Security Incident Reporting and Breach Notification Procedure
- Reference: California Civil Code Sections 1798.29 and 1798.82
- Issue Date: June 2005
- Revision Date: November 2018
- Expiration Date: N/A
This document outlines procedures and protocols for notification of and response to a security incident or breach involving unencrypted electronic personal information processed and/or maintained by the university and its auxiliary organizations.
SECURITY INCIDENT REPORTING & INVESTIGATION PROTOCOL
Security Incident Reporting
In the event that a data owner, technology staff member, or Information Technology Services representative identifies a potential security incident involving a computer, the computer shall first be disconnected from the network, then shut down. In all instances, the Operating Unit will await further instructions from the Information Security Officer prior to continued operation of the computer.
Any employee or data owner who believes that a security incident has occurred shall immediately notify the Vice President of Division of Information Technology/Chief Information Officer and the Information Security Officer. During campus closure, notification shall be made to University Police at (562) 985-4101.
Upon notification by an employee, Information Technology Services, or University Police of a suspected unauthorized acquisition of confidential information, the Information Security Officer shall promptly notify the Information Security Incident Response Team.
Security Incident Investigation
The Information Security Officer will conduct an investigation into the security incident to determine whether there has been a security breach. All investigatory work will be documented within a Confidential Information Security Incident Report by the Information Security Officer.
- Low/No Risk Incident
A Low/No Risk incident typically occurs when a User or College/Division Technology staff member observes a problem with a computer, though it is not limited to that case. The computer may have been compromised by a form of malware installed on it:
- College/Division Technology staff will notify firstname.lastname@example.org.
- College/Division Technology staff will consult with the security team, and possibly Information Technology Services, to determine the level of risk with the incident.
- If it is determined the incident is a “High Risk”, skip to Step 2.
- If it is determined the incident is considered “Low/No Risk”, the College/Division Technology staff will work with the User and Appropriate Administrator to complete the Employee Identification of Stored Data statement, if deemed necessary by the Information Security Officer.
- High Risk Incident
A High Risk incident typically occurs when Network Services notices an alert or spike in network activity, though it is not limited to that case. The computer may have been compromised due to remote program execution, unusual data traffic, RTP services, etc.
- College/Division Technology staff will notify email@example.com.
- The affected computer will be temporarily transferred to ITS custody for forensic analysis.
- The Information Security Officer will conduct an incident investigation, which may include:
- Follow-up interview with the User
- Follow-up interview with College/Division Technology staff
- Follow-up interview with appropriate administrator.
- Upon completion of forensic analysis and interviews, the Information Security Officer, forensic analysis team, and appropriate administrators from Network Services and Academic Technology Services will meet to review all evidence and determine if there was a security breach.
- If there was no breach, College/Division Technology staff will work with the User and Appropriate Administrator to complete the Employee Identification of Stored Data statement, if deemed necessary by the Information Security Officer.
- If there is a breach, follow the steps outlined in Part II: Security Breach Notification Protocol.
Upon completion of the investigation, the Information Security Officer will inform the Information Security Incident Response Team of the result of the investigation.
SECURITY BREACH NOTIFICATION PROTOCOL
If it is determined after investigation that a security breach involving notice triggering information has occurred, the Information Security Officer shall notify the Vice President of Division of Information Technology/Chief Information Officer and Office of General Counsel.
If it is determined that a breach is of the appropriate magnitude and may require a press release, the Information Security Officer shall notify the Senior Director, Information Security Management, Associate Vice President, University Relations, Office of the Chancellor and copy the CIO/Assistant Vice Chancellor.
The Information Security Officer will notify the responsible department, confirming the security breach of notice triggering information and provide advice and guidance. The Information Security Officer shall also initiate the campus breach notification process and work closely with the Division Executive or designee of the department responsible for controlling access to, and security of, the breached electronic equipment to ensure the appropriate handling of the breach response and inquiries. The Information Security Officer will provide guidance to designated employees responsible for responding to breach notification inquiries.
If it is determined after investigation that a security breach involving credit/debit card information has occurred, the Information Security Officer will direct notification to the appropriate merchant bank(s). Within three (3) business days of a confirmed breach, the Information Security Officer shall provide an Incident Report to the appropriate merchant bank(s). Within ten (10) business days, the Information Security Officer shall provide to the appropriate merchant bank(s) a list of all potentially compromised accounts.
Notification of Affected Individuals
The department or office responsible for controlling access to, and security of, the breached electronic equipment shall compile the list of the names of persons whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In consultation with the Information Security Officer, a list of individuals to notify shall be compiled based on the following criteria:
- Residents of California.
- All individuals who are likely to have been affected, such as all whose information had been stored in the files involved, when identification of specific individuals cannot be made.
If notices are sent to more than 10,000 individuals, the Information Security Officer shall notify the following consumer credit reporting agencies:
- Experian: E-mail to BusinessRecordsVictimAssistance@experian.com
- Equifax: E-mail to firstname.lastname@example.org
- TransUnion: E-mail to email@example.com, with “Database Compromise” as subject.
