Data breach response standard
Purpose
The University will provide timely and appropriate notice to affected individuals when there has been a breach of security involving their private data. Such notice informs individuals about the breach so that they can protect themselves from potential harm arising from unauthorized access to or acquisition of their private data, and it satisfies the notification requirements of state and federal privacy and data security laws and of contractual and regulatory obligations.
Scope
University employees, students, and other individuals must report any incident in which a breach of University data is suspected to the Office of Information Technology (OIT) Information Security Office (ISO), via the Report Information Security Incidents link on the ISO website.
Additionally, all suspected data breaches involving protected health information (PHI), including data of Ohio University HIPAA covered entities, data used by the University's Business Associates, or data used by University units acting as Business Associates for external HIPAA covered entities, must also be reported to the University HIPAA Privacy Officer.
Standard
The Senior Manager of Information Security (SMIS), in consultation with the Office of Legal Affairs, is responsible for determining:
- Whether a breach of information security or of University sensitive data has occurred.
- Whether notification to affected individuals is required, based upon state and federal laws.
The SMIS may also seek advice from other key administrators responsible for security and privacy at the University and consult with responsible administrators in the affected campus, area, or unit.
The SMIS and ISO will work with the responsible departments to send any required notifications in accordance with Administrative Procedure: Notification of a Data Security Breach. All notifications must be reviewed and approved by University Information Security prior to distribution.
Responsibilities
All individuals. Report concerns regarding suspected security breaches of private data to University Information Security at security@ohio.edu.
Chief Information Officer (CIO). Delegate to the Senior Manager of Information Security the authority and responsibility for the suspected information security and data breach investigation, oversight of the notification process, and breach determination, where appropriate.
Senior Manager of Information Security (SMIS)
- Accountable, in consultation with the Office of Legal Affairs, for determining whether a breach of information security or private data has occurred and whether notification is required, and for directing responsible departments in complying with notification obligations.
- Delegate the authority and responsibility for investigating a suspected information security or data breach and for overseeing the notification process.
- Inform the appropriate University leadership of suspected data breaches.
Office of Information Technology (OIT) Information Security Office (ISO)
- Investigate the suspected information security or data breach.
- Report breach information and status to the SMIS.
- Report suspected information security and data breaches to the appropriate University officials.
- Ensure that appropriate and timely action is taken on a suspected information security or data breach.
- Provide oversight of the notification process.
Collegiate/unit administrators. Provide timely and effective notification to individuals as directed by the SMIS when there has been a security breach of private data in their area.
HIPAA Privacy Officer
- Notify external entities in accordance with the respective privacy law or contract (e.g., Federal Department of Health and Human Services for PHI).
- Provide privacy advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the privacy law or contract they are responsible for.
Legal Affairs. Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with breach determination and notification obligations under the law.
Definitions
Breach of security: For purposes of this standard, this means unauthorized access to, or acquisition, use, or disclosure of, data maintained by the University that compromises the security and privacy of the data. "Breach" does not include (1) good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; (2) incidents involving data that has been rendered unusable, unreadable, or indecipherable (e.g., through valid encryption) to unauthorized individuals; or (3) incidents involving data that has been deidentified in compliance with applicable legal requirements.
Business associate: An individual (other than an employee or member of the workforce of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a Covered Entity and where the provision of the service involves the use or disclosure of PHI.
Covered entity: A Health Care Provider, Health Plan, or health care clearinghouse. A Covered Entity also includes those units or components designated as a Hybrid Entity.
Information: Data collected, stored, transferred or reported for any purpose, whether in electronic, paper, oral, or other media.
Private data: University data protected by federal or state law (e.g., FERPA, HIPAA, Ohio Breach Notification Law), regulation, or contract (e.g., PCI DSS for payment cards, some research contracts).
Protected health information ("PHI"): Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is reasonable basis to believe can be used to identify an individual. PHI specifically excludes information of individuals who have been deceased for more than 50 years.
The following records are exempted from the definition of PHI as defined by HIPAA:
- Education records maintained by an educational institution;
- Treatment records of post-secondary students meeting the requirements of 20 U.S.C. 1232g(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
Unauthorized acquisition: For the purposes of this standard, this means that a person has obtained University private data without statutory authority, authorization from an appropriate University official, or authorization of the individual who is the subject of the data, or with the intent to use the data for unauthorized or non-University purposes.
References
- Administrative Procedure: Notification of a Data Breach
- Report Information Security Incidents
- University HIPAA Privacy Officer
- HIPAA Standard for HIPAA Compliance Coordinators
- https://www.ohio.edu/oit/security/consulting/defining-sensitive-data
- Academic Policy: Managing Student Records
- General Policy: Protected Health Information
- Administrative Policy: Accepting Revenue via Payment Cards
- IT Policy: Acceptable Usage
- Ohio Breach Notification Law 1349.19
- HIPAA Regulations, 45 CFR Part 164, Subpart D
- Family Educational Rights and Privacy Act (FERPA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Gramm–Leach–Bliley Act (GLBA)
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception
Complete the Exception request form.
Governance
This standard will be reviewed and approved by the University Information Security Governance Committee as deemed appropriate in response to changes in the technology landscape or in established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Finance and Administration: Chad Mitchell
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved November 20, 2020.