Old Dominion University
Information Technology Standard
05.2.0 Data Breach Notification Standard
Date of Current Revision or Creation: | October 1, 2021 |
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
-
Purpose
The purpose of this standard is to specify the data breach notification requirements for Old Dominion University by identifying the triggering factors and necessary responses to unauthorized release of unencrypted sensitive information.
-
Definitions
Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.
Personal Information is any piece of data that can potentially be used to identify a single person. Generally, NAME and one or more personal information data elements are necessary to place identity at serious risk.
-
Standards Statement
ODU will identify all University systems, processes, and logical and physical data storage locations, including those held by third parties, which contain Class 1,2, and 3 regulated data as described in the ITS Standard 02.3.0 Data Administration and Classification.
ODU will include provisions in third-party contracts that involve Class 1,2 and 3 regulated data, requiring that the third party and third-party subcontractors:
- Provide timely notification to the agency of suspected breaches
- Allow the agency both to participate in the investigation of incidents and exercise control over decisions regarding external reportings.
ODU will provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted Class 1,2, and 3 regulated data by any mechanism, including, but not limited to:
- Theft or loss of digital media including laptops, desktops, flash drives, smart phones, tablets, CD's, DVD's, tapes, etc.
- Theft or loss of physical hardcopy
- Security compromise of any system containing Class 1,2, and 3 regulated data
- Encrypted data in which the encryption key is also compromised
ODU will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed, except as delineated below.
ODU will provide notification that consists of:
- A general description of what occurred and when
- The type of personal information was involved
- Whether actions have been taken to protect the individual's personal information from further unauthorized disclosure
- What, if anything, ODU will do to assist affected individuals, including contact information for more information and assistance
- What actions ODU recommends that the individual take
ODU will provide this notification by one or more of the following methods, listed in order of preference:
- Standard mailing to any affected individuals whose mailing addresses are available
- Electronic mail to any affected individuals whose email address has been provided to the agency as a contact mechanism
- In the case of large-scale breaches or data breaches where neither form of communication listed above is available or feasible, public communications channels, including:
- Conspicuous notification on the agency website
- Notification by statewide public media, including newspaper, radio and television
ODU will not provide notification immediately following verification of unauthorized data disclosure only if requested by:
- Law Enforcement entities where it would interfere with an ongoing investigation
- CIO, ISO or designee where it would interfere with a determination of the scope of the data breach or investigation of root cause
-
Procedures, Guidelines & Other Related Information
Federal and State Law
Data and System Breach Response Framework
University Policy 3505 - Information Technology Security Policy
IT Standard 02.3.0 - Data Administration & Classification Standard
-
History
Date
Responsible Party
Action
October 2008
ITAC/CIO
Created
October 2009
ITAC/CIO
Reaffirmed
October 2010
ITAC/CIO
Reaffirmed
October 2011
ITAC/CIO
Reaffirmed
October 2012
ITAC/CIO
Reaffirmed
December 2012
IT Policy Office
Minor rewording for clarity
Link updated; departmental name update; numbering revision
December 2016 IT Policy Office Minor rewording for clarity December 2019 IT Policy Office Minor rewording for clarity October 2021 CISO Minor edits for clarification