Policy 2317 – Computer Breach Notification Policy
Effective Date: 1/16/2015
Responsible Office: Computing Center
Brief Description: To define the circumstances under which the University shall provide notice to individuals regarding a breach in security of private information.
Louisiana Tech University shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by the University.
Attacks on University IT resources are infractions of the Campus Computer Use Policy. Reporting information security breaches occurring on University systems and/or on University networks to appropriate authorities is a requirement of all persons affiliated with the University in any capacity, including staff, students, faculty, contractors, visitors, and alumni.
Suspected or confirmed information security breaches must be reported to University authorities, which includes informing the affected management or collegiate unit officer, as well as contacting the Computing Center Director at 318-257-2893 and sending a message to firstname.lastname@example.org.
The Computing Center Director will investigate the report, and if a security breach of private and/or highly sensitive information has occurred, will inform the President and/or law enforcement as appropriate.
In the event that a public notification of the security breach may be warranted, the Computing Center Director will consult with the appropriate University Vice President(s), President, and General Counsel to develop the response and make the final determination if a public notification of the event is warranted.
The entity responsible for support of the system or network under attack is expected to:
- Report the attack to their management and to the Computing Center
- Block or prevent escalation of the attack, if possible
- Follow instructions communicated from the Computing Center in subsequent investigation of the incident and preservation of evidence
- Implement recommendations from the Computing Center
- Repair the resultant damage to the system
The Computing Center Director will report serious computer security breaches to the President and to the Vice President of Academic Affairs in a timely manner. He will consult with one or more Vice Presidents as appropriate to determine a response strategy, or if an alternate group is appropriate for the response. This determination may be made prior to completion of the investigation of the security breach. The Computing Center Director will report the incident to the Facility Security Officer and appropriate authorities when, based on preliminary investigation, criminal activity has taken place and/or when the incident originated from a University computer or network.
Determination of External Notification
If unencrypted private or highly sensitive information has been acquired, or is reasonably believed to have been acquired by an unauthorized person, the following factors will be considered to determine if an external notification is warranted:
- Physical possession (lost or stolen device?)
- Credible evidence the information was copied/removed
- Length of time between intrusion and detection
- Purpose of the intrusion was acquisition of information
- Credible evidence the information was in a useable format
- Ability to reach the affected individuals
- Applicable University policy, and/or local, state, or federal laws
If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:
Written notice will be provided to the affected individuals using US Mail, unless the cost is excessive or insufficient contact information exists. The letter will be developed by the department responsible for the system experiencing the breach, and approved by University Communications and others as appropriate. The excessiveness of cost consideration will be the decision of the Computing Center Director, General Counsel, and Vice President for Finance.
If written notice to the affected individuals is not feasible, the following methods will be considered for providing notice:
- Personal e-mail notices (provided addresses are available), developed by the department responsible for the system experiencing the breach, and approved by University Communications, the Computing Center Director, and other administrators as appropriate.
- A press release to media, to be written by University Communications.
- An informational web page approved by University Communications, and others as appropriate, with a conspicuous link in the University Home Page and News Area.
All expenses associated with external notification will be the responsibility of the department responsible for the system that experienced the security breach.
If the information acquired includes a name (first and last name or first initial and last name) in combination with any of the following, and the information was not in an encrypted format, a public notification may be warranted:
- Social Security Number
- Driver’s license number
- Bank Account, Credit, or Debit Card Account number with security, access, PIN, or password that would permit access to the account
Personal information that is publicly and lawfully available to the general public, such as address, phone number, and email address, is not considered private information for the purposes of this policy.
Highly Sensitive Information
If the information acquired is of a very sensitive, confidential, or proprietary nature, the security breach will be investigated and University officials, including the Computing Center Director, General Counsel, and Vice Presidents will determine if a public notification is warranted. Examples of highly sensitive information include but are not limited to:
- Records protected by FERPA, HIPAA, GLBA, or other applicable federal laws and regulations
- Research data or results prior to publication or filing of a patent application
- Information subject to contractual confidentiality provisions
- Security codes, combinations, or passwords