What's an Incident?
What Constitutes a Personal Data Exposure
Exposure of an individual's name in combination with any of the following constitutes a data breach and may require the university to begin the notification process:
- Social Security numbers
- HIPAA protected data
- Banking or financial account numbers with passwords or PIN numbers
- Driver's license number or state identification card number
- Student educational records including academic performance data, disciplinary records, race or ethnicity, gender, nationality or grades.
Consequences of a Violation
According to the University's Breach Notification policy available on Pulse, the actual costs associated with the notification will be borne by the department involved with the breach.
The cost of the notification process is not the only consideration when dealing with a personal data exposure. Perhaps of greater consequence is the loss of trust in the university that results from these incidents. Other institutions that have incurred major breaches have reported significant negative effects that include denial of grant applications, loss of donor support and declines in enrollment.
- Remove Social Security numbers - Simply removing Social Security numbers from electronic and paper documents goes a long way toward neutralizing the threat of legal action should those files be exposed. Removing SSNs completely or scrambling the numbers is one effective way to protect student information in the event of a computer theft. Use safe unique identifiers such as a student's "name.n" whenever possible and remove protected personal information from documents you intend to store.
Reporting a Security Breach
Individuals wishing to report actual or potential data breaches can call the IS&T Service Desk at 3-7600 (on-campus) or (215) 503-7600.