UCSC PII Inventory and Security Breach Procedures

Originally UCSC Implementation Plan for Protection of Electronic Personally Identifiable Information, June 26, 2003

Updated January 2015


Law and University Policy

These procedures are intended to comply with the legislative requirements of California Civil Code Sections 1798.29 and 1798.82, the portions of the California Information Practices Act signed into law in September 2002, and effective July 1, 2003, and incident response requirements under Federal HIPAA legislation, the Payment Card Industry Data Security Standard, and UC Business & Finance Bulletin IS-3: Electronic Information Security [1]. These procedures also augment some of the responsibilities defined in IS-3.


UCSC Procedures

I. Scope and Applicability

These procedures relate to the management of "personally identifiable information" (PII), and to security breaches and suspected security breaches of PII, other types of electronic restricted data, and other “significant” or “high-visibility” incidents. They apply to all campus units as well as to those organizations and agencies, public and private, which conduct business or have other electronic information interactions with UCSC.

These procedures amend and supersede the UCSC Implementation Plan for Protection of Electronic Personally Identifiable Information, published June 26, 2003.

Note: If a suspected security breach potentially involves electronic protected health information (ePHI/HIPAA data), UC's HIPAA Breach Response Policy shall apply. The Campus HIPAA Privacy Official shall be the designated Privacy Official under this policy, and the response will follow requirements per the UC IS-3 Incident Response Standard.


II. Definitions

The following terms used in these procedures are defined in the online Glossary of Selected UCSC IT Policy-Related Terms.

Breach of Security 
Electronic Personally Identifiable Information (PII)
Electronic Protected Health Information
Encryption 
Payment Card Industry
Restricted Data
Service Provider
System
System Steward

Additional Definitions:

  • High-Visibility Incident: Incidents of high public concern or attention.
  • Significant Incident: Incidents that involve significant legal, regulatory, reputational, or financial risk to UC of which senior management should be aware.
  • Subject: The individual to whom electronic restricted data pertains.

III. Management and Protection of Electronic Restricted Data

All individuals are responsible for the appropriate protection of restricted data under their jurisdiction or control.

General practices for the protection and management of electronic restricted data are available on the ITS Security website. Online computer security awareness training is also available. Systems containing electronic PII and other restricted data are also subject to the broader requirements of IS-3 and other legal and institutional requirements for protection of this data [2].

If there is any question about the adequacy of current controls, a review by UCSC IT Security or UCSC Internal Audit staff should be requested.


IV. Personally Identifiable Information (PII) Inventory

A. IS-3 requires campuses to establish a process or processes to identify

  • where PII is used and stored,
  • the primary employee positions that have access to and use of the data,
  • the System Steward and Service Provider of the data, and
  • an acceptable level of security protection for the data (see Section III, above).

B. UCSC has adopted a three-tiered approach to establish and maintain this inventory:

1. Identify locations where PII is likely to be used and stored, including employee types or classes that have access to and use of the data, and the original source of the PII. These “likely locations” also suggest questions that can be asked to locate PII and help determine whether a breached system is likely to contain PII.

  • Likely locations are identified in conjunction with ITS Divisional Liaisons (DLs) and Applications and Project Management (APM). Common examples are available on ITS' PII Resources web page.
  • DLs and ITS Directors are responsible for assessing classes of systems under their purview that are likely to contain PII, and for assessing the likelihood that a compromised system may contain PII.

2. Identify authoritative source systems containing PII. For each system, identify the System Steward, Data Integrator, if applicable, and Service Provider.

  • The ITS Director of APM is responsible for developing and maintaining this inventory.

3. Establish triggers for checking systems for PII and removing it when possible.

  • Triggers are established in conjunction with ITS DLs and appropriate ITS Directors.
  • Established triggers include:
    • re-purposing/re-assigning a computer
    • transferring files from an old computer to a replacement computer
    • response to a potential security breach
    • DL/Local IT Specialist acquiring a new server to support or manage
    • new server going into the ITS Data Center
    • development or acquisition of a new application
    • equipment or media disposal
    • when an individual changes jobs and takes their files with them
  • Service Providers are responsible for performing system review according to these established triggers, as well as for reviewing results with the owner of the data.
  • Where PII is identified and must be retained, the Service Provider shall work with the IT Service Manager for Policy and Compliance to update the inventory in item 1 of this section, above.

