Data Incident Notification Policy

PURPOSE

Information assets and IT resources that contain, distribute, and store data are vital to the systems that support Shepherd University’s ongoing mission of discovery, learning, and engagement. All information assets and IT resources, especially data, must be protected throughout various phases of their useful life, including when created, collected, stored, transferred, purged, and ultimately destroyed. Shepherd University relies on the proper use of Restricted, Confidential, and Sensitive data to prevent external exposures of any Personally Identifiable Information (PII).

The purpose of this policy is to establish a consistent approach to the handling of data lost or stolen from a Shepherd University information asset or IT resource. Standardized processes and procedures help to ensure that Shepherd University can act responsibly, respond effectively, and protect its information assets and IT resources to the fullest extent possible. Additionally, this policy outlines and defines the steps that will be taken for notification when required under federal or state law.

Policy

Shepherd University information assets and IT resources contain various types of data that are to be used, collectively and individually, in an approved, ethical, and lawful manner to avoid loss of and/or damage to Shepherd University data, operations, image, or financial interests. All affiliated data should be considered confidential and proprietary; therefore, every effort must be made to protect the integrity of all types of data.

A. DATA INCIDENT
A data incident means an accidental or deliberate event, caused by human error or malicious intent, which results in, or constitutes an imminent threat of, unauthorized access to, or the loss, disclosure, modification, disruption, or destruction of, communications, information assets, or IT resources of Shepherd University.

Adopting a standardized and consistent approach to data incident management shall ensure that:


B. DATA CLASSIFICATIONS
Data incidents vary in impact and risk depending on a number of factors, including the content and quantity of the data involved. Once an incident is reported, it is critical that the classification of the affected data be identified quickly so that a response can be issued in a timely manner.

Restricted Data is highly confidential and is protected by laws, statutes, regulations, guidelines, and contractual language, which if exposed could result in legal damages, fines, penalties, identity theft, and/or financial fraud. Examples include, but are not limited to, user PII, SSNs, driver’s license numbers, health records, taxpayer ID numbers, and other financial data.

Confidential Data is information that is protected by laws, regulations, university policies, or other contractual language, but does not carry the same level of risk as restricted data. Confidential data may be disclosed to individuals on a strictly need-to-know basis only, where law permits. Examples include student educational records, student directory information, personal/payroll information, and job application information.

Sensitive Data is information that is protected by laws, regulations, university policies, or other contractual language, but does not carry the same level of risk as restricted or confidential data. Sensitive data should be perceived as data that can be shared internally but generally not to external parties. Examples include student ID numbers, faculty workload, research work in progress, and library archives.

Public Data is information that may be available to the general public and is defined with no existing local, state, national, or international legal restrictions on access or usage. Examples include publicly posted press releases, publicly posted catalogs, and public announcements.

C. INCIDENT IMPACT CATEGORIES

Critical/Major pertains to a data incident on a large scale, defined as an incident involving a campus-wide core database or a single incident impacting a large user group (>100).

Critical/major incident impacts typically have the following attributes:

Moderate pertains to a data incident on a medium scale, defined as an incident that is potentially database related or that impacts a medium-sized user group (>10 but <100). Moderate incident impacts typically have the following attributes:

Minor pertains to a data incident on a personal or small scale, defined as affecting fewer than 10 users (<10). Minor incident impacts typically have the following attributes:

SCOPE of AFFECTED PARTIES

This policy applies to all users, such as students, faculty, and staff of Shepherd University and to other persons accessing Shepherd University information assets and/or IT resources including but not limited to authorized agents or community members, regardless of whether such information asset or IT resource is accessed from on-campus or off-campus.

ROLES & RESPONSIBILITIES

All Shepherd University students, faculty, staff, and other parties with access to Shepherd University information assets and IT resources shall be responsible for:

