Statement of Purpose
The purpose of this policy is to ensure that the university meets its disclosure obligation in the event of an inappropriate release of sensitive, personal information.
Entities Affected by this Policy
Entities affected by this policy include 51³Ô¹ÏºÚÁÏ students and employees and anyone interacting with 51³Ô¹ÏºÚÁÏ.
Who Should Read this Policy
51³Ô¹ÏºÚÁÏ students and employees and anyone engaging in business with 51³Ô¹ÏºÚÁÏ should read this policy.
Policy
The university shall disclose any breach of its data to any person whose sensitive, personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure shall be made in the most expedient time possible. It is the university’s sole discretion to determine the scope of the breach.
The disclosure may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
The university shall make every reasonable effort to contact individuals impacted. Contact may be made in person, by mail, and/or by e-mail.
If the university does not have sufficient contact information, a general disclosure will be posted on a 51³Ô¹ÏºÚÁÏ web site and appropriate news media outlets will be notified.
The university will provide information about data breaches as required by federal and state laws, and NSHE regulations and/or policies.
For additional information, including how to request an exception to this policy, refer to the Office of Information Technology’s Policies and Procedures web page at .
Related Information
Links
Contacts
Definitions
- Breach
-
Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of sensitive, personal information maintained by the university or its employees. Good faith, but unauthorized, acquisition of such sensitive, personal information by an employee or agent of 51³Ô¹ÏºÚÁÏ for university business is not a breach for purposes of this policy, provided that the information is not subject to further unauthorized disclosure.
- Disclosure
-
Notification using one of the following methods:
- Notice in writing either hand delivered or mailed to the address on file with, or last known to, the university
- Notice by e-mail if the individual has an e-mail address on file with the university
- Every Reasonable Effort
-
Use all contact information available in university records to notify individuals who may have been impacted.
- Sensitive, Personal Information
-
Any information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)]
Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed.