Computing & Information Services

Electronic Data Security –– Incident Response Plan

revised 7-22-2011

The Importance of Securing Electronic Data

Much of the data stored or transmitted via Reed's computing equipment is confidential. Unauthorized access to this data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Reed community at risk and exposing the College to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or public relations implications for the College.

Preventing Electronic Data Breaches

The task of protecting confidential electronic data is shared by all members of the Reed community who have authorized access to such data. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential to do so to conduct College business.

Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) as well as by physical means (security cables, locked cabinets, etc.). Mobile devices should not be put into checked luggage when traveling.

The Chain of Responsibility

Under certain circumstances, confidential electronic data –– such as student names, email addresses, or other information –– may need to be conveyed to individuals or groups who are not employees of the College. These may be vendors, contractors, professional organizations, (internal) student organizations, or others. In these circumstances, the College must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom the confidential data might be further conveyed.

Responding to Data Security Breaches

Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that the College respond as quickly and as professionally as possible. Computer thefts should be reported immediately to CIS (ext. 7254 or 503-777-7254). Steps that CIS will take in the event of a data security breach are as follows:

1. Determination of the nature and scope of a breach

  • identification of the person reporting the breach (name, contact info, etc.)
  • record of the location, timeframe, and apparent cause of the breach
  • preliminary identification of confidential data that may be at risk

2. Communication about breach to authorized individuals

  • chief technology officer
  • director of community safety (if physical entry or hardware are involved)
  • president and senior officers (depending on severity of data compromised)
  • law enforcement (depending on the nature/magnitude of theft)
  • legal counsel (depending on severity of data compromised)
  • IDExperts (company on retainer to Reed to assist with breach notification)

3. Investigation of breach

  • confirmation/inventory of confidential materials at risk
  • security measures that were defeated or circumvented
  • forensic evidence
  • likelihood of recovering data (or stolen equipment)
  • utilize outside assistance if needed

4. Assessment of breach

  • password changes and other security measures to prevent further breaches
  • identify individuals affected by the breach (e.g., those whose loss of confidential information may put them at risk of identity theft or other adverse consequences)

5. Remediation

  • determine if lost data can be restored from backups; take appropriate steps
  • determine if lost data can be neutralized by changing account access, ID information, and taking other steps

6. Notification of breach - senior officers and CTO will determine need and method(s) to:

  • notify affected individuals
  • notify Reed community
  • notify public

Guidelines for Community and Public Notifications

If senior officers and the CTO determine that community and/or public notifications are indicated, the CTO will notify IDExperts, who will assist with notifications.

Communications will cover the following points:

  • nature and scope of missing data
  • general circumstances of the breach (e.g., stolen laptop, hacked database etc.)
  • rough timeline of the breach (e.g., date of breach, date of discovery)
  • steps the college has taken to investigate and assess the breach
  • any involvement of law enforcement or other third parties
  • knowledge of any misuse of the missing data
  • college-provided credit-watch service for affected individuals for one year
  • IDExperts steps on behalf of affected individuals
  • steps that the college is taking to prevent future breaches of this nature

Post-Incident Follow-Up

In the wake of a data security breach, CIS will:

  • ensure that missing data (e.g., passwords) cannot be used to access further information or cause harm in other ways to Reed's electronic or other resources;
  • pursue all reasonable means to recover the lost data (e.g., if Reed "ET" software was installed on a missing laptop, determine if it has provided location information);
  • modify procedures, software, equipment, etc., as needed to prevent future data breaches of a similar nature;
  • take appropriate actions if personnel negligence caused or contributed to the incident.