The University Policy Manual


Personal Information Security Breach Notification Policy

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, February 16, 2009; Revision approved June 17, 2010)
  • (Approved by the Chancellor, May 15, 2010)

Introduction

The North Carolina Identity Theft Protection Act, N.C. Gen. Stat. §§ 75-65 and 132-1.10(c1), requires State agencies to notify persons whose "personal information" held by an agency has been compromised by a "security breach" as defined in the Act. This Policy sets forth the circumstances and procedures under which required notifications will be made.

Definitions

"Personal Information" is defined by the Act to mean a person's first name or first initial and last name in combination with any of the following items:

  1. Social security or employer taxpayer identification number.
  2. Driver's license, State identification card, or passport numbers.
  3. Checking account numbers.
  4. Savings account numbers.
  5. Credit card numbers.
  6. Debit card numbers.
  7. Personal Identification Number (PIN code).
  8. Digital signatures.
  9. Any other numbers or information that can be used to access a person's financial resources.
  10. Biometric data.
  11. Fingerprints.

Even if listed above, however, "personal information" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, State, or local government records.

"Security Breach" is defined by the Act to mean an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur, or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.

Good faith acquisition of personal information by an employee or agent of the University for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the University and is not subject to further unauthorized disclosure.

"Security Breach" vs. "Lesser Breach"

In this Policy, the phrase "security breach" means that type of breach necessitating notice to impacted persons under this Policy and the Act. The phrase "lesser breach" refers to any other type of breach. The procedures in this Policy must be followed for all types of breaches unless otherwise indicated.

Procedures in the Event of any and all Breaches

Containment, Classification, and Report of a Breach.

Containment:

The first priority after any type of breach is discovered is to contain the breach and notify supervisory personnel as quickly as possible. The data must be secured, and the reasonable integrity, security, and confidentiality of the data or data system must be restored.

Classification and Internal Reporting:

The next step is to determine the exact nature of the breach in terms of its extent and seriousness. The supervisor must take immediate action to determine the extent and category of the breach and to take such further action as is necessary to contain the breach or recover the missing data. Assistance from University Information Technology Services, University Police, or other office with relevant expertise should be requested as soon as possible. University Counsel may also be requested to help determine the category of the breach. The supervisor must document the breach, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, accessed or acquired by an unauthorized person.

Action Steps after Discovery of Any and All Breaches:

Contact the University Counsel or the University Information Security Officer (ITS) for a copy of "Security Breach Notification Guidelines."

What Actions may be taken if ITS determines there has been a "Lesser Breach," i.e., a Breach that does not constitute a "Security Breach" as defined by this Policy and the Act?

If there has not been a "security breach" as defined by the Act and this Policy, then only the Chancellor, in his or her sole discretion, may direct that notification be given, if, under the facts and circumstances surrounding the breach, the Chancellor believes it to be in the best interest of the University and of individuals whose personal information may have been put at risk.

Notification to Victims where there has been a "Security Breach" as defined in the Act and this Policy

Time for Providing Notification.

The University shall notify affected individuals without unreasonable delay as described below. However, notification shall be delayed if law enforcement informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national or homeland security. A request for delayed notification must be made in writing or documented contemporaneously by the University in writing, including the name of the law enforcement officer making the request and the officer's agency engaged in the investigation. The required notification shall be provided without unreasonable delay after the law enforcement agency communicates to the University its determination that notification will no longer impede the investigation or jeopardize national or homeland security.

Responsibility for Providing Notification.

The responsibility for providing notification shall lie with the Head of the Division that has primary authority for the data. If the breach involves data from more than one Division, if primary authority for the data cannot be determined, or in the case of paragraph III.B. above, the responsibility shall lie with the officer designated by the Chancellor. The Division Head or the Chancellor may delegate this responsibility, but should satisfy himself or herself that the proper notification has, in fact, occurred. The University Counsel will review the proposed notification before it is sent and will assist in drafting as required. A copy of the notification will also be provided to the Director of University Relations prior to the time it is posted or sent to affected individuals.

Contents of the Notification.

The notification shall be clear and conspicuous and include all of the following:

  1. A description of the incident in general terms;
  2. A description of the type of personal information that was subject to the unauthorized access and acquisition;
  3. A description of the actions taken by the University to protect the personal information from further unauthorized access. However, the description of those actions may be general so as not to further increase the risk or severity of the breach;
  4. A telephone number that the person may call for further information and assistance;
  5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports;
  6. The toll-free numbers and addresses for the major consumer reporting agencies as follows:
    1. Equifax
      (800) 685-1111
      Web, www.equifax.com
    2. Experian
      (888) EXPERIAN
      (888-397-3742)
      Web, www.experian.com
    3. Trans Union
      (800) 888-4213
      Web, www.transunion.com; and
  7. The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft. The information is as follows:
    1. Federal Trade Commission,
      Consumer Response Center
      600 Pennsylvania Avenue, NW
      Washington, DC 20580
      Telephone: 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261
      http://www.ftc.gov/idtheft
    2. North Carolina Attorney General's Office
      9001 Mail Service Center
      Raleigh, NC 27699-9001
      Telephone: (919) 716-6400
      http://www.ncdoj.com/

Method of Notification

Notification to affected persons must be provided by one of the following methods [2] unless substitute notification is permitted:

  1. Written notification, or
  2. Electronic notification, for those persons for whom the University has a valid e-mail address and who have agreed to receive communications electronically, or
  3. Telephonic notification, provided that contact is made directly with the affected persons.

Substitute Notification.

Substitute notification may be given if:

  1. The cost of providing the notification exceeds $250,000;
  2. The University does not have the necessary contact information to notify an individual in any of the aforementioned manners; or
  3. The University is not able to identify particular affected individuals.

Method of Substitute Notification.

If given, substitute notification shall include all of the following:

  1. E-mail notification when the University has an electronic e-mail address for subject persons;
  2. Conspicuous posting of the notification on the University's Web page; and
  3. Notification to major statewide media.

Additional Requirements.

  1. Whenever notice of a "security breach" as defined in the Act and this Policy is given to at least one person, the University Counsel, without unreasonable delay, shall notify the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
  2. Whenever notice of a "security breach" as defined in the Act and this Policy is given to more than 1,000 persons, the University Counsel shall notify, without unreasonable delay, the Consumer Protection Division of the North Carolina Attorney General's Office, as well as all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. 1681a(p), of the timing, distribution, and content of any notice.

Effective Date

This Policy is effective November 1, 2006.

Contact

Comments or questions? Email the Policy Administrator.

Footnotes:

  1. If state-owned personal property has been stolen, damaged or misused, the State Bureau of Investigation must also be notified in accordance with N.C. Gen. Stat. § 114-15.1.
  2. Although the Identity Theft Protection Act only requires that one of the options listed in this section be selected, the University has discretion to give notice by more than one method.