V. Security Breach Procedure

A. Reporting Suspected Breaches

Any suspected security breach of electronic Personally Identifiable Information (PII) or other restricted data whose unauthorized access might cause serious loss of privacy and/or financial damage must be reported to the ITS Support Center or UCSC IT Security regardless of how the suspicion arose. The ITS Support Center will escalate reports to UCSC IT Security. UCSC IT Security, in partnership with the Service Provider, will confirm the security breach of unencrypted electronic PII or electronic restricted data. If no one is available to receive a report, individuals may contact ITS Security directly.  Individuals should also inform their supervisor or appropriate management of possible security breaches involving restricted data.

Any suspected theft of UCSC-related computing equipment should be reported to the UCSC Police Department.  The report should include whether the stolen equipment contains any restricted data, including PII. Local authorities should also be contacted for incidents occurring away from campus.

Service Providers, System Stewards, Unit/Departmental Managers, and Deans are also to report suspected incidents to affected Unit/Departmental Managers and System Stewards.

B. Incident Response Process

The incident response process is initiated with a suspected security breach of unencrypted electronic restricted data, or a significant or high-visibility incident, as the terms are defined in Section II, Definitions, of these Procedures. As soon as UCSC IT Security becomes aware that a suspected security breach involves a system containing electronic restricted data, directly involves electronic restricted data, or may be a significant or high-visibility incident, it will notify IS Policy (ispolicy@ucsc.edu) and the Vice Chancellor, Information Technology (VC IT). Upon receipt of this notification, the VC IT will send an alert to the Campus Incident Response Team (CIRT) and file an initial report of the suspected breach to the Associate Vice President for Information Resources and Communications at UCOP via the UC EthicsPoint reporting tool. If a suspected security breach potentially involves credit card data, the Campus Credit Card Coordinator must be included in the CIRT.

The System Steward or designee must complete the Initial Incident Report (Appendix A), and submit same to UCSC IT Security or IT Policy as soon as possible, but no later than 24 hours after becoming aware of the suspected breach. UCSC IT Security and IT Policy will coordinate to ensure Appendix A is completed and forwarded to the VC IT as the campus Designated Authority. The VC IT will forward the Initial Incident Report to the CIRT. The System Steward or designee may also file a police report with the UCSC Police Department if criminal activity is suspected.

UCSC IT Security and the Service Provider shall work together to disable unauthorized access to electronic restricted data where applicable and restore the service and integrity of the system with appropriate documentation and preservation of evidence. Decisions to disrupt services must be made in conjunction with the System Steward. UCSC IT Security and IT Policy are authorized to direct IT Security or other IT Service Providers to scan systems for PII in response to a security breach or compromise (see Sec. IV.B.3, above).

As soon as UCSC IT Security has conclusively determined whether restricted data may have been acquired by an unauthorized individual, they will send a second communication to IT Policy and the VC IT, informing them of the determination. If there is no possibility of unauthorized access, the VC IT will so inform the CIRT and UCOP and will forward closure reports (Appendix B for the CIRT, UC EthicsPoint reporting tool for UCOP) when applicable. If there is a possibility of unauthorized access, the VC IT will convene the CIRT to determine whether criteria for notification have been met. The CIRT will complete the CIRT Checklist (Appendix C) for all incidents for which they are convened.

Upon resolution of the breach, UCSC IT Security and IT Policy will coordinate to ensure completion of the CIRT Report (Appendix B) and submission of the report to the VC IT as the campus Designated Authority as soon as possible.

The VC IT or designee will submit a final incident report to the Associate Vice President for Information Resources and Communications at UCOP via the UC EthicsPoint reporting tool as soon as the incident is closed, or if any problem is encountered during the notification process (see below).

C. Notification Procedures

If unencrypted electronic PII is reasonably believed to have been acquired by an unauthorized person, state law requires notification to subjects.  The CIRT may also determine that notification is appropriate in situations involving other types of restricted data, or in the case of a significant or high-visibility incident. The CIRT must consult UC’s “Information Breach Decision Tree for California State Law” and/or “Information Breach Decision Checklist for HIPAA” (available from UC HIPAA Officers or Health Lawyers) as necessary.

Law enforcement must be consulted to ensure that notification will not impede a criminal investigation.

