1. Purpose

This Policy establishes Information Security Incident reporting and notification requirements.

2. Scope

This policy applies to all University information assets or information assets in the University’s care, and applies to all faculty, staff, students, and any parties who interact with, access, or store University information assets or information assets in the University’s care regardless of storage device, medium or physical location.

3. Definitions

3.1 University Employees and Affiliates

Faculty, staff, student employees, interns, contractors, cloud service providers, or any other third parties engaged in work on the University’s behalf.

3.2 Information Asset

Information, defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively. Information assets may be stored in various media and various formats (for example, within databases, in word processing documents, within spreadsheets, in diagrams or other forms).

3.3 University Information System

Any data system operated or maintained by University Employees or Affiliates, or service providers, which interacts with, accesses, or stores information assets in University care regardless of storage device, medium or physical location.

3.4 Information Security Incident (“Security Incident”)

An information security event that has compromised the confidentiality, integrity, or availability of an information asset. Such incidents include, but are not limited to, workstation viruses, spyware infections, data system or storage theft, or other unauthorized interactions with University Information Systems or data.

3.5 Information Security Breach (“Security Breach”)

An Information Security Incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data whether transmitted, stored or otherwise processed.

3.6 Protected Data

Data protected by legal, regulatory or contractual requirements, or by University Policy. The North Carolina Identity Theft Protection Act (NC Gen. Stat. 75-65, and 132-1.10(c1)) and the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) are examples of regulations defining protected data and its security requirements. Such data include, but are not limited to, Social Security Numbers, credit card/financial information, and student records information. Such information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, State, or local government records. Please see the University’s Data Classification Policy for more detailed information about protected data, and about classification and storage requirements for such data.

4. Policy

4.1

University Employees and Affiliates must promptly report suspected Information Security Incidents, including physical loss of equipment or storage media, to their department head (or in Incidents involving the department head, to the department head’s immediate supervisor) and to the Information Security Office using the process outlined in the University’s Information Security Incident Reporting Procedures.

4.2

The Information Security Office will, with cooperation of the affected department, investigate all reported incidents and report relevant results to the Vice Chancellor for Information Technology Services and to the department head (or in Incidents involving the department head, to the department head’s immediate supervisor).

4.3

The Vice Chancellor for Information Technology Services, with advice from the Information Security Officer, will determine if a Security Incident constitutes a Security Breach.

4.4

The Vice Chancellor for Information Technology Services will report to and advise the Chancellor on possible Security Breaches as appropriate.

  1. Content and scope of any Security Breach Notification shall be at the Chancellor’s discretion and in compliance with all legal requirements.
  2. Determining if a Security Breach or Incident is appropriate for public notification is solely the responsibility of the Chancellor with advice from the Vice Chancellor for Information Technology Services and others at the Chancellor’s discretion.
  3. Should the Chancellor determine a Security Breach requires public notification, the Chancellor will direct that notification of said Breach be given within 30 days of the conclusion of the Security Incident investigation.

4.5

All Security Breaches shall be reported to external regulatory and legal authorities and individual notifications shall be made in compliance with the North Carolina Identity Theft Protection Act (NC Gen. Stat. 75-65, and 132-1.10(c1)) and other applicable law as appropriate.

4.6

Beyond notification and except where required by law, the University makes no promise of service to individuals affected by a Security Breach. The Chancellor, however, may elect to provide additional services to affected individuals.

4.7

Security Incidents involving protected health information are subject to this policy and to the University’s HIPAA Compliance Policy, which outlines University compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

5. Compliance and Enforcement

The Vice Chancellor for Information Technology Services will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the student handbook. For employees, any violation of this policy is “misconduct” under EHRA policies (faculty and EHRA non-faculty) and “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein. Violations of law may also be referred for criminal or civil prosecution.

6. Additional Information

6.3 Resources

6.4 Approval Authority

Chancellor

6.5 Contacts for Additional Information and Reporting

Vice Chancellor of Information Technology Services (Chief Information Officer), Donna Heath, 336-334-5092, drheath@uncg.edu

University Information Security Officer, Casey Forrest, 336-334-3304, cjforrest@uncg.edu

Revisions

| Revision Date | Revision Summary |
|---|---|
| | Formerly Personal Information Security Breach Notification Policy |
| 02/16/2009 | Approved by the Chancellor |
| 06/17/2010 | Approved by the Chancellor |
| 08/17/2015 | Approved by the Chancellor |

- Information Security Incident Reporting and Notification Policy. Retrieved 06/21/2021. Official version at https://policy.uncg.edu/university_policies/information-security-incident-reporting-and-notification-policy/. Copyright © 2021 The University of North Carolina at Greensboro.