Notification of a Data Security Breach

Administrative Procedure

Determining whether individual notification is needed:

Per the Information Security Standard: Data Breach Response, the Chief Information Security Officer (CISO), in consultation with the Office of Legal Affairs and the Chief Privacy Officer (CPO), is responsible for determining:

  1. Whether a breach of information security or of University sensitive data has occurred, and
  2. Whether notification to affected individuals is required, based on state and federal laws, contractual obligations, and industry best practices

The CISO may also seek advice from other key administrators responsible for security and privacy at the University and consult with the responsible administrators of the affected campus, area, or unit.

All notifications must originate from the CPO.

Notifying Individuals

The CPO is the most appropriate party to deliver timely and effective notification to individuals.

  1. Draft the content of notification
    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
      • The CPO will collaborate with the Information Security Office to create a summary of the technical aspects of the incident in easy-to-understand terminology.
    • A description of the types of private data that were involved in the breach (e.g., full name, social security number, date of birth, home address, bank account number, personal financial information, grades, diagnosis, etc.).
    • Any steps individuals should take to protect themselves from possible harm resulting from the breach (e.g., identity theft).
    • A brief description of what the University is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
    • Contact information for further questions and assistance, including a toll-free telephone number, an email address, website address, or postal address as appropriate.
  2. Determine the manner of notification

    The CPO determines the most appropriate manner of notification to impacted individuals: mail, email, or substitute notice, as required under the law.

  3. Seek stakeholder feedback on notification

    The CPO will draft the notification and seek feedback from the CISO, Legal Affairs, and other applicable stakeholders such as University Communications & Marketing and the University Registrar prior to distribution.

  4. Determine if other actions are required

    The CPO, in coordination with the CISO and Legal Affairs, determines whether other requirements apply, depending on the nature of the information that is the subject of the breach and on the scope of the breach. Such determinations may include, but are not limited to:

    • Notification required by Ohio Revised Code Section 1349.19.
    • Notification in accordance with other state and federal laws and with contractual and regulatory obligations, as applicable.
    • Notification regarding protected health information, which must comply with the breach notification provisions of the HIPAA regulations (45 C.F.R. Part 164, Subpart D). Additional requirements may apply under those provisions, such as posting notice on a website, notifying prominent media outlets, and notifying the Secretary of Health and Human Services.

Reviewers

The reviewers of this administrative procedure are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit Risk & Compliance: Josh Gonzalez, Chief Privacy Officer
  • Audit Risk & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
  • Finance: Julie Allison, Associate Vice President, Finance
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education

History

Draft versions of this policy were circulated for review and approved on November 20, 2020.

Draft revisions of this policy were circulated for review and approved on May 16, 2025.