The process for identifying affected individuals as part of a notification shall be included in the Confidential Information Security Incident Report.
Individuals whose notice-triggering information has been compromised shall be notified in the most expedient time possible, and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The information considered when determining the notification date shall be included within the Confidential Information Security Incident Report.
Content of Notice
The breach notification will provide a brief description of the security breach, a contact for inquiries, and helpful references to individuals regarding identity theft and fraud. The content of the breach notification, and when appropriate, the content of both the web site page and the press release will be reviewed and approved by the Information Security Officer.
Communications with Outside Agencies
With the exception of the Office of Government and Media Relations, University Police, and the Information Security Officer, university personnel are not authorized to speak on behalf of the university to media personnel or representatives of other outside agencies. All media inquiries or other public affairs inquiries should be directed to the Office of Government and Media Relations at (562) 985-8816. All other inquiries should be directed to the Information Security Officer at (562) 985-5459 or to the University Police at (562) 985-4101.
Method of Notification
A letter shall be printed with official California State University, Long Beach letterhead, addressed to the individual at the last recorded home address, or if only an email address is known, the last recorded email address with the University. Any notices returned with address forwarding information will be re-sent by the responsible department.
Alert appropriate consumer credit reporting agencies if notification is sent to more than 10,000 individuals.
If fewer than 500,000 individuals were affected, or if the cost of disseminating individual notices is less than $250,000, notices shall be sent by first class mail or e-mail.
If more than 500,000 individuals were affected or if the cost of giving individual notices to affected individuals is greater than $250,000 or if there is insufficient contact information, the following substitute notification procedures shall be followed:
- Notices by e-mail shall be sent to all affected individuals whose e-mails are known.
- The University shall issue a press release to the media as appropriate.
- A “Notice of Breach” shall be conspicuously posted on the campus web site. *
*After a six month period of time the Office of General Counsel, Associate Vice President, Government and Media Relations, and the Information Security Officer will determine whether to continue website posting.
Breach Notification Inquiry Response
Subsequent to a security breach notification, the University can expect several inquiries from notified users, their parents/spouse, and security vendors. The Information Security Officer will provide a written Inquiry Response Guide to be used by the division executive, or designee(s), to respond to any phone calls, e-mails, letters, or walk-in traffic with inquiries regarding the breach. If the questions are outside the scope of the information provided within the Inquiry Response Guide, the division executive or designee may refer the inquiry to the Information Security Officer for further assistance.
The department responsible for controlling access to, and security of, the breached electronic information is responsible for financial and human resources used to notify and respond to the affected individuals.
DEFINITIONS
Confidential Information is information that identifies or describes an individual. Confidential Information is further detailed on the CSULB Information Security webpage.
Unencrypted electronic personal information/notice-triggering information will be considered to have been acquired, or reasonably believed to have been acquired, by an unauthorized person in any of the following situations:
- Lost or stolen electronic equipment (including palm pilots, laptops, desktop computers, and USB storage devices) containing unencrypted personal information.
- A successful intrusion of computer systems via the network where it is indicated that unencrypted personal information has been downloaded, copied, or otherwise accessed.
- Unauthorized data access, which includes situations where someone has received unauthorized access to data, such as sending non-public mail/e-mail to the wrong recipient, incorrect computer access settings, inadvertent posting of personal information in electronic format, or other non-hacking incidents. Unauthorized data access also includes indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
Data Owner
The individual with primary responsibility for determining the purpose and function of a record system.
All encryption algorithms, with the exception of trivial ciphers, meet the minimal campus requirements for encryption. If personal information stored on the compromised electronic equipment is encrypted, no University notification is required.
Health Insurance Information
An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
Confidential Information Security Incident Report
An investigatory summation of a Security Incident completed by the Information Security Officer to determine if the university has incurred a Security Breach.
Medical Information
Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
Notice-Triggering Information
Specific items of personal information identified in CA Civil Code Sections 1798.29 and 1798.3. This information includes an individual’s name in combination with Social Security Number, driver’s license/California identification card number, health insurance information, medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Security Breach
An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by California State University, Long Beach or its auxiliary organizations.
Information Security Incident Response Team
Individuals designated by the University to address Information Security issues. The group includes the Associate Vice President/Dean of Students, Student Services, Associate Vice President of Academic Technology, Associate Vice President, Information Technology Services, Associate Vice President, University Relations, Information Security Officer, and the Chief of Police.
Security Incident
A collection of related activities or events which provide evidence that confidential information could have been acquired by an unauthorized person.
LEGAL OR CIVIL ACTIONS
Subsequent to a breach, the University may be reviewed by a governing state or federal agency or a civil action could be brought against the University. The Information Security Officer will represent all complaints and agency inquiries submitted to the University as a result of the security breach. Legal counsel will be solicited as needed to respond to complaints or actions. The University is responsible for the payment of fines, penalties, or retributions levied by agencies or the courts.
Information Security Office