Electronic Data Security Breach Reporting and Response

Effective Date: March 1, 2007 

Policy Statement

Any suspected or confirmed compromise of protected electronic data must be reported to the Information Technology Security and Policy Office and to the local system administrator.  

The Office of the General Counsel is responsible for overseeing legal compliance in the case of a compromise of protected data.

Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change according to the appended procedure.  

Reason(s) for the Policy

Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the University was acquired by someone without valid authorization.

This policy establishes the measures that must be taken to prepare for and respond to data breach incidents, including determining which systems or applications were affected, whether data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.

Primary Policy to Which This Policy Responds

This policy responds to all applicable federal and state statutes pertaining to breaches of the security of protected, electronic data.  These statutes include, but are not limited to, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).

Responsible University Officer and Office

Compliance Responsibility: Office of the General Counsel

Policy and Technical Support: Columbia University Information Technology Security Office

Revision History

This policy was established on February 14, 2007.

This policy was updated in May 2011 to include PCI DSS in the list of statutes.

Who is Governed by This Policy

This policy applies to all individuals who access, use, or control a University information technology resource.  Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the University, guests, and visitors.

Who Should Know This Policy

All individuals, particularly those with broad management responsibilities, including Senior Executive Officers, Deans, Vice Presidents, Data Stewards, Chairs, Directors, Senior Administrative Officers, Departmental Administrators, Researchers, and IT support staff.

Exclusions & Special Situations

None