USERS

INTERNAL IT – PROCEDURES

  1. Any individual who suspects that a Shepherd University information asset, IT resource, or raw data (whether stored in paper form, on a personal device, or on a university-issued computing device) has been lost or stolen, or that restricted or confidential data has been accessed by an unauthorized user, must contact IT Services immediately by emailing itworkorder@shepherd.edu or dialing 304.876.5457.
  2. IT Services, upon being notified, will contact General Counsel to assist in assessing whether restricted, confidential, or sensitive information is or was at risk. SUPD will be notified in the case of any stolen device.
  3. General Counsel and IT Services will follow the West Virginia Breach of Personal Information Notification Act if personal information is deemed to have possibly been breached or stolen.
    • a. Security Breach is defined as the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PII maintained by Shepherd University as part of a database of PII regarding multiple individuals, and that causes Shepherd University to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of West Virginia.
    • b. Any good-faith acquisition of PII by an employee or agent acting on behalf of Shepherd University for the purpose of operating the day-to-day business of Shepherd University is not considered a breach of the system, provided that the PII is not used for any purpose other than a lawful purpose and is not subject to further unauthorized disclosure.
    • c. Notification obligation: an entity to which the state statute applies shall give notice of any breach of the security of Shepherd University systems, following discovery or notification of the breach, to any resident of West Virginia whose unencrypted and unredacted PII was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where the breach causes, or is reasonably believed to cause, identity theft or other fraud to any resident of West Virginia.
    • d. Shepherd University must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key, and Shepherd University reasonably believes that such breach has caused, or will cause, identity theft or other fraud to any resident of this state.
  4. Notifications may be provided by any of the following methods:
    • a. Written notice to the last known home address for the individual.
    • b. Notice by telephone, if the impacted user can reasonably be expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms, verifies personal information (but does not require the user to provide personal information), and provides the user with a telephone number to call or an internet website to visit to obtain further information or assistance.
    • c. Email notification can be provided if the user is a current faculty member, employee, student, or affiliate of Shepherd University.
    • d. Substitute notice can be utilized if:
      • i. The cost of providing notice would exceed $100,000.
      • ii. The number of affected users to be notified exceeds 175,000.
      • iii. There is insufficient contact information for the affected user(s).
      • iv. Substitute notices shall consist of:
        • 1. Email notification for when Shepherd University has a valid email address for the impacted users.
        • 2. Conspicuous posting of the notice on Shepherd University’s webpage.
        • 3. Notifying a major state-wide media source.
    • e. Vendor/Affiliate notifications. Any vendor or affiliate of Shepherd University that maintains, collects, stores, transmits, or manages computerized data on behalf of Shepherd University shall, following its discovery of any data incident and/or breach within its security system, provide notice to the impacted user(s) on whose behalf the vendor/affiliate maintains, stores, and manages the data.
    • f. When Shepherd University provides notification to more than 1,000 users at one time, notification of the timing, distribution, and number of notices must be given without delay to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in Section 603 of the Fair Credit Reporting Act.
      • i. Free credit monitoring for up to 12 months after a data incident will be offered to those impacted users whose information may have been affected by a data incident.


    INTERNAL IT – INCIDENT RESPONSE

    Assess Risk and Incident Scope – All data incidents shall receive immediate analysis, with an Incident Report completed by the CIO/CISO – Information Privacy Officer, or designee. This analysis shall include a determination of the incident's scope and serve as a roadmap to mitigation. It shall be documented and shared with key personnel of the Executive Leadership Team, the affected parties, and any other relevant stakeholders. At a minimum, the following duties will be conducted:

    1. Preliminary Assessment
      • a. When and where did the data incident occur?
      • b. What type of data was impacted, and/or type of device(s) lost or stolen?
        • i. Data classification assessment, with impact.
        • ii. Can data be used fraudulently?
        • iii. Report asset as lost or stolen to SUPD.
      • c. Ascertain if security or access has been contained to limit further data exposure or loss.
      • d. Is there other information at risk?

    Notification – All data incidents classified as critical or moderate shall have effective communication plans to ensure that appropriate personnel within the campus are aware of the data incident. At a minimum, the following duties will be conducted:

    1. Notification of Campus Stakeholders
      • a. IT Services
        • i. CIO/CISO – Information Privacy Officer
        • ii. IT Services Desk
      • b. General Counsel
      • c. VP or Executive responsible for the impacted department, business area, or academic area.
      • d. University Communications
      • e. SUPD

    Continued Evaluation of Incident – All data incidents shall be subject to continuous investigation, research, and analysis as notification is distributed to key campus personnel, with a focus on containing the incident, preventing further loss, and recovering data.

    1. Further Evaluate Scope of Data Incident
      • a. Identified IT point-person per data incident.
        • CIO/CISO – Information Privacy Officer
      • b. Was there evidence of suspicious behavior or negligence by an employee?
      • c. Was there any criminal intent by employee?
        • i. If so, is an external investigation warranted?
        • ii. HR
        • iii. SUPD
      • d. Does a backup of data and/or system exist?
        • i. Restoral
        • ii. Is there a similar functioning device that can assist in determining risk?
      • e. Damage to building or physical security?
        • i. Are any door access or lock codes impacted that could result in physical danger?

