Fordham’s Electronic Data Security Breach Notification and Response Policy
Actual or suspected security breaches involving confidential personal data must be reported immediately to the University Information Security Office (UISO) and the University Chief Information Security Officer. Once the nature and extent of the breach have been determined, the University will notify affected individuals as necessary. Violations of this policy may lead to disciplinary action.
The Office of the General Counsel is responsible for overseeing legal compliance in the case of a compromise of protected data.
Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change according to the appended procedure.
Reason(s) for the Policy
Confidential personal data compromised by a security breach may lead to identity theft and invasion of privacy for affected individuals. Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the University was acquired by someone without valid authorization or inadvertently disseminated.
This policy establishes measures that the University will take to prepare for and respond to security breach incidents, including the determination of the systems or applications affected, whether the data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.
Primary Legislation to Which This Policy Responds
This policy responds to all applicable federal and state statutes pertaining to security breaches of protected electronic data. These statutes include, but are not limited to, the New York State Information Security Breach and Notification Act, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).
What is the New York State Information Security Breach and Notification Act?
The New York State Information Security Breach and Notification Act, effective December 7, 2005, requires notification to any New York resident whose “private information” was, or is reasonably believed to have been, acquired by a person without valid “authorization”. The Act requires Fordham to notify:
• Affected individuals upon discovery of the breach of electronic protected information.
• Consumer reporting agencies if more than 5,000 New York residents are to be notified.
• The Attorney General’s office, the Consumer Protection Board and the New York State Office of Cyber Security & Critical Infrastructure Coordination, of the timing, content and distribution of the notices and approximate number of affected persons.
You can read more about the Act at http://www.oag.state.ny.us/bureaus/consumer_frauds/tips/id_theft_law.html or www.cscic.state.ny.us/security/securitybreach/index.cfm.
What is the Family Educational Rights and Privacy Act (FERPA)?
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects and safeguards the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Individuals cannot bring a case against the institution, but the Department of Education can enforce FERPA by depriving an institution of federal funding (including financial aid to students). You can read more about FERPA at www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of medical records for health care providers, health maintenance organizations and health records clearinghouses. A major goal of HIPAA is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and protect the public’s health and well-being. HIPAA establishes, for the first time, a foundation of federal protections for the privacy of protected health information. However, it does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices. You can read more about HIPAA at www.hhs.gov/ocr/hipaa/.
What is the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, is a comprehensive, federal law that governs a financial institution’s retention, use and disclosure of customer records and information. GLBA sets forth a financial institution’s privacy obligations to its customers and its duties concerning the safeguarding of customers’ personal information. The GLBA is composed of several parts, including the Privacy Rule (16 CFR § 313) and the Safeguards Rule (16 CFR § 314). The GLBA applies to the University because it processes student loans and provides other financial services. As such, the University falls within the definition of “financial institution” under the GLBA and must comply with the law’s requirements. “Financial Institution” means any institution which engages in financial activities. Examples of financial activities that are covered by GLBA include the following: student or other loans, including receiving application information, and the making and servicing of such loans, collection of delinquent loans, check cashing services, financial or investment advisory services, credit counseling services, travel agency services provided in connection with financial services, tax planning or tax preparation, obtaining information from a consumer report, career counseling services for those seeking employment in finance, accounting or auditing. Additional guidance regarding GLBA is available at: www.ftc.gov/privacy/privacyinitiatives/glbact.html.
Fordham University is committed to compliance with all applicable legal statutes pertaining to the breach of security of protected electronic data. Compliance includes all actions and notifications defined by the governing federal or state statutes as well as University policies associated with data security and privacy.
Responsible University Officer and Office
Legal Compliance Responsibility: Office of the General Counsel
Policy and Technical Support: University Information Security Office (UISO)
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control a University information technology resource. Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the University, guests, and visitors.
Who Should Know This Policy
This policy is to be distributed to all users who use University-owned systems and networks including, but not limited to, Senior Executive Officers, Deans, Vice Presidents, Data Stewards, Chairs, Directors, Senior Administrative Officers, Departmental Administrators, Instructional Staff, Researchers, and IT support staff.
It is the responsibility of all users to report promptly all suspected or confirmed breaches of protected electronic data to one of the contacts listed below in “Contacts.”
Compliance and University Response
The University has established a University Response Team to deal with electronic data breaches. The core University Response Team (URT) consists of representatives of the following units:
Fordham University Information Security Office
Office of Marketing and Communications
Office of Safety and Security
Student Affairs (Dean of Students for the campus)
The Chief Information Security Officer, his/her delegate, or other cognizant representative of the URT will convene the URT upon receiving a report of a possible breach. An individual will be appointed to manage the ensuing investigation.
The General Counsel is responsible for all legal issues associated with an actual or suspected compromise of protected data.
The Office of General Counsel will work with the Office of Safety and Security, which is responsible for all contacts with law enforcement and for the non-technical and possible criminal aspects of any investigation.
The Dean of Students or a designate appropriate to the school in which the student is enrolled is responsible for the adjudication of any student who may be responsible for violation of the University Code of Conduct relative to this policy (possible language).
The Office of Marketing and Communications is responsible for all internal and external communications and media relations after consultation with the URT’s members.
The University Response Team will establish detailed internal procedures for compliance, external and internal communications, and oversight of the investigation and technical support associated with a suspected or actual breach of protected electronic data.
The core URT will call on any necessary additional offices and resources required to carry out the investigation and remediation of any breach. This expanded URT will be responsible for the investigation of the incident and any technical support required. Incident team members will include representatives of affected data owners, any other units/offices/individuals responsible for the devices or data involved, and any associated information technology or investigative resources.
The following major units/offices/individuals will participate in the development of procedures for an investigation, in periodic reviews of these procedures and in regular training. Any area of responsibility that is not represented by the table below will be handled through the Office of General Counsel.
||Area of Responsibility
|Safety and Security
||Law enforcement/criminal investigation
|University Information Security
|Marketing and Communications
|University Information Security
|University Information Security
||Human resources data
|Development and University Relations
||University Health and Medical Data, Judicial Affairs information, counseling and mental health information
Breach--The actual or probable exposure of protected data to an unauthorized person by any means. This includes inadvertent disclosure of the data as well as the unauthorized action of a person authorized to access the data.
Device -- Devices include computers and any other equipment such as PDAs, handheld devices (Treos, Blackberry, Palm devices), copiers, printers, disk drives, diskettes, CDs, USB (“thumb”) drives, or other devices that store or display data.
Incident--A report of a possible breach and its follow-up investigation and remediation.
User--Any individual who accesses, uses, or controls a University electronic information resource. Users include, but are not limited to, staff, faculty, students, those working on behalf of the University, guests, and visitors.
Confidential/personal/sensitive protected data/information--Any information in or sourced from an electronic information system likely to result in identity theft such as name, addresses, University ID Number, Social Security Number, bank account information, driver's license number, credit or debit card numbers, etc.
To report a possible data breach: Fordham University Information Security Office Web:
Fordham IT Anonymous Incident Reporting Form
For legal issues: General Counsel Telephone: 718-817-3110
Cross References to Related Fordham and Other Governmental Policies
This policy was established in April, 2008.