Any incident which involves the unauthorized disclosure, acquisition or breach of the University’s data, maintained in an electronic form or medium, is considered an information incident which must be reported immediately to the Chief Compliance Officer and/or the Chief Information Security Officer. It is important to remember that not all incidents are privacy breaches.
Any incident which involves the unauthorized disclosure, acquisition, or breach of information – whether on paper, electronically, or verbally – which the University is obligated to maintain private and confidential, e.g., social security numbers, student education records and patient identifiable health information, is considered a privacy breach and must be reported to the Chief Compliance Officer and/or the Chief Information Security Officer.
Personal information about an individual that the individual can reasonably expect will not be made available to the public. This type of information includes personally identifiable information (a category of private information regulated by federal and state laws), as well as other non-public private information that would adversely impact an individual if inappropriately used or disclosed.
The Chief Compliance Officer works in close collaboration with the Chief Information Security Officer in assessing the viability and strength of the administrative, physical and technical safeguards in place to secure personally identifiable information in all formats: on paper, electronically, and verbally.
Should I do anything before I report the privacy and/or information incident within 24 hours?
Yes, if you can, before you report it, you should:
- Verify that an Incident occurred.
- Determine whether the Incident involved private information.
- Consider what immediate steps should be taken to mitigate harm (e.g. remote wipe a lost or stolen device, or contact a recipient to arrange for destruction of material sent in error).
- Take the lead, and direct others to gather and preserve FIU information and records needed for General Counsel to make a final breach determination.
For example,
- If the privacy breach is that medical records were inadvertently left behind in a conference room, pick them up and take them to a secure location so that no one else can view them or remove them from the room.
- If the breach involves a computer system containing private data:
  - Disconnect the computer from the network (i.e. pull the network cable from the computer, disable wireless access).
  - Do not power off, reboot, or reformat the machine until instructed to do so by the IT Security Office.
  - Do not continue to use the machine or make any changes (i.e. running anti-virus scans).
- If a computer or other data management device has been lost or stolen, notify the FIU Police Department, the Miami-Dade County Police, or your local law enforcement agency, as appropriate.
- Contact the IT Security Office.