User login


Electronic Data Security Breach Reporting and Response Policy


Effective: October 2013

Revised: November 2014, February 2017, July 2019


I. Introduction

Columbia University is committed to compliance with all applicable federal and state laws and regulations relating to the compromise of Sensitive Data (as such term is defined in the Columbia University Information Security Charter (the “Charter”) This Policy establishes measures that must be taken to report and respond to a possible breach or compromise of Sensitive Data, including the determination of the Systems affected, whether any Sensitive Data have in fact been compromised, what specific Data were compromised and what actions are required for forensic investigation and legal compliance.


Capitalized terms used herein without definition are defined in the Charter.


II. Policy History

The effective date of the Policy is November 1, 2013.  This Policy replaces the University’s Electronic Data Security Breach Reporting and Response Policy, dated February 14, 2007 and amended in May 2011 and June 2013, and the CUIMC Privacy and Information Security Incident Procedure and Breach Notification Policy, dated November 2007, as amended in January and April 2013.    


To see the full text of this policy, please use the link on the right.