9.7 Data Breach Policy and Procedure

Administrative Responsibility:   Chief Information Officer

PURPOSE

This policy provides the procedures for addressing a security breach of personally identifiable information maintained by the University.  The procedures are designed to facilitate the determination of a security breach, the identification of individuals who are likely to have been affected by the breach, and the implementation of remedial measures to minimize harm to such persons.   

SCOPE

This policy applies to all security breaches of personally identifiable information that is stored by the University in either physical or electronic form.    

DEFINITIONS

"Affected Person" means an individual whose PII has been determined by the CISO to have been accessed as the result of a Security Breach.

"CISO" means the University's chief information security officer.

"Covered Person" means any Wayne State University officer or employee who has access to PII. 

"Personally Identifiable Information" or "PII" means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

"Security Breach" is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user has accessed or has potentially accessed personally identifiable information or (2) an authorized user has accessed or has potentially accessed personally identifiable information for an unauthorized purpose.

POLICY

It is the policy of Wayne State University to maintain the security of PII that is recorded in physical or electronic form and to mitigate the harm that may result from the unauthorized access or use of PII. 

PROCEDURES

  1. Response to a Report of an Imminent or Actual Security Breach
    (a) Duty to Report.  A Covered Person who becomes aware of information that strongly suggests that a Security Breach of PII that is accessible to that Covered Person either has occurred or may occur shall promptly report that information to the CISO.  Although other employees and students are not required to do so, they are encouraged to report to the CISO any information indicating that a Security Breach has occurred or may occur.
    (b) If the CISO becomes aware of a Security Breach, either through a report pursuant to section 5.1 or directly, the CISO shall determine if such Security Breach is imminent or has already occurred.
    (c) Determination of Imminent Security Breach.  Where a Security Breach is determined to be imminent and where the implementation of reasonable security measures would likely prevent the breach, the CISO or other appropriate University official shall implement such measures.
    (d) Determination of Actual Security Breach and Affected Persons.  If a determination is made that a Security Breach has occurred, the CISO shall determine whether any person's PII was accessed as a result of the Security Breach and shall identify the Affected Persons to whom notices must be sent under (e).
    (e) Notification of Affected Persons.  Unless the CISO determines that the Security Breach has not caused or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Affected Persons, the CISO shall arrange for a notice to be provided to each Affected Person without unreasonable delay.
  2. Manner of Providing Notice of a Security Breach

The notice of a Security Breach shall be provided in one or more of the following ways:

    1. Written notice sent to the Affected Person at the recipient's postal address in the records of the University.
    2. Written notice sent electronically to the Affected Person.
    3. If the cost of providing notice under (1) or (2) exceeds $500,000 or the University is required to notify more than 500,000 Michigan residents, notice may be conspicuously posted on the University's public website.  If more than 50,000 non-Michigan residents are required to be notified, posting the notice on the University's public website shall constitute sufficient notice to those individuals. 

  3. Content of Notice

A notice shall do all the following:

    1. Describe the Security Breach in general terms.
    2. Describe the type of personal information that is the subject of unauthorized access or use.
    3. If applicable, generally describe what the University has done to protect data from further security breaches.
    4. Include a telephone number where a notice recipient may obtain assistance or additional information.
    5. Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
    6. Be written in a clear and conspicuous manner.
  4. Notifications to the Michigan Department of Health and Human Services

The CISO shall notify the Michigan Department of Health and Human Services, Division of Victim Services, of any imminent or actual Security Breach within 24 hours of the detection of an imminent breach or the confirmation of an actual breach.  Notifications are to be sent to MDHHS-DVS-DataBreach@michigan.gov.

  5. Internal Notifications

Prior to notifying Affected Persons or the Michigan Department of Health and Human Services, Division of Victim Services, the CISO shall notify the University's Chief Information Officer, Vice President of Marketing and Communication, the Provost, and Vice President and General Counsel that a Security Breach has occurred, the nature of the accessed PII, and the types and an approximate number of persons affected by the breach.   These officials shall determine whether notification of the Security Breach shall be provided beyond Affected Persons to the university constituents within their units and/or provided through a press release to the media.

  6. Violations

Violation of this policy may lead to appropriate action as provided by the disciplinary processes relevant to that individual.  Nothing in this policy shall be construed to modify the terms of any collective bargaining agreement. 

APPENDICES

1) N/A

RELATED UNIVERSITY/BOARD POLICIES

1) University Policy 07-2 Confidential Information Policy

Effective Date: 3/1/2023

Revised Date: N/A

Reviewed Date: N/A

To be reviewed, at minimum, every three years and/or revised as needed by:  Chief Information Officer

Next Review By Date: 3/1/2026

SUPERSEDES POLICY

N/A

HISTORICAL DATES

N/A