Security Breach Regulation 506

Regulation 506 Approved: February 17, 2011
UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Security Breach Regulation
Regulation 506
Source of Authority: Identity Theft Protection Act, N.C.G.S. § 75-60 et seq.;
N.C.G.S. § 132-1.10;
N.C.G.S. § 116-34(a);
UNC Code § 502(A)
Revision Authority: Chancellor
History: First Issued: February 17, 2011
Related Policies and Regulations: Identity Theft Protection Act, N.C.G.S. § 75-60 et seq.;
N.C.G.S. § 132-1.10;
Confidential Information Access Regulation 501;
FERPA Regulation 803;
Records Request Regulation 118;
Red Flag Rules/Identity Theft Regulation 505;
Technology Use Regulation 508
Responsible Offices: General Counsel
Information Technology Department
Department of Police and Public Safety
Effective Date: February 17, 2011

I. Purpose

In accordance with the Identity Theft Protection Act of 2005, North Carolina General Statutes § 75-60 et seq., and § 132-1.10 of the Public Records Act (collectively, the “Act”), UNCSA is required to safeguard certain information of patients, employees, students, vendors, and other individuals who provide information covered by the Act to UNCSA.

II. Scope

This regulation applies to all breaches of security involving the identifying information defined in the Act.

III. Definitions

A. “Security Breach” means:

1. unauthorized acquisition of records or data containing personal information where:

a. illegal use of the personal information has occurred or is reasonably likely to occur; OR

b. the acquisition creates a material risk of harm to an individual; OR

2. unauthorized acquisition of encrypted records or data containing personal information together with the confidential process or key needed to decrypt them.

3. Good faith acquisition of personal information by an employee or agent of the University for a legitimate purpose is not a security breach, provided that the personal information is used only for a lawful purpose and is not subject to further unauthorized disclosure.

B. “Identifying Information” is:

1. Social security or employer taxpayer identification numbers;

2. Driver’s license, State identification card, or passport numbers (except driver’s license numbers appearing on law enforcement records);

3. Checking and savings account numbers;

4. Credit and debit card numbers;

5. Personal Identification (“PIN”) Code as defined in N.C.G.S. § 14-113.8(6);

6. Digital signatures;

7. Any other numbers or information that can be used to access a person’s financial resources;

8. Biometric data;

9. Fingerprints; AND

10. Passwords.

C. “Personal Information” means a person’s first name or first initial and last name in combination with confidential identifying information.

IV. Regulation

A. The University will take all reasonable steps to prevent security breaches with respect to personal and identifying information.

B. Any University employee or student who becomes aware of a suspected or actual security breach (“breach”) must notify the appropriate UNCSA offices.

C. If it is determined that a security breach occurred, the University (through the appropriate University unit) will take appropriate action as defined by the applicable procedures.

D. Notice to affected persons may be provided by any means permitted by UNCSA procedures.

E. Delayed Notice. Notice shall be delayed if law enforcement informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national security.

F. Substitute Notice.

1. Substitute notice may be given if:

a. The cost of providing the notice exceeds $250,000;

b. The number of affected persons is greater than 500,000; or

c. The University does not have the contact information necessary to notify the individual by any of the methods permitted under UNCSA procedures.

2. Substitute notice will include posting a notice on the University’s website and emailing the affected persons if the University has their email addresses.

G. Additional Notice Requirements

1. If a security breach involves more than 1,000 persons, the University will provide written notice of the timing, distribution, and content of the notice to the Consumer Protection Division of the North Carolina Attorney General’s Office and the U.S. Department of Education.

2. The Office of the State Controller must be notified only if the breach involved credit card information.

3. Notification to the Family Policy Compliance Office of the U.S. Department of Education is not required, but is recommended if the number of students affected is large.

H. The Information Technologies Department will review all incidents of potential or actual security breaches and make recommendations to the Chancellor’s Cabinet for institutional improvements in order to minimize such occurrences in the future.

V. Revision History

A. February 17, 2011 – Adopted by Board of Trustees as part of UNCSA Policy Manual


UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS

Security Breach Procedures

Procedure 506

I. Notifications

A. Any University employee or student who becomes aware of a suspected or actual security breach (“breach”) must notify the appropriate UNCSA offices and the General Counsel’s Office at (336) 770-3273.

B. If the breach involves electronic equipment, the Chief Technology Officer must also be immediately notified at (336) 770-3314.

C. If the breach involves loss or theft of University-owned equipment, the UNCSA Department of Police and Public Safety must also be notified at (336) 770-3321.

II. Each suspected security breach will be reviewed by General Counsel and other appropriate University units (including, for example, Information Technologies and Public Safety) in a manner which comports with State law. If it is determined that a security breach occurred, the University (through the appropriate University unit) will take appropriate action that will include the following:

A. Notifying affected individuals without unreasonable delay, with the following information as required by State Law:

1. a description of the incident in general terms;

2. the type of identifying information that was subject to the unauthorized access and acquisition;

3. the general acts of the University to protect the personal information from further unauthorized access;

4. a telephone number that the person may call for further information and assistance;

5. advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports;

6. the toll-free numbers and addresses for the major consumer reporting agencies; AND

7. the toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.

B. Providing the affected individuals with information about how to alert credit agencies to potential fraud and identity theft.

III. Notice to affected persons may be provided by one or more of the following methods:

A. Written notice,

B. Electronic notice for those persons for whom the University has a valid email address and who have agreed to receive communications electronically, or

C. Telephonic notice provided that contact is made directly with the affected persons and appropriately documented by the University unit.

IV. Delayed Notice

A. As required by State Law, notice shall be delayed if law enforcement informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national security.

B. A request for delayed notification must be made in writing or documented contemporaneously by the University in writing, including the name of the law enforcement officer making the request and the officer’s agency engaged in the investigation.

C. The required notice shall be provided without unreasonable delay after the law enforcement agency communicates to the University its determination that notice will no longer impede the investigation or jeopardize national or homeland security.