Reporting Privacy & IT Security Incidents
What should you do if you become aware of a privacy or IT security incident?
Any incident which involves the unauthorized disclosure, acquisition, or breach of information - whether on paper, electronically, or verbally - which the University is obligated to maintain private and confidential, e.g., social security numbers, student education records and patient identifiable health information, must be reported to the University Privacy Officer immediately. Please note that the University Privacy Officer oversees HIPAA Privacy and Compliance.
Any incident which involves the unauthorized disclosure, acquisition or breach of the University's data, maintained in an electronic form or medium, is considered an IT Security Incident which must be reported immediately to the University IT Security Officer. Please note that the IT Security Officer is the University HIPAA Security Officer.
Should I do anything before I report the privacy or IT security incident?
Yes, if you can, before you report it, you should take steps to correct the situation and minimize the risk of additional loss of private and confidential information. For example:
- If the privacy breach is that medical records were inadvertently left behind in a conference room, pick them up and take them to a secure location so that no one else can view them or remove them from the room.
- If the breach involves a computer system containing private data:
  - Disconnect the computer from the network (i.e., pull the network cable from the computer, disable wireless access).
  - Do not power off, reboot, or reformat the machine until instructed to do so by the IT Security Office.
  - Do not continue to use the machine or make any changes (e.g., running anti-virus scans).
- If a computer or other data management device has been lost or stolen, notify the University's Public Safety Department, the Miami-Dade County Police, or your local law enforcement agency, as appropriate.
- Contact the IT Security Office immediately.
Report a Privacy Breach or IT Security Incident
There are a number of ways to report privacy/IT security incidents at Florida International University and the options are provided below. If you wish to remain anonymous, you may do so by using the University's Ethical Panther line.
Reporting Privacy Incidents
You may report by:
- Completing the on-line form: Privacy Incident Report Form
- Telephone: (305) 348-2216
- E-mail: firstname.lastname@example.org
- Mail: Office of University Compliance & Integrity
  Modesto Maidique Campus, PC 520
  11200 S.W. 8th Street
  Miami, FL 33199
Reporting IT Security Incidents
You may report by:
- Telephone: (305) 348-1366
- E-mail: email@example.com
If you are a Network or Systems Administrator at a College, School or Center, you must immediately notify the IT Security Officer of any computing incidents which clearly compromise system or network integrity including, without limitation:
- Notification by outside institutions or individuals of any incident
- Data loss or theft
- Inappropriate systems or information access or use
- Any other breach or violation of IT policies of which you become aware
As a Network/Systems Administrator, you must be familiar with the Responsibilities for FIU Network and/or Systems Administrators Policy (Policy No. 1919.005), available at: http://policies.fiu.edu/record_profile.php?id=589&s=Network
Ethical Panther line:
If you wish to remain anonymous and still report a privacy/security incident, you may always do so via the University's Ethical Panther line offered through Convercent.
You may reach Convercent (24 hours a day, 365 days a year) by:
- Telephone: 1-844-312-5358
- Internet: http://www.convercent.com/report/
- FIU Ethics and Compliance Web site: http://compliance.fiu.edu/hotline.html
Responding to Privacy / IT Security Incidents:
The University Compliance Officer and IT Security Officer have the responsibility to investigate all privacy and IT security incidents, respectively. In doing so, they rely on the assistance of the University division/department heads who oversee the area(s) wherein the specific incident originated. In addition, the University division/department is responsible for all necessary mitigation and costs associated with notification of impacted individuals in accordance with applicable laws. FIU Network and System Administrators, when requested, are expected to cooperate fully with the IT Security Office in any investigation.