proprietary nature, the security breach will be investigated and University officials, including the CIO, General Counsel, and Vice Presidents will determine if a public notification is warranted. Examples of highly sensitive information include but are not limited to:

  1. Name, Address, with Date of Birth
  2. Records protected by FERPA, HIPAA, GLBA, or other applicable federal laws and regulations
  3. Research data or results prior to publication or filing of a patent application
  4. Information subject to contractual confidentiality provisions
  5. Security codes, combinations, or passwords

Related Policies, References and Practices:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm)