Ethical Panther line: 1-888-520-0570

Reporting Privacy Breach & Information Incidents

What should you do if you become aware of a privacy breach or information incident?

Any incident which involves the unauthorized disclosure, acquisition or breach of the University’s data, maintained in an electronic form or medium, is considered an information incident which must be reported immediately to the Chief Compliance Officer and/or the Chief Information Security Officer. It is important to remember that not all incidents are privacy breaches.

Any incident which involves the unauthorized disclosure, acquisition, or breach of information – whether on paper, electronically, or verbally – which the University is obligated to maintain private and confidential, e.g., social security numbers, student education records and patient identifiable health information, is considered a privacy breach and must be reported to the Chief Compliance Officer and/or the Chief Information Security Officer.

Private information is personal information about an individual that the individual can reasonably expect will not be made available to the public. This type of information includes personally identifiable information (a category of private information regulated by federal and state laws), as well as other non-public private information that would adversely impact an individual if inappropriately used or disclosed.

The Chief Compliance Officer works in close collaboration with the Chief Information Security Officer in assessing the viability and strength of the administrative, physical and technical safeguards in place to secure personally identifiable information in all formats: on paper, electronically, and verbally.

Should I do anything before I report the privacy and/or information incident within 24 hours?

Yes, if you can, before you report it, you should:

  • Verify that an Incident occurred.
  • Determine whether the Incident involved private information.
  • Consider what immediate steps should be taken to mitigate harm (e.g., remote wipe a lost or stolen device, or contact a recipient to arrange for destruction of material sent in error).
  • Take the lead, and direct others to gather and preserve FIU information and records needed for General Counsel to make a final breach determination.

For example,

  • If the privacy breach is that medical records were inadvertently left behind in a conference room, pick them up and take them to a secure location so that no one else can view them or remove them from the room.
  • If the breach involves a computer system containing private data:
    • Disconnect the computer from the network (i.e. pull the network cable from the computer, disable wireless access).
    • Do not power off, reboot, or reformat the machine until instructed to do so by the IT Security Office.
    • Do not continue to use the machine or make any changes (i.e. running anti-virus scans).
    • If a computer or other data management device has been lost or stolen, notify the FIU Police Department, the Miami-Dade County Police, or your local law enforcement agency, as appropriate.
    • Contact the IT Security Office.

Report a Privacy Breach or IT Security Incident

There are a number of ways to report privacy/information incidents at FIU and the options are provided below. If you wish to remain anonymous, you may do so by using the University’s Ethical Panther line.

Office of University Compliance and Integrity
E-mail: compliance@fiu.edu
Telephone: 305-348-2216
Mail: Office of University Compliance & Integrity
Modesto Maidique Campus, PC 520
11200 S.W. 8th Street
Miami, FL 33199

Cybersecurity Office
E-mail: security@fiu.edu
Telephone: (305) 348-3591 and (305) 348-1366
Mail: Cybersecurity Office
Modesto Maidique Campus, PC 531
11200 SW 8th Street
Miami, FL 33199

Responding to Privacy Breach/Information Incidents:

The Chief Compliance Officer and Chief Information Security Officer have the responsibility to investigate all privacy breaches and information incidents, respectively. In doing so, they rely on the assistance of the University Incident Response Team (“IRT”). The IRT shall consist of a core team of central administration with the ability to oversee the management of, or directly manage incidents, as may be required. This includes performing triage effectively, controlling all internal and external communications, reducing duplicative efforts, making a final decision on validating the breach and bringing in additional team members and external resources who may be engaged to support the entire process as needed.