Notification must occur without unreasonable delay, except

  • when a law enforcement agency has determined that notification will impede a criminal investigation (in this case, notification must occur as soon as the law enforcement agency determines that it will not compromise the investigation) or
  • when necessary to discover the scope of the breach and restore the integrity of the system.

The CIRT Report (Appendix B) and the authorization from Law Enforcement initiate the notification procedures. 

The VC IT works with the System Steward or designee and Service Provider to determine the availability of contact information for notification.

The VC IT along with the CIRT determines the notification plan, including the means and text of notification, consistent with IS-3 Section III.D, Incident Response Planning and Notification Procedures. Sample language is included as Appendix D, below, and on UC’s Security Breach Notification website. The VC IT and the CIRT will determine if additional advice or assistance will be given to the affected subjects.

Upon approval of the notification plan by Campus Counsel, the VC IT works with the Public Information Office (PIO) to deliver the notification. The VC IT will work with the System Steward or designee and Service Provider as required for additional advice or assistance to affected subjects.

Where applicable, notification will typically inform affected subjects about free credit protection services, such as annual credit reports and credit fraud alerts from the three major credit bureaus (Equifax, Experian, TransUnion). Under certain circumstances, credit monitoring services may be offered to individuals who are notified that their personal information was involved in a security breach. The CIRT is responsible for this decision.

D. Release of Information

Requests for information regarding a security incident from University employees without a clearly defined business need to know, or from any individuals or entities outside the University, must be directed to the Chief Privacy Officer in the Office of Campus Counsel. The decision to release information based on these requests will be made on a case-by-case basis, consistent with the University’s obligations under the law and University policy. Information about any incident that is under police investigation will not be released until the case is closed.

Note: Written correspondence, such as email, created during the discovery or investigation phase of a security incident may be considered a public record subject to release under the California Public Records Act and/or the Information Practices Act. Therefore, information that is not appropriate for release based on the protection of privacy interests or security considerations, e.g. names of individuals or other identifying information or technical information that could enable another breach, should not be included in this correspondence. This is especially important to take into consideration where notification may be required.


VI. Responsibilities and Authority

The UCSC PII Inventory and Security Breach Procedures implement the regulations of the University of California, which prescribe compliance with existing state and federal laws. Additional authorities and specific areas of responsibility are as follows:

A. Vice Chancellor, Information Technology Services

The Vice Chancellor, Information Technology, has been designated by the Chancellor to act as the lead campus authority for this Implementation Plan and has the following responsibilities under these procedures:

  • Ensure that the campus incident response process is followed, including ensuring appropriate representation on the CIRT for each incident, and that representation does not include conflicts of interest.
  • Ensure that system-wide and campus notification procedures are followed.
  • Coordinate campus procedures with Campus Counsel and other members of the Campus Incident Response Team.
  • As required for breaches of unencrypted Restricted Data, provide initial and closing reports to University of California, Office of the President (UCOP).

B. System Steward

This is the individual with ultimate responsibility for a defined set of University electronic information. This person is responsible for determining the purpose, function, appropriate access to and use of, degree of sensitivity, criticality, and risk tolerance of a data set, and for communicating this information to Service Providers, Unit or Departmental Managers/Supervisors and Deans to enable appropriate implementation.

Each System Steward has the following additional responsibilities under these procedures:

  • Ensure that the procedures in this document are followed for all breaches of electronic restricted data under their jurisdiction.
  • Submit Initial Incident Reports to UCSC IT Security; this responsibility may be delegated.
  • Participate on the CIRT as requested by VC IT.
  • Participate in notification as requested by VC IT and the Campus Incident Response Team.

C. Service Provider

Service Providers are responsible for ensuring the appropriate technical protection of restricted data on systems under their control, including any downloading of such information or temporary storage on other systems, in partnership with a System Steward, as appropriate. Service Providers are also responsible for regular operational support, backup, and system maintenance of a system with electronic restricted data.

Each Service Provider has the following responsibilities under these procedures:

  • Ensure appropriate technical measures and checks are in place for protection of electronic restricted data under their control, including any downloading of such information.
  • Ensure that the procedures in this document are followed for all breaches of electronic restricted data, or of systems containing or accessing electronic restricted data, under their management.
  • Alert System Steward or designee and UCSC IT Security of possible security breaches.
  • Provide ongoing protection of electronic restricted data.
  • Work with UCSC IT Security to restore system integrity and provide information about the breach and scope.

