The University of North Carolina at Chapel Hill
Protocol for Responding to Security Breaches of Certain Identifying Information
In accordance with the Identity Theft Protection Act of 2005, North Carolina General Statutes § 75-60 et seq. and § 132-1.10 of the Public Records Act (together, the “Act”), the University of North Carolina at Chapel Hill (the “University”) is required to safeguard certain information of patients, employees, students, vendors, and other individuals who provide information covered by the Act to the University. This protocol enables the University to comply with the Act.
II. PROTOCOL FOR RESPONDING TO POTENTIAL OR ACTUAL BREACHES
1. Security Breach.
An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to an individual. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the University for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose and is not subject to further unauthorized disclosure.
2. Identifying Information.
Under the Act and N.C.G.S. § 14-113.20, the following is considered identifying information (excluding some identifiers eliminated by N.C.G.S. § 132-1.10 for State agencies):
a. Social security or employer taxpayer identification numbers.
b. Drivers license, State identification card, or passport numbers (except drivers license numbers appearing on law enforcement records).
c. Checking and savings account numbers.
d. Credit and debit card numbers.
e. Personal Identification (“PIN”) Code as defined in N.C.G.S.
f. Digital signatures.
g. Any other numbers or information that can be used to access a person’s financial resources.
h. Biometric data.
3. Personal Information.
A person’s first name or first initial and last name in combination with identifying information.
B. Breaches and Notification
The University will take all reasonable steps to prevent security breaches with respect to personal and identifying information, as defined above.
1. Internal Notification.
Any University employee or student who becomes aware of a suspected or actual security breach ("breach") must report the matter immediately by calling the Information Technology Response Center (IT Response Center) at 919-962-HELP (919-445-4357). The IT Response Center is available to field such reports 24 hours a day, 7 days a week. If the breach involves the loss or theft of University-owned equipment, the employee or student must also notify the Department of Public Safety by calling (919) 962-8100.
2. External Notification.
The University is required to notify affected individuals of actual security breaches. Each suspected security breach will be reviewed by the Office of University Counsel and other appropriate University units (including, for example, ITS Security and Public Safety). If it is determined that a security breach occurred, the University (through the appropriate University unit) will take appropriate action that will include the following:
1) Notifying affected individuals without unreasonable delay, with the following information:
a) The incident in general terms;
b) The type of identifying information that was subject to the unauthorized access and acquisition;
c) The general acts of the University to protect the personal information from further unauthorized access;
d) A telephone number that the person may call for further information and assistance; and
e) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
2) Providing the affected individuals with information about how to alert credit agencies to potential fraud and identity theft.
Notice to affected persons may be provided by one or more of the following methods:
1) Written notice,
2) Electronic notice for those persons for whom the University has a valid email address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001, or
3) Telephonic notice provided that contact is made directly with the affected persons and appropriately documented by the University unit.
b. Optional Notification to Affected Individuals.
1) If appropriate, the University unit may offer the option to enroll in a credit monitoring service for a defined period of time at the University’s expense.
NOTE: The determination of whether and for how long to offer this service will depend on the nature and extent of the potential or actual breach. The determination will be made by the appropriate University unit, in consultation with the Office of University Counsel.
3. Delayed Notice.
Notice shall be delayed if law enforcement informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national security. A request for delayed notification must be made in writing or documented contemporaneously by the University in writing, including the name of the law enforcement officer making the request and the officer’s agency engaged in the investigation. The required notice shall be provided without unreasonable delay after the law enforcement agency communicates to the University its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
4. Substitute Notice.
Substitute notice may be given if:
a. The cost of providing the notice exceeds $250,000;
b. The number of affected persons is greater than 500,000; or
c. The University does not have the necessary contact information to notify the individual in any of the aforementioned manners.
Substitute notice will include posting a notice on the University’s website, emailing the affected persons if the University has their email addresses, and notifying major statewide media.
5. Additional Notice Requirements.
If a security breach involves more than 1,000 persons, the University will provide written notice of the timing, distribution, and content of the notice to the Consumer Protection Division of the North Carolina Attorney General’s Office, as well as to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p). In addition, the University will submit to the Consumer Protection Division a completed “North Carolina Security Breach Reporting Form” which includes the number of North Carolina residents affected and the total number of persons affected.
III. INSTITUTIONAL ACTIONS
At least annually, the University Committee for the Protection of Personal Data (UCPPD) will review all incidents of potential or actual security breaches and make recommendations to the Chancellor’s Cabinet for institutional improvements in order to minimize such occurrences in the future.
IV. ADDITIONAL UNIVERSITY POLICIES AND RESOURCES
A breach of personal and/or identifying information may implicate laws other than the North Carolina Identity Theft Protection Act. The following University documents may also be applicable:
· Information Security Policy: http://www.unc.edu/hipaa/policies/Information_Security.pdf
· HIPAA “Minimum Necessary” Policy: http://www.unc.edu/hipaa/policies/Minimum_Necessary.pdf
· Payment Card Industry Standards: http://www.unc.edu/finance/controller/fc/pcd_manual.pdf
The University also has prepared template notification documents that are available online at http://www.unc.edu/depts/legal/ssn.
V. EFFECTIVE DATE
This protocol is effective October 1, 2006.
Revised: January 17, 2007
This policy is maintained by the Office of University Counsel.