Data Breach Response Policy

Scope

This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting Aurora University (AU) data.

Purpose

The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.

Aurora University Data

AU public data is defined as information that a user has a reasonable basis to believe is lawfully made available to the general public from:

(i) Federal, State, or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public required to be made by Federal, State, or local law.

AU private data is defined as private information (e.g., Social Security number, birth date, credit card numbers) that may be released only to the subject (i.e., owner) of the information; to those within the University who have a legitimate need to know; to outside agencies or departments with the subject's written permission; and to others as allowed by law.

Policy

Reporting of suspected thefts, data breaches or exposures

Any individual who suspects that a theft, breach or exposure of AU data has occurred must immediately provide a description of what occurred to the Chief Information Officer by e-mail at itshelp@aurora.edu or by phone at 630-844-5790. This e-mail address and phone number are monitored by AU's information security resources, who will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure is confirmed, the information security team will follow the appropriate procedure depending on the nature of the data involved.

The following flowchart specifies the steps to be taken upon notification of a data breach:

[Figure: Data Breach Flow Chart]

Questions about this Policy

If you have questions about this policy, please contact the Chief Information Officer at itshelp@aurora.edu or 630-844-5790.

Policy Adherence

Failure to follow this policy can result in disciplinary action, up to and including termination, as provided in the applicable employment handbook or employment guide.

Appendix

For any data breaches, exposures, or thefts involving information listed below, a representative from the listed areas will be included on the response team:

Data type, followed by the areas or individuals to be additionally included on the response team:

  • Financial information, including but not limited to credit card numbers, bank account numbers, investment information, grant information, and budget information
    • Response team adds: Finance, Director of Cash Management and/or Treasurer
  • Information about individual employees, including but not limited to Social Security numbers
    • Response team adds: Human Resources
  • Student financial information
    • Response team adds: Office of Financial Aid, Student Accounts, University Communications
  • Student information protected by FERPA
    • Response team adds: Student Life, Registrar, Provost, University Communications
  • Student health information
    • Response team adds: Student Life, Wellness Center, University Communications
  • Student information not listed above
    • Response team adds: Student Life, University Communications
  • Research data
    • Response team adds: University Analytics, Provost
  • PII concerning faculty
    • Response team adds: Faculty Administration, Provost
  • PII concerning donors or unreleased information about gifts received
    • Response team adds: Advancement
  • Payroll information
    • Response team adds: Controller and/or Payroll

Action Item Checklist

This checklist outlines items that the response team should consider while responding to a security incident.

  • All available information about the incident, both confirmed and suspected, should be provided to the response team. As new information is discovered, it should be provided to the response team as quickly as possible.
  • Business recovery and continuity procedures should be followed.
  • Legal requirements for reporting the compromise should be analyzed and followed.
  • Incident response procedures published by the payment brands should be referenced or incorporated.
  • Remember to alert university leadership teams (President, Senior Staff, Deans) so they understand what is being done to address the incident and are apprised of status. The order and frequency of updates to these groups will be determined by the VP – Information Technology Services depending on the incident.
  • Track the amount of time that has passed between the incident, discovery of the incident, and notification of affected individuals.
  • Daily conference calls to checkpoint progress and obstacles are required. They are tremendously helpful in keeping remediation on track and sharing information.
  • If contracts need to be negotiated to provide services to the affected departments or individuals, those negotiations should begin immediately. Check to see whether previously negotiated contracts can be applied to the situation.
  • University Communications will be called upon to prepare outward-facing information. Materials that may need to be developed to handle the incident include:
    • Web pages
    • Notification letter
    • Press release
    • Q&A for media
    • Q&A for call center and other responders

History

  • 8 April 2016: Initial Policy