Reporting and Notifying Individuals of Security Breaches

Effective: May 2006
Last Updated: December 2006

Responsible University Officer:
  • Chief Information Officer

Policy Owner:
  • Chief Information Officer

Policy Contact:

POLICY STATEMENT

The University shall provide timely and appropriate notice to affected individuals when there has been a breach of security of private data about them. A breach in security occurs when there is an unauthorized acquisition of private information maintained in any form by the University. The Chief Information Officer or delegate, in consultation with the General Counsel's Office, shall be responsible for reviewing incidents to determine whether notification is required and directing responsible departments in complying with the notification obligation. All known or suspected breaches of security must be reported to the CIO, to enable the CIO to determine whether notification is required. Suspected breaches can be reported at abuse@umn.edu or your campus help-desk.

REASON FOR POLICY

This policy protects individuals from potential harm arising from the unauthorized acquisition of private information about them, and promotes compliance with state and federal privacy laws.

PROCEDURES

ADDITIONAL CONTACTS

For questions, contact your unit's IT professional, your campus help-desk, abuse@umn.edu, or:

Subject               Contact        Phone          Fax/Email
Primary Contacts      Ken Hanna      612-625-1505   k-hann1@umn.edu
                      Tracy Smith    612-624-9546   smith229@umn.edu
Breaches/electronic   Ken Hanna      612-625-1505   k-hann1@umn.edu
Security              Steve Cawley   612-625-8855   cawley@umn.edu
Medical records/PHI   Ross Janssen   612-626-5844   janss006@umn.edu
Student records       Tina Falkner   612-625-1064   rovic001@umn.edu
Legal                 Tracy Smith    612-624-9546   tracysmith@mail.ogc.umn.edu

Campus Help Desks

Campus                                       Help Desk       Phone
University of Minnesota - Twin Cities (TC)   TC Help Desk    1-HELP, (612) 301-4357
University of Minnesota - Duluth (UMD)       UMD Help Desk   218-726-8847
University of Minnesota - Morris (UMM)       UMM Help Desk   320-589-6391
University of Minnesota - Crookston (UMC)    UMC Help Desk   218-281-8000

Security questions, concerns, or suspected incidents: e-mail abuse@umn.edu

DEFINITIONS

Breach of security
For purposes of this policy this means unauthorized acquisition of data maintained by the University, which compromises the security and classification of the data. Good faith acquisition of government data by an employee, contractor, or agent of the University is not a breach of the security of the data, if the data is not provided to an unauthorized person.
Data
Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.
Private data
Data about individuals that is classified by law as private or confidential and is maintained by the University in electronic, paper, or other format or medium. Under the Minnesota Government Data Practices Act, "private data" means data classified as not public and available to the subject of the data, and "confidential data" means data classified as not public but not available to the subject of the data. See Appendix attached to this policy.
Unauthorized acquisition
For the purposes of this policy, this means that a person has obtained University data without statutory authority or the consent of the individual who is the subject of the data, and with the intent to use the data for non-University purposes.

RESPONSIBILITIES

All Employees
Report good faith concerns about security breaches of private data at the University.
Chief Information Officer
Make determinations, in consultation with the General Counsel's Office, as to whether notification is required, and direct responsible departments in complying with notification obligations.
Collegiate/Unit Administrators
Provide timely and effective notification to individuals as directed by the CIO when there has been a security breach of private data in their area.
General Counsel
Provide legal advice to the Office of Information Technology and other University staff and decision makers to ensure compliance with notification obligations under the law.

APPENDICES

FREQUENTLY ASKED QUESTIONS

Q: Where do I report a breach of security?
A: At abuse@umn.edu or your campus help-desk. Look at the attached Procedure for more details on how to report.
Q: What are examples of breaches of security?
A: In the case of electronic data, a breach of security may occur, for example, when a computer containing private data has been hacked and the data has been downloaded, when electronic files have been mistakenly posted on the Web or e-mailed to the wrong recipients, or when a laptop, personal digital assistant, or other electronic storage device has been stolen or lost. In the case of paper data, a breach of security may occur when documents are stolen, lost, misdirected, or left vulnerable to unauthorized acquisition.
Q: Does this policy only apply to electronic data?
A: No, this policy applies to all University data, regardless of the medium.
Q: What if I am aware of a possible incident, but can't tell whether someone has actually acquired the data?
A: You should report the incident, even if you don't know whether someone has acquired the data. The CIO is responsible for determining whether the data has been acquired.
Q: Who makes the notification when there has been a breach?
A: Generally, the department responsible for the data will be responsible for preparing the list of addressees and making the notification, although depending on circumstances the notification may come from someone else at the University. The manner of notification will be determined as part of the consultation process with administrators and the CIO.
Q: Why do we report breaches?
A: For several reasons: to be honest with people about whom we hold data, to help people prevent identity theft when their data is taken, and to comply with legal obligations, including a state law implemented in 2005 requiring notification in certain circumstances.
Q: What should I do if I think my unit is at risk of a breach due to a lack of security?
A: If you think your unit lacks physical or technical security, contact abuse@umn.edu or your campus help-desk.
Q: Will I get in trouble for reporting a breach?
A: No. Employees may not be retaliated against for reporting concerns at the University.

RELATED INFORMATION

Statutes

Policies and Procedures

Other Related Information

HISTORY

Effective:
May 2006

To obtain a copy of a historical policy, e-mail the U Policy Librarian at policy@umn.edu or call 612-624-4372.
