Data Breach Notification Policy

Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017

Statement

Santa Fe College (SF) is governed by the notification requirements of Florida Statutes §501.17(3)-(6), otherwise known as the Florida Information Protection Act (FIPA) of 2014. Accordingly, SF shall provide timely and appropriate notice, as required, when there is reasonable belief that protected personal information held by SF has been compromised by a data breach.

Purpose

The purpose of this policy is to outline how SF will respond to incidents involving data breaches. It will identify and define steps and procedures that will be followed when those breaches occur and will address how affected individuals will be notified as required by the relevant state or federal laws.

Scope

This policy applies to all SF information assets or information assets under the care of SF, and applies to all faculty, staff, students, and individuals who interact with, access, or store SF electronic information regardless of storage device, medium, or physical location.

Definitions

Data Breach - An incident of unauthorized access of data in electronic form containing personal information,sometimes also referred to as a “breach of security” or a “breach”.

• Protected personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, and does not include information made lawfully available to the general public from federal, State, or local government
• Good faith acquisition of protected personal information by an employee or agent of SF for a legitimate purpose does not constitute a data breach, provided that the personal information is not used for a purpose other than a lawful purpose of SF and is not subject to further unauthorized

Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.

Technology Incident Response Team (TIRT) - A cross-functional group organized/selected by the Chief Information Officer (CIO) and comprised of skilled individuals within SF with the expertise, technical resources, and decision-making capability to coordinate a quick, effective, and orderly response to technology-related incidents. Previously referred to as the Information Security Incident Response Team.

Florida Information Protection Act (FIPA) - requires covered entities, which includes certain government entities, conducting business in Florida that acquire, maintain, store or use personal information, to inform Florida residents of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information. FIPA provides the following definitions of what constitutes protected personal information:

1. The first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
   • Social Security Number
   • A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify
   • Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts.
   • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
   • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
2. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account

Additional definitions of the terms used in this policy can be found in the SF IT Policies Appendix A.

Policy

5.1 Reporting responsibilities

All individuals affiliated with SF in any capacity, including but not limited to staff, students, faculty, contractors, visitors, and alumni, should report suspected or actual data breaches immediately to their supervisor, any SF Executive/Managerial employee, or directly to the Information Technology Services Help Desk at 352-395-5999.

Examples of the types of incidents to report include, but are not limited to:

• Access to SF IT resources by unauthorized individuals
• Evidence of unauthorized access into a system containing private/confidential data
• An unauthorized attempt to physically enter or break into a secure IT area
• Unauthorized sharing of SF IT login credentials.
• Loss of an SF hardware resource such as laptop, tablet, cell phone, or removable data storage devices.
• Hacking or defacing of an SF online resource
• Documents containing private/confidential data sent in any form to a wrong recipient.
• Employee misuse of authorized access to disclose or mine private or confidential data.

5.2 Activating the Technology Incident Response Team

Upon receipt of a suspected information security breach, the CIO or designee, or other cognizant representative, will convene the Technology Incident Response Team (TIRT) without undue delay to expeditiously conduct a fact-finding investigation to determine whether a data breach or compromise has occurred.

5.3 Security Breach Initial Procedures

Containment - If the TIRT determines there was a data breach, the TIRT will partner with Information Technology and the affected office or department to contain the breach.

Assessment - Once the breach is contained and eradicated, the TIRT will assess the extent and impact of the breach.

Data preservation - All evidence related to the breach will be preserved for future analysis.

Documentation - Each step related to the breach and breach investigation will be fully documented.

Reporting and legal obligations - The TIRT will consult with the college’s General Counsel to determine specific legal obligations relating to the breached information and relevant reporting obligations such as:

• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• State of Florida laws
• Federal laws including the Federal Trade Commission Act and Gramm-Leach-Bliley Act
• Any relevant contractual obligations

If a data breach compromises protected personal information of over 500 individuals in the State of Florida, SF must inform the Florida Department of Legal Affairs as well as each affected or likely affected resident within 30 days of the breach

Additionally, SF will be required to make certain materials available to the state government upon request, such as remedial procedures, incident reports, and computer forensic

5.4 Notification to Victims

5.4.1 Timing for Providing Notification

If required by law, SF shall notify affected individuals, regardless of the overall number of affected persons, without unreasonable delay and within 30 days upon discovery of a data breach. Notification shall be delayed, however, if a law enforcement agency informs SF that disclosure of the breach would impede a criminal investigation or jeopardize national or homeland security. A request for delayed notification must be made in writing or documented contemporaneously by SF in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The required notification shall be provided without unreasonable delay after the law enforcement agency communicates to SF its determination that notification will no longer impede the investigation or jeopardize national or homeland security.

5.4.2 Responsibility for Providing Notification

The Office of the General Counsel will review the proposed notification prior to being sent and will assist in drafting as required. A copy of the notification will also be provided to the Office of the President of SF prior to the time it is posted or sent to affected individuals.

5.4.3 Contents of the Notification

• A description of the incident in general terms and a timeline of the data breach.
• A description of the type of personal information that was subject to possible unauthorized access and acquisition.
• A description of the actions taken by SF to protect the personal information from further unauthorized access.
• A telephone number that affected individuals may call for further information as well as directions for the person to remain vigilant by reviewing account statements and monitoring free credit reports.
• The toll-free numbers and addresses for the major consumer reporting agencies.
• Beyond notification and except where required by law, SF makes no promise of service to individuals affected by a data breach. SF, however, may elect to provide additional services to affected individuals at its discretion.

5.4.4 Methods of Notification

• Written notice by first class mail to each affected individual
• or
• Electronic notice to each affected individual if communication normally occurs in that medium
• or
• Telephonic notification provided that the contact is made directly with the affected person(s).
• Substitute notice may be provided if the cost of providing the written notice required to each affected individual would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or SF does not have sufficient contact information to notify affected individuals. Substitute notice consists of all of the following:
  • Conspicuous posting of the notice on the institution website for a minimum of 45 days
  • and
  • Notification to major media outlets that reach the general public.
• Whenever notice of data breach is given to more than 1,000 persons, SF will notify, without unreasonable delay, all three major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

IT Responsibilities

All entities that collect customer data should "take reasonable measures to protect and secure data in electronic form containing personal information" on individuals. The SF ITS Department will be responsible for the following:

• Training employees on steps to take to ensure data security as part of their job duties.
• Purchasing data security software.
• Limiting employees’ access to data that each specific employee needs to
  complete their job requirements.
• Regularly auditing file access permissions.
• Implement procedures for reporting data breaches or violations of
  security protocol.
• Educating employees on any new developments in data breach security.
• Hiring a security expert to periodically review the security of SF data.
• Implementing disposal standards for customer data no longer to be
  retained.
• Implementing a yearly practice exercise of this policy and adjusting as
  necessary.

Contact

Questions regarding this Policy should be directed to Information Technology
Services at 352-395-5999 or can be emailed to help.desk@sfcollege.edu.

History/Revision Dates

Approved: 05/08/2017