For electronic PII, each Service Provider has the following additional responsibilities:

  • Ensure that the procedures in Section IV, Personally Identifiable Information (PII) Inventory, are followed, as appropriate to his or her title and job duties.
  • Participate on the CIRT as requested by VC IT.
  • Participate in notification as requested by VC IT and the Campus Incident Response Team.

D. UCSC IT Security

  • Confirm that a security breach of unencrypted electronic PII or electronic restricted data has taken place.
  • Consult with service providers and System Stewards, as appropriate, to resolve the security breach.
  • Work with System Stewards or their designees and the members of IT Policy to ensure timely, complete Initial Incident Report and CIRT Report (Appendices A and B).
  • Notify IT Policy and the VC IT as soon as Team members become aware that a suspected security breach involves a system containing electronic restricted data, or directly involves electronic restricted data, and again when a determination is made as to whether this data may have been accessed without authorization.

E. ITS Support Center

Escalate reports of potential security breaches involving restricted data to UCSC IT Security.

F. IT Policy

  • Work with UCSC IT Security to facilitate timely completion and submission of Initial Incident Report and CIRT Report (Appendices A and B) to VC IT.

G. Campus Incident Response Team

Campus units have responsibilities within these procedures as members of the Campus Incident Response Team (CIRT).  In partnership with the VC IT, and as required, the System Steward and/or Service Provider, they ensure the consistency of response and when required the completion of notification procedures.

VC IT as member of the CIRT:

  • Determine that the criteria for notification have been met.
  • Develop notification plan.
  • Perform notification and respond to inquiries from affected subjects.

Campus Information Security Officer:

  • Serve as CIRT coordinator for breaches of electronic information

UCSC Police Department (Law Enforcement):

  • Advise if criteria for notification have been met.
  • Authorize that proceeding with notification will not impede a criminal investigation.
  • Advise and review means and text of notification.

Campus Counsel:

  • Advise if criteria for notification have been met.
  • Advise, review and approve means and text of notification.
  • Provide other legal advice as requested or required.

Public Information Office (PIO):

  • Advise if criteria for notification have been met.

Internal Audit:

  • Validate and/or substantiate the methods and conclusions for determining if criteria for notification have been met; provide related advice as appropriate.
  • Advise and review means and text of notification.

Risk Services:

Chief Privacy Officer:

  • Advise if criteria for notification have been met.
  • Identify if breach resulted in violations of additional elements of the California Information Practices Act or other laws or regulations governing the management of information.

Campus Registrar:

  • Participate on the CIRT for incidents potentially involving student data.
  • Ensure compliance with applicable FERPA requirements.

Campus Credit Card Coordinator: 

  • Participate on the CIRT for incidents potentially involving credit card data.
  • Ensure compliance with applicable payment brand incident response procedures. [3]

H. Human Resources – Staff or Academic, as appropriate 

Advise in the event that personnel or disciplinary action is deemed necessary in response to a security breach or violation.


VII. Contact Information and Getting Help

Contact Information for Security Breach Procedures:

Internal Audit

(831) 459-3205, internal.audit@ucsc.edu

IS Policy

ispolicy@ucsc.edu

ITS Divisional Liaisons

http://its.ucsc.edu/get-help/dls

ITS Support Center

help@ucsc.edu, slughub.ucsc.edu, or (831) 459-HELP

ITS Service Manager for Policy and Compliance

ispolicy@ucsc.edu, (831) 459-2779

UCSC IT Security

security@ucsc.edu
Reporting security incidents

UCSC Police Department

(831) 459-2231, http://police.ucsc.edu

Getting Help:

  • For help with technical or other questions about this Implementation Plan and related procedures, or training and assistance to campus units on topics associated with systems security and appropriate systems controls, contact the ITS Support Center or your ITS Divisional Liaison (see above).
  • For help with compliance controls and procedures, contact Internal Audit (see above).


VIII. Related Policies/References for More Information

Federal Statutes

State of California Statutes

University of California

University of California, Santa Cruz

Industry Partners


IX. Appendices


[1] See References for all listed laws and policies.

[2] See Practices for Protecting Electronic P3-P4 Data for information and tools.

[3] See References for links to payment card brand incident response procedures.

---

Rev Jan 2015