Information Technology Standard 05.2.0

Data Breach Notification Standard


Date of Current Revision or Creation: October 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to specify the data breach notification requirements for Old Dominion University by identifying the triggering factors and necessary responses to unauthorized release of unencrypted sensitive information.

Definitions

Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.

Personal Information is any piece of data that can potentially be used to identify a single person. Generally, NAME and one or more personal information data elements are necessary to place identity at serious risk.

Standards Statement

ODU will identify all University systems, processes, and logical and physical data storage locations, including those held by third parties, which contain Class 1,2, and 3 regulated data as described in the ITS Standard 02.3.0 Data Administration and Classification.

ODU will include provisions in third-party contracts that involve Class 1,2 and 3 regulated data, requiring that the third party and third-party subcontractors:

  1. Provide timely notification to the agency of suspected breaches
  2. Allow the agency both to participate in the investigation of incidents and exercise control over decisions regarding external reportings.

ODU will provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted Class 1,2, and 3 regulated data by any mechanism, including, but not limited to:

  1. Theft or loss of digital media including laptops, desktops, flash drives, smart phones, tablets, CD's, DVD's, tapes, etc.
  2. Theft or loss of physical hardcopy
  3. Security compromise of any system containing Class 1,2, and 3 regulated data
  4. Encrypted data in which the encryption key is also compromised

ODU will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed, except as delineated below.

ODU will provide notification that consists of:

  1. A general description of what occurred and when
  2. The type of personal information was involved
  3. Whether actions have been taken to protect the individual's personal information from further unauthorized disclosure
  4. What, if anything, ODU will do to assist affected individuals, including contact information for more information and assistance
  5. What actions ODU recommends that the individual take

ODU will provide this notification by one or more of the following methods, listed in order of preference:

  1. Standard mailing to any affected individuals whose mailing addresses are available
  2. Electronic mail to any affected individuals whose email address has been provided to the agency as a contact mechanism
  3. In the case of large-scale breaches or data breaches where neither form of communication listed above is available or feasible, public communications channels, including:
    1. Conspicuous notification on the agency website
    2. Notification by statewide public media, including newspaper, radio and television

ODU will not provide notification immediately following verification of unauthorized data disclosure only if requested by:

  1. Law Enforcement entities where it would interfere with an ongoing investigation
  2. CIO, ISO or designee where it would interfere with a determination of the scope of the data breach or investigation of root cause

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

October 2012

ITAC/CIO

Reaffirmed

December 2012

IT Policy Office

Minor rewording for clarity

Link updated; departmental name update; numbering revision

December 2016 IT Policy Office Minor rewording for clarity
December 2019 IT Policy Office Minor rewording for clarity
October 2021 CISO Minor edits for clarification