Effective Date: March 1, 2007
Any suspected or confirmed compromise of protected electronic data must be reported to the Information Technology Security and Policy Office and to the local system administrator.
The Office of the General Counsel is responsible for overseeing legal compliance in the case of a compromise of protected data.
Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change according to the appended procedure.
Reason(s) for the Policy
Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the University was acquired by someone without valid authorization.
This policy establishes measures that must be taken to prepare and respond to data breach incidents including the determination of the systems or applications affected, if data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.
Primary Policy to Which This Policy Responds
This policy responds to all applicable federal and state statutes pertaining to breaches of the security of protected, electronic data. These statutes include, but are not limited to, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).
Responsible University Officer and Office
Compliance Responsibility: Office of the General Counsel
Policy and Technical Support: Columbia University Information Technology Security Office
This policy was established in February 14, 2007.
This policy was updated in May 2011 to include PCI DSS in the list of statues.
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control a University information technology resource. Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the University, guests, and visitors.
Who Should Know This Policy
All individuals, particularly those with broad management responsibilities including Senior Executive Officers, Deans, Vice Presidents, Data Stewards, Chairs, Directors, Senior Administrative Officers, Departmental Administrators, Researchers, and IT support staff
Exclusions & Special Situations