Possible data breach? Report it.
Thursday, September 17, 2009
Reportable incidents include:
- A locked file cabinet containing employee medical records has been pried open overnight.
- A data file containing student grades is accidentally copied into a publicly accessible location on the network.
- A suspicious person is seen leaving a work area where printouts of financial aid applications are visible.
- A server containing protected health information is invaded by an attacker via the network.
- A thumb drive containing a database of employee bank account numbers is lost.
- A desktop computer containing student educational records is infected by a malicious computer virus.
- A laptop containing unpublished research information is stolen from an office.
A researcher, writing a time-sensitive report, steps out of his office to chat with a colleague. He returns fifteen minutes later to discover that his laptop has been stolen. He immediately contacts the University Police Department and DoIT’s Help Desk to report the theft. The researcher should also contact his local IT staff and department management.
The UW-Madison Information Incident Reporting Policy requires the reporting of an incident where there is a reasonable belief that unauthorized persons may have accessed sensitive UW-Madison information*, such as Social Security numbers, personal health information, and student data. This policy applies to UW-Madison employees, contractors and users of UW-Madison information resources.
In the case of the researcher, the stolen laptop contained personally identifiable health information used in his research, thereby requiring him to report the incident. Other situations, such as a financial aid counselor inadvertently forwarding student bank account numbers to an unauthorized co-worker or a Human Resources employee discovering malware on his office computer, also need to be reported. See the Information Incident Reporting Procedure for more information. Failure to report as required under the policy may have serious consequences for both the institution and the individual responsible for protecting the data.
The Vice Provost for Information Technology issued the Information Incident Reporting Policy effective 1 June 2009. It was developed to reduce institutional risk and ensure compliance with state and federal laws, such as Wisconsin’s incident reporting law, and to minimize possible damage to individuals or the institution.
* Sensitive information includes personally identifiable information such as Social Security numbers and bank account numbers, personal health information, student data, and research data subject to a future patent.