UCLA Policy 420:

Notification of Breaches of Computerized Personal Information

Issuing Officer:

Associate Vice Chancellor, Information Technology

Responsible Dept:

Office of Information Technology

Effective Date:

February 27, 2008

Supersedes:

UCLA Policy 420, dated 10/11/2007


I. REFERENCES

  1. UC Business & Finance Bulletin IS-3, Electronic Information Security;

  2. California Civil Code, Information Practices Act of 1977;

  3. Administrative Responsibilities Handbook (PDF) (UCLA, A Reference Guide for Academic and Non-Academic Administrators), Winter 2003;

  4. Protection of Personal Information, Technology Web site;

  5. Determining Notification in the Event of a Security Breach, UCOP Information Resources and Communications, February 6, 2008.

II. BACKGROUND AND PURPOSE

Provisions of the California Information Practices Act require any state agency, including the University of California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the System following discovery of such breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person (California Civil Code, §§ 1798.29 and 1798.82). This requirement is contained in UC Business & Finance Bulletin IS-3 (Electronic Information Security).

Effective Jan 1, 2008, the State statute definition of “personal information” has been expanded to include personal medical information and health insurance information. IS-3 was modified in December 2007 to address this change in the legal requirement. Medical information means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. Health insurance information means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records.

This Policy describes UCLA procedures to implement IS-3 Section III.D.2, Notification in Instances of Security Breaches Involving Electronic Personal Information:

  • The campus officials responsible for responding to a Suspected Security Breach;

  • The campus officials responsible for determining if an actual Security Breach has occurred;

  • The campus officials responsible for initiating and implementing notification if a Security Breach has occurred, as described above; and

  • The responsibilities of Deans, Vice Provosts, Vice Chancellors, and other officials for ensuring compliance with this policy in their respective units.

UCLA intends to notify all affected individuals regardless of their place of residency.

This policy applies to Personal Information data in electronic form and not to hard copies of same.

III. DEFINITIONS

Personal Information, as used in this policy, means an individual’s first name or first initial, and last name, in combination with any one or more of the following: (1) social security number, (2) driver’s license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, (4) medical information, and (5) health insurance information.

Security Breach means when unencrypted Personal Information of an individual is reasonably believed to have been acquired by an unauthorized person. Acquisition of Personal Information by a University employee or agent for bona fide University business purposes does not constitute a Security Breach, provided that the Personal Information is not used or subject to further unauthorized disclosure.

Security Breach Coordinator, for purposes of this Policy, is the individual or functional position to whom suspected Security Breaches are reported and with overall responsibility for ensuring compliance with this Policy, by his/her respective school, division or unit.

Suspected Security Breach means when a System containing Personal Information is, among other possibilities, lost or stolen, accessed in unauthorized fashion or infected by a virus or worm, but it is not yet known whether the Personal Information has been compromised to meet the level of a Security Breach.

System, for purposes of this policy, is any computer or computing device, including, but not limited to, desktops, laptops, PDAs, and removable media such as CDs, USB flash drives, or iPods used as storage devices.

IV. STATEMENT

Each campus must follow the systemwide procedures set forth in Business & Finance Bulletin IS-3 to provide notification of a Security Breach, and develop an implementation plan for such notification, including the designation of a lead campus authority and establishing an incident response process to determine whether a Security Breach has occurred.

A. Responsibilities and Duties

1. Deans, Vice Provosts, Vice Chancellors and Other Officials

The following campus officials are responsible for the security of data files containing Personal Information in their respective areas:

      Deans
      Vice Provosts
      Vice Chancellors
      University Librarian
      Associate Vice Chancellor, Community Partnerships
      Associate Vice Chancellor, Information Technology (IT)
      Assistant Provost, Academic Program Development
      Executive Director, ASUCLA

Accordingly, these officials must establish processes to identify:

  • Where Personal Information is used and stored in the school, division or unit;

  • The primary employee positions in the school, division or unit that have access to and use such data;

  • The proprietor and/or custodian of such data, if the data is local to the school, division or unit;

  • A technically acceptable level of security protection for such data.

These responsibilities may be delegated to others as appropriate; however, ultimate accountability for the security and whereabouts of electronic records containing Personal Information rests with the officials noted above for their respective areas of responsibility. Any financial liability to the University resulting from failure by a unit to comply with this Policy shall be assigned to the unit where the Security Breach occurred.

Each of the officials noted above must designate a Security Breach Coordinator and ensure that that individual reads this Policy and understands his/her responsibilities under it. Changes to a designated Security Breach Coordinator must be approved by the appropriate official and communicated to the Director, IT Security.

All of the officials noted above shall be responsible for any costs associated with notification of a Security Breach in their respective areas.

2. Security Breach Coordinators

Security Breach Coordinators are responsible for:

  • Ensuring that all Suspected Security Breaches within their respective school, division or unit are investigated and reported to the Associate Vice Chancellor, IT.

