BASED ON POLICY NUMBER AND TITLE:
TTC Policy 2-13-0 EP 5: Asset Protection; SBTCE Policy 4-4-105 Information Security
What is an Information Security Data Breach?
A type of incident which includes the access, use, theft, loss of control, disclosure and/or distribution of sensitive data (e.g. SSN, DOB, student grades, tax records, credit card information, medical records) in violation of a law or regulation.
An information security data breach incident may involve any or all of the following:
- A violation of Federal data privacy laws (FERPA, HIPAA, GLBA), South Carolina Technical College System information security policies and procedures, and TTC information security policies and procedures.
- Unauthorized data access by an employee or external entity.
- Unintended disclosure of, loss of, or altered sensitive data.
- Presence of a malicious application, such as a virus or malware, that impacts sensitive data.
- Credentials or other access control mechanisms that are lost, stolen, or disclosed.
- Lost or stolen computing devices that contain sensitive data.
- Lost or stolen mobile storage devices that contain sensitive data.
Information Security Data Breach Response Team
- TTC Information Security Liaison
- Chief of Staff, Student Services
- Director, Finance
- Associate VP, Human Resources
- Registrar, Student Services
- Director, Infrastructure Services
- Director, IT Customer Service
- Director, Enterprise Services
- Operations Manager, Enterprise Services
- Director, Public Safety
- Public Information Director, Marketing
- Business Operations Manager, Continuing Education
- Assistant VP, Academic Affairs
- Internal Auditor, Finance and Administration
- TTC Legal Liaison
Information Security Data Breach Notification
- TTC employees or third party contractors must complete the data breach alert form to report a data breach. If the form is not available, please email the Data Breach Response Team at firstname.lastname@example.org. If email is not available, please call TTC’s Information Security Liaison at 843-574-6311 or the IT Helpdesk at 843-574-6801.
- Describe the type of protected/sensitive data breached:
- Social Security Number
- Date of birth
- Tax records
- Student grades
- Credit card number
- Medical records
- Bank account number
- Briefly describe how the breach was detected.
- Provide the location of breached data (e.g. system name, mobile computing device, storage device, hard copy records, campus, site).
- What date did the breach occur and what date was the breach discovered?
- Briefly describe the scope of the breach (e.g. the number of data records compromised and/or the number of users that are affected).
Data Breach Assessment, Prioritization, and Response (Response Team)
TTC’s Information Security Liaison will serve as a Breach Response Team manager and coordinate activities. In the Security Liaison’s absence, the Student Services Chief of Staff will serve as Response Team manager. In the Chief of Staff’s absence, the Academic Affairs Assistant VP will serve as Response Team manager.
The Breach Response Team manager will immediately convene the team to perform the following steps:
- Validate the data breach:
- Has a data breach occurred in violation of a law or regulation?
- Is the status of the data breach active or post breach?
- What was the method of data disclosure?
- Internal, external, malicious, accidental/unintended?
- Does the breach impact system functionality?
- To what extent does the breach affect faculty, staff, and students?
- What is the anticipated reputational and financial impact to the college?
- Assign a high or low priority level to the data breach based on current and future impact.
- Notify Cabinet of high priority data breaches.
- Cabinet, with guidance from TTC’s Legal Liaison and external Legal Counsel, will determine whether to notify law enforcement based on the nature of the breach and federal, state regulations.
- Cabinet will designate a college representative with the authority to share breach information to external parties including law enforcement.
- Notify data owners and identify all affected data, machines, and devices.
- Reference section 2-C (Response to Red Flags) of the Red Flags Rule Identity Theft Prevention Plan and follow applicable steps.
- Follow applicable FERPA guidelines.
- Document and report on breach response activities and coordinate the flow of information about the breach to TTC employees and contractors.
- Locate and preserve (when possible) all written and electronic logs and records applicable to the breach for examination.
- Work with data owners and IT staff to mitigate damage and determine the root cause of the breach to prevent future occurrences.
- Determine when to notify affected faculty, staff, students, and authorized third parties with guidance from Cabinet, TTC’s Legal Liaison, and external Legal Counsel.
- Law Enforcement will provide notification guidance if the breach is under criminal investigation.
- Create an appropriate media notification after approval from Cabinet, TTC’s Legal Liaison, external Legal Counsel, and Law Enforcement.
- Perform a final assessment of the data breach and ensure that controls are in place to prevent a reoccurrence. Notify Cabinet of low level data breaches after final assessment is complete.
Data Breach Response Phases (Reference)
- Notification to response team
- Notify external agencies and customers (if warranted)
- Lessons learned