Guidelines for Internal and External Reporting of Data System Security Breaches

I. Procedures for Internally Reporting a Suspected Compromise of a Data System

What Is a Reportable Incident

A reportable data breach incident occurs if:

  • An unauthorized person is believed to have gained the ability to access Confidential Data that are stored on a University data system.
  • A person who is authorized to access Confidential Data that are stored on a University data system misuses that data.

Confidential Data

Confidential Data are defined in the University’s Institutional Data Policy.

How to Report

The department or unit responsible for the affected data system will immediately inform the IT Services network security team of the reportable incident. Call the IT Service Desk at (517) 432-6200 and follow the recorded instructions for reporting a “security incident.”

IT Services will alert MSU Police, and MSU Police will determine whether a criminal investigation is warranted. When there is no criminal investigation, or upon completion of a criminal investigation, IT Services will resume coordination of the incident.

The department or unit will facilitate investigation of the reportable incident by:

  • Immediately disconnecting the affected systems from the network, but leaving them powered on, until investigators direct otherwise;
  • Not logging on or performing administrative functions on the affected system until investigators arrive; and
  • Recording all actions taken in connection with the discovery of the reportable incident – in writing, indicating date and time.

Reporting Responsibilities

IT Services will immediately report the incident to the Vice Provost and CIO for MSU IT Services. The CIO will notify the President, Vice President for Finance and Operations, Provost, General Counsel, Vice President for University Relations, Secretary to the Board of Trustees, and Director of Internal Audit of any significant reportable incident.

IT Services also will promptly report the incident to the following offices depending on the type of confidential or proprietary data that is involved:

  • Credit or debit card data – Controller’s Office
  • Student records – Registrar’s Office and Academic Services
  • Research, intellectual property, or export-controlled data – Regulatory Affairs, Vice President for Research and Graduate Studies
  • Protected health information – HIPAA Officer
  • Employee records – Human Resources

These offices are responsible for notifying external parties (e.g., payment card companies and governmental agencies) if appropriate.

II. Procedures for External Notice of a Security Breach

Michigan’s Identity Theft Protection Act, MCLA 445.63 et seq, prescribes when the University must give to Michigan residents notice of a security breach of a University data system that contains their personal information.

What Is a Security Breach

A security breach means the unauthorized access and acquisition of data from a University data system that compromises the security or confidentiality of a person’s personal information.

Access is not unauthorized if:

  1. The employee or other person acted in good faith in accessing the data;
  2. The access was related to the activities of the agency or person; and
  3. The employee or other person did not misuse any personal information or disclose any personal information to an unauthorized person.

What Is Personal Information

Personal information means a person’s first name or first initial and last name in combination with any of the following data elements when the data elements are not encrypted:

  1. Social security number;
  2. Driver’s license number; or
  3. Account number, credit or debit card number, or other financial account number, in combination with any required security code, access code, or password that would permit access to a person’s financial account.

Personal information does not include government records or documents lawfully made available to the general public.

Is Notice Required

The University must give notice when it discovers a security breach if:

  • The unencrypted and unredacted personal information was accessed and acquired by an unauthorized person; or
  • The personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.

The above notice is not required if the security breach has not caused, or is not likely to cause, substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.

In determining whether notice is required, University administrators will consider the following questions:

  1. Is the medium or device storing personal information in the physical possession or control of an unauthorized person (e.g., a lost or stolen computer)?
  2. Is there credible evidence that personal information has been downloaded or copied?
  3. Was personal information used by an unauthorized person (e.g., opening fraudulent accounts or identity theft)?
  4. Was the intrusion stopped while in progress, or before personal information could be acquired?
  5. Is there credible evidence that the purpose of the intrusion was to seek and collect personal information?
  6. Is there credible evidence that the medium or targeted device was used, or being prepared for use, for malicious purposes other than accessing and acquiring personal information (e.g., storage and distribution of large data files)?
  7. What is the likelihood that the intruder has obtained data in a usable format?

When the University discovers a data system security breach that may require notice, the following University administrators will decide whether to notify potentially affected persons: President, Vice President for Finance and Operations, Provost, General Counsel, Vice President for Communications and Brand Strategy, CIO and Vice Provost for IT Services, and Chief of Police.

When and How Must Notice Be Given

In the event that University administrators determine that the University must notify potentially affected persons of a data system security breach, the following procedures will be used.

The University will notify potentially affected persons, without unreasonable delay after detection of the security breach, in writing, by U.S. mail, or electronically (by email) if the University has an email address for the potentially affected person.

The University also will conspicuously post a notice on the University website and notify major statewide media in the form of a press release if:

  • The cost of giving the notice described above exceeds $250,000;
  • More than 500,000 Michigan residents must be notified; or
  • The University has insufficient contact information to notify potentially affected persons.

The University will attempt to notify all potentially affected persons, regardless of their Michigan residency status.

The University may delay notification if:

  • A delay is necessary for the University to assess the scope of the security breach and restore the reasonable integrity of the data system; or
  • MSU Police or another law enforcement agency determines and advises that notification will impede a criminal or civil investigation or jeopardize homeland or national security.

However, the University must give the required notice without unreasonable delay when the reason for the delay no longer exists.

Content of Notice

The department(s) or unit(s) responsible for the data system affected by the security breach will prepare the notice, with the assistance of IT Services, for review by appropriate University administrators.

The notice must clearly and conspicuously:

  1. Describe the security breach in general terms.
  2. Describe the type of personal information that is the subject of unauthorized access or use.
  3. If applicable, generally describe what the University has done to protect the data from further security breaches.
  4. Include a telephone number where a notice recipient may obtain assistance or additional information.
  5. Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.

Providing a Toll-Free Number

If a press release is issued, Communications and Brand Strategy will provide a toll-free number for potentially affected persons to call to obtain additional information. The unit or department responsible for the data affected by the security breach will field the calls and provide information from a FAQ sheet.

If a large number of calls is anticipated, the University may contract with an external agency to respond to calls.

The department(s) or unit(s) responsible for security of the data system will bear all costs associated with notification and any fines that may be levied under Michigan’s Identity Theft Protection Act, MCLA 445.63 et seq.

Destruction of Data

The University will destroy any data that contain personal information concerning a person when that data are removed from a data system and the University is not retaining the data elsewhere for another purpose not prohibited by state or federal law. These guidelines do not prohibit the University from retaining data that contain personal information for purposes of an investigation, audit, or internal review.

Updates:

  • Original Guidelines published on January 28, 2006.
  • Guidelines revised for compliance with MCLA 445.63 et seq on June 14, 2007.
  • Guidelines revised to correct for Academic Technology Services unit name on February 24, 2009.
  • Guidelines revised regarding network attachments on July 16, 2009.
  • Guidelines revised regarding Student Information policy and Registrar’s office updates on December 14, 2009.
  • Guidelines revised to comport with Institutional Data Policy on January 1, 2011.
  • Guidelines revised to update Vice Provost for Libraries, Computing and Technology to CIO and Vice Provost of IT Services, University Relations to Communications and Brand Strategy, and Department of Police and Public Safety to MSU Police on April 22, 2014. Also at that time, the Guidelines were formatted from a PDF to inline web page text with links for improved accessibility and search.