1. Purpose

This Policy establishes Information Security Incident reporting and notification requirements.

2. Scope

This policy applies to all University information assets or information assets in the University’s care, and applies to all faculty, staff, students, and any parties who interact with, access, or store University information assets or information assets in the University’s care regardless of storage device, medium or physical location.

3. Definitions and Roles and Responsibilities

3.1 Definitions

University Employees and Affiliates: Faculty, staff, student employees, interns, contractors, cloud service providers, or any other third parties engaged in work on the University’s behalf.

Information Asset: Information defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively. Information assets may be stored in various media and various formats (for example, within databases, in word processing documents, within spreadsheets, in diagrams or other forms).

University Information System: Any data system operated or maintained by University Employees or Affiliates, or service providers, which interacts with, accesses, or stores information assets in University care regardless of storage device, medium or physical location.

Information Security Incident (“Security Incident”): An information security event that has compromised the confidentiality, integrity, or availability of an information asset. Such incidents include, but are not limited to, workstation viruses, spyware infections, data system or storage theft, or other unauthorized interactions with University Information Systems or data.

Information Security Breach (“Security Breach”): An Information Security Incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data whether transmitted, stored or otherwise processed.

Protected Data: Data protected by legal, regulatory or contractual requirements, or by University Policy. The North Carolina Identity Theft Protection Act (NC Gen. Stat. 75-65 and 132-1.10(c1)), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the Health Insurance Portability and Accountability Act (HIPAA) are examples of regulations defining protected data and its security requirements. Such data include, but are not limited to, Social Security Numbers, credit card/financial information, and student records information. Such information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, State, or local government records. Please see the University’s Data Classification Policy for more detailed information about protected data, and about classification and storage requirements for such data.

4. Policy

4.1 University Employees and Affiliates must promptly report suspected Information Security Incidents, including physical loss of equipment or storage media, to their department head (or in Incidents involving the department head, to the department head’s immediate supervisor) and to the Information Security Office using the process outlined in the University’s Information Security Incident Reporting Procedures.

4.2 The Information Security Office will, with cooperation of the affected department, investigate all reported incidents and report relevant results to the Vice Chancellor for Information Technology Services and to the department head (or in Incidents involving the department head, to the department head’s immediate supervisor).

4.3 The Vice Chancellor for Information Technology Services, with advice from the Information Security Officer, will determine if a Security Incident constitutes a Security Breach.

4.4 The Vice Chancellor for Information Technology Services will notify the Office of General Counsel and report to and advise the Chancellor on possible Security Breaches as appropriate.

  1. The content and scope of any Security Breach Notification shall be at the Chancellor’s discretion and in compliance with all legal requirements.
  2. Determining whether a Security Breach or Incident is appropriate for public notification is the responsibility of the Chancellor, with advice from the Vice Chancellor for Information Technology Services, the Office of General Counsel, and others at the Chancellor’s discretion.
  3. When it is determined that a Security Breach requires public notification, the Chancellor will direct that notification of the Breach be given within 30 days of the conclusion of the Security Incident investigation.

4.5 All Security Breaches shall be reported to external regulatory and legal authorities, and individual notifications shall be made in compliance with the North Carolina Identity Theft Protection Act (NC Gen. Stat. 75-65 and 132-1.10(c1)) and other applicable law as appropriate.

4.6 Beyond notification and except where required by law, the University makes no promise of service to individuals affected by a Security Breach. The Chancellor may elect to provide additional services to affected individuals.

4.7 Security Incidents involving protected health information are subject to this policy and to the University’s HIPAA Compliance Policy, which outlines University compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

5. Compliance and Enforcement

The Vice Chancellor for Information Technology Services will enforce this Policy and establish standards, procedures, and protocols in support of the policy.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the student handbook. For employees, any violation of this policy is “misconduct” under EHRA policies (faculty and EHRA non-faculty) and “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.

If violation of the policy also results in a violation of law, the violation may be referred for criminal or civil prosecution. Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.

6. Additional Information

6.3 Resources

6.4 Approval Authority

The Chancellor is responsible for approving this Policy.

6.5 Contacts for Additional Information and Reporting

  • Responsible Executive: Donna R. Heath, Vice Chancellor for Information Technology Services and Chief Information Officer (CIO), [email protected]
  • Responsible Administrator: Casey J. Forrest, Chief Information Security Officer (CISO), [email protected]

Revisions

Formerly the Personal Information Security Breach Notification Policy.

Revision Date   Revision Summary
02/16/2009      Approved by the Chancellor
06/17/2010      Approved by the Chancellor
08/17/2015      Approved by the Chancellor
08/09/2021      Approved by the Chancellor

- Information Security Incident Reporting and Notification Policy. Retrieved 04/20/2024. Official version at https://policy.uncg.edu/university_policies/information-security-incident-reporting-and-notification-policy/. Copyright © 2024 The University of North Carolina at Greensboro.