Data Breach Response Procedures

Contact in the event of a breach

Lisa Palazzo, University Chief Compliance and Privacy Officer,
216.368.5791, lxp66@case.edu

Purpose

For Case Western Reserve University, any breach of private information has the potential to result in losses to the university and community members. Security incidents could arise in a myriad of contexts relating to paper documents and electronically stored and transmitted information, such as theft, misuse of data, and computer- or technology-based violations. They may result in disclosure of personal information, diminished intellectual property, a tarnished reputation in the community, loss of trust among university employees and students, reduction of economic resources and funding opportunities, the loss of employees’ time in responding and reacting to the breaches, and legal sanctions. Because of these potential harms, CWRU places a high priority on the security of its information. It is CWRU’s intention to investigate and respond appropriately to each information breach, depending upon the level of potential consequential harm and the legal obligations related to each particular situation.

All individuals and management centers (e.g. offices, departments, schools) within the CWRU community are responsible for reporting information breaches and upholding university privacy policies and practices.

This document defines and describes the communication and response procedures in the event of a data breach. The overarching consideration is that all regulatory requirements and institutional policies be met.

Roles and Responsibilities regarding responding to information breaches

Privacy Office (PO)/Compliance Office

Responsible for developing and maintaining the system-wide incident response process for data breaches. Acts as the central and first point of contact in the event of data breaches. Responsible for notifying individuals affected by privacy-related breaches.

Information Technology Services Security

Responsible for conducting computer diagnostic support in computer- or technology-based breaches, providing expertise and advice regarding data security, and suggesting remedies to prevent future breach occurrences.

Office of General Counsel

Responsible for providing legal advice during the investigation, including guidance on providing notifications as required by law (e.g. HIPAA, state law, etc.).

Marketing & Communications

Responsible for providing the Privacy Officer with communication strategies with regard to affected parties and internal stakeholders. Also responsible for communicating with the media after consultations with the PO and campus constituencies.

Other offices as necessary, such as the offices of the President, Provost, Vice President for Student Affairs, and/or leaders of affected offices.

Procedures [Flow of responsive actions]

  1. CWRU personnel discover a possible breach of private information.
  2. Immediately, the alleged breach is reported to the Privacy Office (PO). To report a breach, personnel should contact Lisa Palazzo, University Chief Compliance and Privacy Officer, 216.368.5791, lxp66@case.edu.
  3. PO contacts the complainant for information. PO investigates alleged breach event as quickly as possible.
  4. If PO determines no actual breach of private information was made, the PO documents this determination and the process ends.
  5. If PO determines there was a breach of private information, PO works with affected office or department to contain the breach. PO assesses extent and impact of event. PO may also bring in other offices (e.g. ITS Security if the alleged data breach involved electronic information).
  6. After containing the breach, PO confers with Office of General Counsel (OGC) to determine whether specific legal protections relate to the breached information and identify the relevant reporting obligations. PO and OGC will work together to identify all laws that may impact CWRU’s response, including but not limited to the following: Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Ohio state law, other federal laws such as the Federal Trade Commission Act and Gramm-Leach-Bliley Act, plus any relevant contractual obligations. PO and OGC may consult other internal CWRU offices as necessary.
  7. PO drafts standard notification letter to individuals affected by breach and sends letters per applicable legal requirements.
  8. In addition to legally required notifications, PO identifies whether other actions are required to remedy the effects of the breach (e.g. identity theft protection, notification to third parties, etc.). The PO also identifies other institutional process deficiencies that must be addressed. If so, PO works with affected groups to ensure their work processes are modified to avoid similar, future breaches. Also, PO notifies Human Resources of any employment policy violations so that appropriate corrective action may be taken.
  9. A breach incident is closed when PO drafts a Breach Report, an internal record which shall be considered a confidential university document. The PO shall share the breach report, at its discretion, with parties that were involved in the incident, as well as appropriate university leadership. The breach report shall include at least all of the following items, to the extent the information is available:
    • Date and time the breach was detected
    • Physical location, system, and university services involved in breach
    • Department or office responsible for the system or service
    • Type and scope of data which was compromised
    • Brief overview of the vulnerability that contributed to the breach
    • Potential impact to individuals and/or campus operations and resources
    • Summary of response activities
  10. PO collects each Breach Report and may use the report to fulfill legal reporting obligations to appropriate federal agencies. Additionally, appropriate university offices shall maintain records for purposes of compliance with privacy-related laws.