
Data Breach Response

Responsible Department: Information Technology
Effective Date: 12/19/2019
  1. Policy Purpose

    1. The purpose of this document is to define requirements for responding to potential breaches of sensitive information. This policy is focused on the specific types of security incidents that may involve the accidental disclosure of personally identifiable information (PII) to unauthorized third parties.

    2. This policy applies to all University of North Georgia employees, students and third-party contractors that collect, process or otherwise handle sensitive personal information of employees, students or customers.

    3. Enforcement - Violations of this policy may result in loss of University system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion.

    4. This is a new policy.
  2. Definitions

    1. Breach Discovery – A data breach is considered “discovered” within 24 hours of its initial report and when the “notification clause” has been triggered.

    2. Governing Body Notification Requirement – A privacy breach found to contain PII that requires reporting to the regulatory agency or other governing body will trigger this notification requirement.

    3. Notification Requirement – A data breach of sensitive personal information that is found to be reasonably likely to result in identity theft will trigger a Notification Requirement.

    4. Notification Burden of Proof - The requirement to demonstrate that all required notifications were made in response to a privacy breach.

    5. Privacy Breach - A privacy breach occurs when personal information is collected, retained, accessed, used, or disclosed in ways that are not in accordance with the provisions of the University’s policies, applicable privacy laws, or regulations. Privacy breaches may occur through:

      1. Hackers gaining access to data through a malicious attack;

      2. Lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);

      3. Employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and/or,

      4. Policy and/or system failure.

    6. Privacy Breach Response Team – A multi-disciplinary team that is responsible for planning, analyzing and responding to privacy breaches. The team will be composed of qualified individuals from various departments including (but not limited to) Information Security, Legal, Human Resources, and University Relations.

    7. Personally Identifiable Information (PII) – Information that alone, or when combined with other personal or identifying information can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

    8. Privacy-Applicable Law – Relevant laws, enactments, regulations, regulatory permits and licenses that are in effect and address the protection, handling and privacy of target privacy data.

    9. Sensitive Personal Information - Personal information that requires an extra level of protection and a higher duty of care, for example, information on medical or health conditions, certain financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions.
  3. Policy Statement

    1. Privacy Breach Preparation and Organization

      1. Privacy Breach Response Team – University of North Georgia must establish and staff a special team with the responsibility of planning for, analyzing and responding to data breaches. The team must be composed of qualified individuals from various departments including (but not limited to) Information Security, General Counsel, Human Resources, and University Relations.

      2. Cyber Incident Response Plan – The University must establish and maintain a written Cyber Incident Response Plan detailing the requirements of the response program. The plan must include the detailed standards and procedures for implementing official breach response policies.

    2. Privacy Breach Impact Analysis

      1. Security Incident Analysis – Each security incident reported to the University’s Computer Emergency Response Team (CERT) that involves the possible disclosure of sensitive personal information (PII) of employees, students or customers must be analyzed to determine whether the event qualifies as a breach under University standards.

      2. Breach Notification Analysis – Each security event identified as a breach must be further analyzed to determine the notification requirements for the breach. Breaches that trigger the notification requirements must be logged and reported immediately to the Privacy Breach Response Team.

    3. Third-party Reporting

      The University of North Georgia must establish a formal reporting mechanism to allow third parties that process sensitive personal information to report a breach of such information. University Computer Incident Response Team members will respond within 24 hours of such notification.

    4. Notification and Remediation

      The University must document clear procedures for reporting and managing cybersecurity incidents in a cybersecurity incident response plan and procedural documents as appropriate. These procedures shall include timely reporting of incidents to University System of Georgia administrators, governing bodies, and other entities that require legal notification. Further notification may be required for individual consumers and the general public.
  4. Support Information

    1. USG Business Policy Manual, section 12.0

    2. USG Information Technology Handbook

    3. UNG Data Governance and Access Policy

    4. HITECH Act SEC. 13402. NOTIFICATION IN THE CASE OF BREACH

    5. FACTA – Red Flags Rule
  5. Procedures

    Any related operating procedures must comply with and should reference this policy.
