Reporting Security Incidents and Making Notification
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
A. If a Security Breach is Suspected
If you suspect a technical or tampering issue with a computer storing sensitive or private data, do not use the computer—that could compromise an investigation. Instead, call your Info Tech support. If Info Tech support is not readily available, call 1Help at (612) 301-4357 (on Twin Cities campus dial 1-HELP). You may also use another computer and email help@umn.edu for further direction.
If you suspect a potential security issue involving any private data—whether the data is on a computer, on paper, on the web, etc.—immediately report the details to abuse@umn.edu.
If you have questions about whether data is private, consult "What is Public and Private Information" as well as the related policy noted above, including the "contacts" listed in the policy.
You should also alert your supervisor.
B. Responsibility for Reporting a Security Breach
Any person who knows or reasonably believes that a breach of the security of private data has occurred should report their concern to the University. Any University employee with responsibility for data must report known or suspected breaches of security of private data. These reports will enable the University to investigate and address the concern and to make determinations about appropriate notification to the subjects of the private data.
C. Reporting a Security Breach
Just send an e-mail to abuse@umn.edu or contact your campus help-desk. Tell them:
- Your contact information
- The department involved
- A brief description of what happened
- A general description of the type of data at issue
D. Determining if Individual Notification is Needed
The Chief Information Officer (CIO) or delegate, in consultation with the General Counsel's Office, will be responsible for determining whether a breach of security of data has occurred and whether notification to individuals is required. The CIO may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.
E. Notifying Individuals
The CIO will work with the affected unit, responsible administrators, University Relations, and others as appropriate to deliver timely and effective notification to individuals.
- Content of Notification. While the content may vary, notification must always include these elements, to the extent possible:
  - A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
  - A description of the types of private information that were involved in the breach (e.g., full name, social security number, date of birth, home address, account number, personal financial information, grades, diagnosis, disability code, etc.)
  - Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft)
  - A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches
  - Contact information for further questions and assistance, including a toll-free telephone number, an email address, Website address, or postal address
- Manner of Notification. The CIO will determine the appropriate manner of notification—whether first-class mail, email, or substitute notice—as required under the law. The manner of notification may vary depending on the type of data (personal health information, which is governed by HIPAA regulations, or other private data, which is governed by the Minnesota Government Data Practices Act), the number of affected individuals, the availability of current address information, and other factors.
- Other Requirements. The CIO must determine whether other requirements apply, depending on the nature of the information that is the subject of the breach, as well as the scope of the breach. Notifications required by the Minnesota Government Data Practices Act must comply with the provisions of that law. Minn. Stat. § 13.055. Notification regarding protected health information must comply with the notification provisions within HIPAA regulations. 45 C.F.R. Part 164, Subpart D. Additional requirements may include posting on websites, notice to media outlets, and notification to the Secretary of Health.
- Expenses. Direct expenses related to the breach notification process are the responsibility of the affected unit.