    Communication to Public – All data incidents classified as critical or moderate shall have effective communication plans to inform the public appropriately and to manage the communication process through to complete resolution. At a minimum, the following duties will be conducted:

    1. Determine Need to Notify Public
      • a. Do employees need to be made aware?
      • b. Does data incident impact suggest the public be notified?
        • i. Yes
          • 1. Communication Liaison identified?
            • a. Developing talking points.
            • b. Frame message.
            • c. Deliver optimum messaging.
            • d. Define next steps:
              • i. State Associations.
              • ii. Press Conference.
                • 1. Community
              • iii. Press Release.
              • iv. National Associations.
        • ii. No
          • 1. Internal review
      • c. If SUPD was involved, has an exact time been determined? Are additional law enforcement agencies necessary?
        • i. FBI
        • ii. Homeland Security
        • iii. County Sheriff
        • iv. State Police
    2. Communication to Public
      • a. Has notification method been identified?
        • i. Will it differ for each impacted user?
        • ii. Has method been prepared?
      • b. Does a fact sheet need to be created?
        • i. Outline of incident
        • ii. Explain actions currently being undertaken by Shepherd University.
        • iii. Include all contact information.
        • iv. Anything else of value.
      • c. Does a toll-free number need to be created?
        • i. Will a call center be needed?
      • d. Does a web site need to be created?
        • i. FAQs
        • ii. Next Steps
        • iii. Contact
      • e. Identify services to be arranged for impacted users.
        • i. Credit monitoring
          • 1. Does a contract need to be established?
          • 2. Has the length of monitoring been defined?
          • 3. How will information be communicated to individuals?
            • a. Credit Bureaus
            • b. Shepherd University
        • ii. Reminders?

    Postmortem Evaluation and Response – All data incidents classified as critical or moderate shall have a postmortem analysis conducted by the CIO/CISO – Information Privacy Officer, or designee, to make recommendations on ways to limit risk and exposure in the future. At a minimum, the following duties will be conducted:

    1. Evaluate and Address Weaknesses.
      • a. Consider the data and security measures employed.
        • i. Was full-disk encryption being used on system or device?
        • ii. Was the software up-to-date?
        • iii. Were other security measures deployed?
          • 1. Multi-factor
          • 2. Password protection files/data
        • iv. Were security policies being adhered to?
          • 1. Does a security assessment need to be conducted?
          • 2. Was this the proper location for the data, system, or device?
        • v. Was data properly classified?
      • b. Are policies in need of modifications?
        • i. Lapse in processes or protocols?
        • ii. Did policy address the issue clearly and concisely?
          • 1. Identify new workflows and/or protocols to further enhance security measures.
      • c. User Education
        • i. Are new education efforts needed?
        • ii. Was user authorized and adequately trained?
          • 1. Recommend new education measures.


    CIO/CISO – INFORMATION PRIVACY OFFICER

    • Oversee and administer this policy.
    • Ensure that all phases of this policy are reasonably executed in order to protect Shepherd University's interests, are properly authorized, and meet the scope and conditions of protecting data.
    • Provide authorization and direction to IT Services staff in accordance with this policy, to authorize disconnection of any information asset and/or IT resource or disabling of a user account if it is believed that either is compromising the information security and privacy of Shepherd University.
    • Develop awareness and necessary training materials as it pertains to this policy.


    IT SERVICES STAFF

    • With appropriate authorization, take directed action in accordance with this policy to preserve, secure, and protect the interests of Shepherd University.
    • Ensure all associated procedures are followed and documented accordingly when taking any actions outlined in this policy.

    RELATED TOOLS

    TRAINING
    • Family Educational Rights & Privacy Act (FERPA) Training
    • Gramm-Leach-Bliley Act (GLBA) Training

    RELATED POLICIES & GUIDELINES
    BOG#35: Information Technology Security
    Acceptable Use Policy
    E-mail Policy
    Data Classification Policy
    International Travel Security Policy
    Password Guidelines
    Social Security Number Guidelines
    Work from Home / Remote Access Guidelines

    POLICY: Data Incident Notification Policy
    IMPACT: Data, Technology, and IT Resources
    RESPONSIBLE OFFICE: IT Services
    CREATED: February 10, 2023
    REVIEWED: February 19, 2024
    APPROVED BY: CIO/CISO – Information Privacy Officer
    VERSION: 24.1