  • Acting as liaison between their respective school, division or unit and the Director, IT Security to facilitate investigation of such Suspected Security Breaches.

  • Making arrangements for implementing notification requirements, including the actual distribution of notification letters or emails and the setting up of a hotline for inquiries if appropriate.

The Security Breach Coordinator is a role assumed by the IT Compliance Coordinator in each unit (see Attachment A). Other related duties and responsibilities may be assigned to a Security Breach Coordinator as deemed necessary.

3. Associate Vice Chancellor, Information Technology (IT)

The Associate Vice Chancellor, IT is the designated lead campus authority, in accordance with the implementing guidelines of IS-3, and is responsible for:

  • Reporting all Security Breach incidents, in writing, to the Associate Vice President for Information Resources and Communications, UC Office of the President (UCOP), and their ultimate resolution (see section IV.C below).

  • Reporting all Security Breach incidents that involve medical or health insurance information as described in section II., above, in writing, to the Executive Director, Medical Services, UCOP, and to the appropriate UCLA HIPAA Privacy Officer.

  • Making a final determination as to whether the Suspected Security Breach is an actual Security Breach, based on the recommendation from the Director, IT Security, as noted in section IV.B and IV.C below.

  • Reporting, as appropriate, Suspected Security Breaches to UCOP where a decision has been made not to notify.

4. Director, Information Technology (IT) Security

The Associate Vice Chancellor, IT delegates the following responsibilities to the Director, IT Security:

  • Ensuring that the campus Security Breach incident response process is followed (see IV.C below);

  • Ensuring that systemwide and, if applicable, campus notification procedures are followed; and

  • Coordinating with appropriate Campus Officials, as noted in IV.C. below, to analyze and recommend, in writing, to the Associate Vice Chancellor, IT, whether a Suspected Security Breach is an actual Security Breach requiring notification.

B. Notification Requirements

In the event of a Security Breach, UCLA must provide notification of the breach to those individuals whose unencrypted Personal Information is reasonably believed to have been acquired by an unauthorized person. Notification must occur without unreasonable delay, except:

  • When the UCLA Police or other law enforcement agency has determined that notification will impede a criminal investigation (in this case, notification must occur as soon as the UCLA Police or other law enforcement agency determines that it will not compromise the investigation), or

  • In order to discover the scope of the Security Breach and restore the integrity of the System.

If sufficient contact information is not available for direct hard copy or email notice, a substitute method of notice that complies with the requirements of UC Business and Finance Bulletin IS-3 shall be used.

C. Security Breach Incident Response Process

Any instance of a Suspected Security Breach must be reported immediately to the appropriate Security Breach Coordinator, who will initiate the incident response process described below.

1. Initial Reporting and Analysis

RESPONSIBILITY / ACTION

Security Breach Coordinator:
  • When notified of a Suspected Security Breach, ensures that appropriate action is expeditiously taken to secure the affected System.
  • Immediately notifies the Associate Vice Chancellor, IT.
  • Files a report with the UCLA Police if criminal activity is suspected to be responsible for the Security Breach.

Associate Vice Chancellor, IT:
  • Notifies UCOP in writing, and others as appropriate (Section IV.A.3).
  • Notifies the Director, IT Security.

Director, IT Security, in conjunction with the Security Breach Coordinator:
  • Works with appropriate technical staff to complete technical analysis of the affected System.
  • Works with Campus Counsel and/or UCLA Police as appropriate to recommend to the Associate Vice Chancellor, IT, as to whether this is an actual Security Breach or not. Notifies Audit & Advisory Services of any potential breach. The analysis leading to the recommendation shall be documented in writing.

Associate Vice Chancellor, IT:
  • Based on the recommendation from the Director, IT Security, makes a final determination as to whether this is a Security Breach or not.

2. Security Breach Notification

If a Security Breach has occurred, the following steps should be taken:

RESPONSIBILITY / ACTION

Security Breach Coordinator, in accordance with section IV.B. above and in conjunction with the Director, IT Security, works with the Assistant Vice Chancellor, University Communications and Campus Counsel to:
  • Develop an appropriate notification letter.
  • Determine a substitute method of notice if sufficient contact information is not available for direct hard copy or email notice.

Associate Vice Chancellor, IT:
  • In consultation with the Assistant Vice Chancellor, University Communications and the appropriate campus official noted in IV.A.1, above, whose department or unit experienced the Security Breach, determines the most appropriate campus official to sign the notification letter.

Security Breach Coordinator:
  • Arranges for the logistics to implement notification (Section IV.B).

The Associate Vice Chancellor, IT will notify UCOP of the final disposition of the Security Breach incident, including a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.

VII. ATTACHMENTS

A. List of Campus IT Compliance Coordinators (as of April 2008)

B. Data Security Guidelines


Issuing Officer
/s/ James Davis
____________________________________________
Associate Vice Chancellor, Information Technology



Questions concerning this policy or procedure should be referred to
the Responsible Department listed at the top of this document.

