Electronic Data Security –– Incident Response Plan
revised 7-22-2011; revised 3-18-2016
The Importance of Securing Electronic Data
Much of the data stored or transmitted via Reed's computing equipment is confidential. Unauthorized access to this data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Reed community at risk and exposing the College to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or public relations implications for the College.
Preventing Electronic Data Breaches
The task of protecting confidential electronic data is shared by all members of the Reed community who have authorized access to such data. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential for College business.
Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) as well as by physical means (security cables, locked cabinets, etc.). Mobile devices should not be put into checked luggage when traveling.
The Chain of Responsibility
Under certain circumstances, confidential electronic data –– such as student names, email addresses, or other information –– may need to be conveyed to individuals or groups who are not employees of the College. These may be vendors, contractors, professional organizations, (internal) student organizations, or others. In these circumstances, the College must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom the confidential data might be further conveyed.
Responding to Data Security Breaches
Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that the College respond as quickly and professionally as possible. Computer thefts, should be reported immediately to CIS (firstname.lastname@example.org ext. 7254 or 503-777-7254).
Steps that CIS will take in the event of a data security breach are as follows:
- identification of the person reporting the breach (name, contact info, etc.)
- basis for belief that a breach has occurred
- location, timeframe, equipment, and/or other details of breach
- preliminary identification of confidential data that may be at risk
- chief information officer
- director of community safety (if physical access to hardware is involved)
- president and senior officers (depending on sensitivity and scope of data exposed)
- legal counsel (depending on sensitivity and scope of data exposed)
- law enforcement (depending on the nature/scope of theft)
- IDExperts (company retained by Reed to assist with breach notification)
- director of public affairs (depending on sensitivity and scope of data exposed)
- if credit card data is involved notify bankcard holder within 24 hours of confirmed breach discovery (and notify CampusGuard, Inc. for assistance)
- identify ongoing vulnerability of data to exposure from breach source (and take immediate steps to address)
- conduct preliminary forensic analysis (retain outside assistance as needed)
- prepare inventory of data at risk
- determine if exposed data were encrypted
- identify security measures that were defeated (and by what means)
- identify affected individuals at risk of identity theft or other harm
- assess financial, legal, regulatory, operational, reputational and other potential institutional risks
- implement password changes and other security measures to prevent further data exposure
- determine if exposed/corrupted data can be restored from backups; take appropriate steps
- determine if value of exposed data can be neutralized by changing account access, ID information, or other measures
Based on regulatory requirements (e.g., Oregon ID Theft Protection Act) and other factors, Senior Officers, CIO, and Director of Public Affairs (in consultation with legal counsel as appropriate) determine whether notifications are required (or advisable) for:
- government agencies
- affected individuals
- Reed community
- business partners
If Senior Officers, CIO, and Director of Public Affairs determine that notifications are needed:
- the CIO will notify IDExperts who will coordinate notifications to affected individuals. Unless directed otherwise by law enforcement, such notifications will be made without delay.
- the Chief Financial Officer will notify government agencies and business partners.
- the Director of Public Affairs will coordinate notifications to the Reed community, the public, and others as necessary.
Communications will address the following points:
- nature and scope of breach
- general circumstances of the breach (e.g., stolen laptop, hacked database etc.)
- approximate timeline (e.g., date of breach discovery)
- steps the college has taken to investigate and assess the breach
- any involvement of law enforcement or other third parties
- appraisal of any misuse of the missing data
- college-provided credit-watch service for affected individuals (1-2 years)
- IDExperts steps on behalf of affected individuals
- steps that the college is taking to prevent future breaches of this nature
In the wake of a data security breach, Reed will:
- take steps to ensure that missing data cannot be used to access further information or cause harm in other ways to Reed's electronic or other resources;
- pursue with law enforcement all reasonable means to recover lost data and equipment;
- review and modify as needed all procedures governing systems administration, software management, database protections, access to hardware, etc., to prevent future data breaches of a similar nature;
- take appropriate actions if staff negligence or other’s behavior contributed to the incident.