Breach of Information Notification Policy

Originally Issued:

May 2007


Revision Date:

April 2015

Contacts:


Policy:

The university shall disclose any breach of its data to any person whose sensitive, personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure shall be made in the most expedient time possible. It is the university’s sole discretion to determine the scope of the breach.

Terms used in this policy are defined as follows:

Breach: Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of sensitive, personal information maintained by the university or its employees. Good faith, but unauthorized, acquisition of such sensitive, personal information by an employee or agent of UNLV for university business is not a breach for purposes of this policy, provided that the information is not subject to further unauthorized disclosure.

Data: The observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy.

Sensitive, personal information: Any information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed.

Disclosure: Notification using one of the following methods: 1) Notice in writing either hand delivered or mailed to the address on file with, or last known to, the university; 2) Notice by e-mail if the individual has an e-mail address on file with the university.

The disclosure may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

The university shall make every reasonable effort to contact individuals impacted. Contact may be made in person, by mail, and/or by e-mail.

Reasonable effort: Use all contact information available in university records to notify individuals who may have been impacted.

If the university does not have sufficient contact information, a general disclosure will be posted on a UNLV web site and appropriate news media outlets will be notified.

The university will provide information about data breaches as required by federal and state laws, and NSHE regulations and/or policies.

Suspect a data breach? Report it now.



Statement of Purpose:

The purpose of this policy is to ensure that the university meets its disclosure obligation in the event of an inappropriate release of sensitive, personal information.


Entities Affected By Policy:

Entities affected by this policy include UNLV students and employees and anyone interacting with UNLV.


Who Should Read This Policy:

UNLV students and employees and anyone engaging in business with UNLV should read this policy.


Exceptions:

There are no exceptions to this policy. 


Frequently Asked Questions:

What would be considered a breach? If there is suspicion of a breach, will someone be available to check whether or not one has occurred?

Anytime sensitive, personal information is potentially exposed to an unauthorized individual, it is considered a suspected breach. The Information Security Office will investigate to determine if a breach occurred.

For example, if you handle sensitive, personal information and your computer is found to contain malware, this would be considered a suspected breach. A forensic investigation would reveal whether someone other than the user of the computer had accessed the information. If so, a breach response would be initiated.

Computer: Any university-issued desktop or laptop, listed as property of UNLV/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such.

Another somewhat common occurrence is a lost or stolen unencrypted flash drive containing an instructor’s grades. In this case, since it is impossible to determine if the information has been accessed, a breach response would be initiated and those possibly impacted notified.

Does the Data Breach Notification Policy apply only to information stored electronically?

The policy applies to all sensitive, personal information irrespective of the manner in which it is stored. Paper documents containing protected information are also subject to this policy.

Protected information: Information provided at the direction of UNLV or to which access was indirectly obtained in the course of contractor's performance of services, that: is an education record, protected health information, or personally identifiable information; identifies any individual (by name, signature, address, telephone number, email address, or other unique identifier); can be used to authenticate any individual (including, but not limited to, any employee identification number, Social Security number, driver's license number or other government-issued identification number, passwords or PINs, biometric or health data, answers to security questions, or other personal identifiers); or, includes credit card, debit card, or other financial information. UNLV business contact information is not, by itself, protected information.

Whose responsibility is it to notify the university of a suspected breach?

The first person to discover that information could have potentially been breached should notify the university by sending an email to breachreport [at] unlv [dot] edu. That individual should also notify his or her supervisor that they have reported a suspected breach.

How should a suspected breach be reported? Can a suspected breach be reported in person?

All reports regarding suspected breaches should be made through breachreport [at] unlv [dot] edu. The report will be handled through the Information Security Office.

If a suspected breach is reported in person, the person will be directed to submit the report via email.

Are there disciplinary actions associated with not reporting potential breaches?

If an employee intentionally neglects to report a suspected breach, the employee would be subject to the existing university procedures for handling personnel matters.

Is there a place where UNLV breach notifications will be available for public review?

All UNLV breach notifications that require a full breach response will be available on the Breach Information website. The notifications will be available for 60 days. For more information on what constitutes a full breach response, see the UNLV Breach of Information Procedures.