Information Security Breach Notification Policy
Issued: March 1st, 2010
Related Policies: Hampshire College Information Security Policy, Hampshire College Data Security Policy
1.0 Purpose:
To define the circumstances under which the College shall provide notice regarding a breach in security of college information.
2.0 Scope:
This policy applies to information safeguarded both by Hampshire College and/or by third-party vendors and contractors working with Hampshire College. Suspected or confirmed information security breaches must be reported immediately to the director of information technology. A breach is defined as unauthorized access of college information. Hampshire College Information Technology Department will investigate all reports of security breaches of private and/or Level III information, as defined in the Hampshire College Data Security Policy.
Based on the results of the College's investigation, internal and/or external parties may be notified, as necessary and appropriate.
3.0 Policy:
Upon notification of a suspected information security breach the information technology department will:
- Report the breach to the appropriate officials
- Block, mitigate, or de-escalate the breach, if possible.
- Implement processes and procedures to prevent similar breaches from occurring in the future.
Internal Notification
The Hampshire College information technology department will report all suspected cases of significant information breaches to the vice president for finance and administration, and will work with him/her to establish an appropriate response strategy. If the Hampshire College information technology departments's investigation determines that criminal activity has taken place, the information technology director (or designee) will report the breach to public safety and/or College counsel. The College community at large will be notified of the results of the initial investigation.
External Notification
The director of information technology in consultation with the vice president for finance and administration will determine if external notification will be required in the event of an information breach. External notification is required if any of the following conditions are met:
- Has access been gained to unencrypted Level III information?
- Has a physical device that contains unencrypted Level III information been lost or stolen?
- Is there evidence that unencrypted Level III information has been copied or removed?
- Is there evidence that the intrusion was intended to acquire unencrypted Level III information?
- Do local, state, or federal laws or college policy require notification in this instance?
Parties to be notified may include:
- Anyone affected by the breach, or whose data may have been compromised.
- Government officials as required by law, such as the attorney general of Massachusetts.
Information Classes
Please refer to the Hampshire College Data security policy for more information regarding classification of information.