University Incident Response Policy
Fordham's Electronic Data Security Breach Notification and Response Policy
Policy Statement
Actual or suspected security breaches involving confidential personal data must be reported immediately to the University Information Security Office (UISO) and the University Chief Information Security Officer. Once the nature and extent of the breach has been determined, the University will notify affected individuals as necessary. Violations of this policy may lead to disciplinary action.
The Office of the General Counsel is responsible for overseeing legal compliance in the case of a compromise of protected data.
Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change according to the appended procedure.
Reasons for the Policy
Confidential personal data compromised by a security breach may lead to identity theft and invasion of privacy for affected individuals. Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the University was acquired by someone without valid authorization or inadvertently disseminated.
This policy establishes measures that the University will take to prepare and respond to security breach incidents including the determination of the systems or applications affected, whether the data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.
Primary Legislation to which this Policy Responds
This policy responds to all applicable federal and state statutes pertaining to security breaches of protected electronic data. These statutes include, but are not limited to, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).
What is the New York State Information Security Breach and Notification Act? The New York State Information Security Breach and Notification Act, effective December 7, 2005, requires notification to any New York resident whose “private information” was, or is reasonably believed to have been, acquired by a person without valid ‘authorization”. The Act requires Fordham to notify:
- Affected individuals upon discovery of the breach of electronic protected information.
- Consumer reporting agencies if more than 5,000 New York residents are to be notified.
- The Attorney General’s office, the Consumer Protection Board and the New York State Office of Cyber Security & Critical Infrastructure Coordination, of the timing, content, and distribution of the notices and an approximate number of affected persons.
You can read more about the Act from MSSNY or the NY attorney general.
What is the Family Educational Rights and Privacy Act (FERPA)? The Family Education Rights and Privacy Act (FERPA) is a Federal law that protects and safeguards the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Individuals cannot bring a case against the institution, but the Department of Education can enforce FERPA by depriving an institution of federal funding (including financial aid to students). Read more about FERPA.
What is the Health Insurance Portability and Accountability Act (HIPAA)? The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of medical records for health care providers, health maintenance organizations and health records clearinghouses. A major goal of HIPAA is to assure that individual’s health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and protect the public’s health and well being. HIPAA establishes, for the first time, a foundation of federal protections for the privacy of protected health information. However, it does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices. Read more about HIPAA.
What is the Gramm-Leach-Bliley Act (GLBA)? The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, is a comprehensive, federal law that governs a financial institution’s retention, use and disclosure of customer records and information. GLBA sets forth a financial institution’s privacy obligations to its customers and its duties concerning the safeguarding of customer’s personal information. The GLBA is composed of several parts, including the Privacy Rule (16 CFR § 313) and the Safeguards Rule (16 CFR § 314). The GLBA applies to the University because it processes student loans and provides other financial services. As such, the University falls within the definition of “financial institution” under the GLBA and must comply with the law’s requirements. “Financial Institution” means any institution which engages in financial activities. Examples of financial activities that are covered by GLBA include the following: student or other loans, including receiving application information, and the making and servicing of such loans, collection of delinquent loans, check cashing services, financial or investment advisory services, credit counseling services, travel agency services provided in connection with financial services, tax planning or tax preparation, obtaining information from a consumer report career counseling services for those seeking employment in finance, accounting or auditing. View additional guidance regarding GLBA.
Fordham University is committed to compliance with all applicable legal statutes pertaining to the breach of security of protected electronic data. Compliance includes all actions and notifications defined by the governing federal or state statutes as well as University policies associated with data security and privacy.
Responsible University Officer and Office
Legal Compliance Responsibility: Office of the General Counsel
Policy and Technical Support: University Information Security Office (UISO)
Who is governed by the policy?
This policy applies to all individuals who access, use, or control a University information technology resource. Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the University, guests, and visitors.
Who should know the policy?
This policy is to be distributed to all users who use University-owned systems and networks including, but not limited to, Senior Executive Officers, Deans, Vice Presidents, Data Stewards, Chairs, Directors, Senior Administrative Officers, Departmental Administrators, Instructional Staff, Researchers, and IT support staff.
Responsibilities
Reporting
It is the responsibility of all users to report promptly all suspected or confirmed breaches of protected electronic data to one of the contacts listed below in “Contacts”
Compliance and University Response
The University has established a University Response Team to deal with electronic data breaches. The core University Response Team (URT) consists of representatives of the following units:
Fordham University Information Security Office
General Counsel
Human Resources
Internal Audit
Office of Marketing and Communications
Office of Safety and Security
Student Affairs (Dean of Students for the campus)
The Chief Information Security Officer, his/her delegate, or other cognizant representative of the URT will convene the URT upon receiving a report of a possible breach. An individual will be appointed to manage the ensuing investigation.
The General Counsel is responsible for all legal issues associated with an actual or suspected compromise of protected data.
The Office of General Counsel will work with the Office of Safety and Security which is responsible for all contacts with law enforcement and for the non-technical and possible criminal aspects of any investigation.
The Dean of Students or a designate appropriate to the school in which the student is enrolled is responsible for the adjudication of any student who may be responsible for violation of the University Code of Conduct relative to this policy (possible language).
The Office of Marketing and Communications is responsible for all internal and external communications and media relations after consultation with the URT’s members.
The University Response Team will establish detailed internal procedures for compliance, external and internal communications, and oversight of the investigation and technical support associated with a suspected or actual breach of protected electronic data.
The core URT will call on any necessary additional offices and resources required to carry out the investigation and remediation of any breach. This expanded URT will be responsible for the investigation of the incident and any technical support required. Incident team members will include representatives of affected data owners, any other units/offices/individuals responsible for the devices or data involved, and any associated information technology or investigative resources.
The following major units/offices/individuals will participate in the development of procedures for an investigation, in periodic reviews of these procedures and in regular training. Any area of responsibility that is not represented by the table below will be handled through the Office of General Counsel.
| Unit/Office/Individual | Area of Responsibility |
| General Counsel | Legal compliance |
| Safety and Security | Law enforcement/criminal investigation |
| University Information Security | Investigation |
| Marketing and Communications | Communications |
| University Information Security | Technical support |
| Internal Audit | Audit issues |
| University Information Security | Risk issues |
| Academic Affairs | Academic data |
| Finance | Financial data |
| Human Resources | Human resources data |
| Student Affairs | Student data |
| Development and University Relations | Alumni/development data |
| Libraries | Libraries data |
| Student Affairs | University Health and Medical Data, Judicial Affairs information, counseling and mental health information |
| Enrollment Services | Enrollment data |
Definitions
Breach The actual or probable exposure of protected data to an unauthorized person by any means. This includes inadvertent disclosure of the data as well as the unauthorized action of a person authorized to access the data.
Device Devices include computers and any other equipment such as PDAs, smartphones, tablets, copiers, printers, disk drives, diskettes, CDs, USB drives, or other devices that store or display data.
Incident A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of Information; interference with Information Systems operations; or violation of policy
User Any individual who accesses, uses, or controls a University electronic information resource. Users include but are not limited to staff, faculty, students, those working on behalf of the University, guests, and visitors.
Confidential/personal/sensitive protected data/information Any information in or sourced from an electronic information system likely to result in an identity theft such as name, addresses, University ID Number, Social Security Number, bank account information, driver's license number, credit or debit card numbers, etc.
Points of Contact
To report a possible IT Security Incident:
Email: infosec@fordham.edu
To confidentially report an IT Security Incident:
Web: Confidential Incident Report
For legal issues: Office of Legal Counsel
Phone: 718-817-3110
Cross References to Related Fordham and Other Governmental Policies