OIT Breach of Private Information Procedure rev02042019

Office of Information Technology

SOP No: OIT-SEC-PROC-002-01

SOP Name:
Breach of Private Information Procedure

Updated: February 4, 2019

Issued By: Office of Information Technology

Process Owner: Information Security

1.0     Purpose
The purpose of this document is to ensure that the CUNY Breach of Private Information Procedure is adhered to and that all known requirements specific to The City College of New York, including but not limited to the CUNY School of Medicine, that are not specified in the CUNY Procedure are met.

2.0     Scope
This procedure covers The City College of New York, including but not limited to the CUNY School of Medicine.

3.0     Procedure
When a possible privacy breach has occurred, immediate action should be taken. The following procedure will assist in controlling the situation and ensuring that, if a breach of private, non-public information occurs, steps will be taken to minimize the risk of a similar breach happening again. This procedure will also ensure that notification is performed in accordance with current requirements and legal obligations.

Step 1) Confirm and Contain
Confirm the validity of the suspected information breach. If the breach can be reasonably ascertained, containment should occur immediately. Containment includes, but is not limited to, disconnection of the host (e.g., server or other device) from the network or shutting down an application. Care should be taken not to destroy data, but to preserve it without any form of network connection. Reconnection of the device to the network is not allowed until such time as remedial steps have been completed and reconnection is specifically approved by the Chief Information Officer or the University Chief Information Security Officer.

Step 2) Report
The following individuals are required to be informed as soon as possible:

  1. The City College of New York President.
  2. The City College of New York Executive Counsel to the President, and the CUNY Office of General Counsel.
  3. The City College of New York Chief Information Officer.
  4. University Chief Information Officer.
  5. University Chief Information Security Officer.
  6. The City College of New York or CUNY School of Medicine division head from which the information was breached.
  7. The City College of New York or CUNY School of Medicine department head from which the information was breached.
  8. The grant-funded program, whenever required by contract, grant, or award. Note: The Principal Investigator (PI) must inform the Office of Information Technology, in writing, when this is a requirement of a grant.

The report should indicate whose personal information was disclosed, to whom it was disclosed, when it was disclosed, how it was disclosed/accessed, and what steps have been taken in response to the disclosure.

Step 3a) Retrieve
Any documents or contents of electronic documents that have been disclosed to, or taken by, an unauthorized recipient should immediately be retrieved and/or secured, or taken offline. This applies to documents in any form, including electronic documents and paper documents such as facsimiles or printed e-mail messages. Documents, in any form, should not be destroyed until specific instruction is received. This may require personal attention to secure the documents and return them to their original location, remove them permanently from electronic storage, or send them to the intended authorized recipient.

Step 3b) Remove
Private information taken offline (Step 1 and Step 3a) may still be accessible and discoverable on the Internet via Internet Search engines (e.g., Google).
The usual time period for information to drop out of search engine results through routine web crawling is too long (e.g., weeks), so removal requests must be made directly to the search engine companies to have the information purged from their indexes and caches. These requests must be made as quickly as possible.
Support request procedures for the major search engines are available as links at security.cuny.edu under Security Resources. This step will be coordinated with the University Chief Information Security Officer.

Step 4) Notify
In cases where the breach results in the disclosure of personal information, New York law may require that the University notify the individuals affected.
Determination of the reporting requirements will be made by the CUNY Office of the General Counsel in consultation with The City College of New York’s Executive Counsel to the President on a case-by-case basis. All notification letters must be reviewed by the CUNY Office of the General Counsel prior to being sent. Notification letters should include the information sheet from the Federal Trade Commission entitled, "What to do if your personal information has been compromised."

Step 5) Investigate
The City College of New York’s Executive Counsel to the President, the Vice President/Dean for the affected area, The City College of New York CIO, the University Chief Information Officer, and the University Chief Information Security Officer will investigate the details of any breach, for the purpose of determining and recording all the relevant facts concerning the breach and making recommendations. The objectives of this investigation should include a review of the circumstances surrounding the event, as well as the adequacy of existing policies and procedures in protecting personal private information.

Step 6) Management Review
The City College of New York’s Executive Counsel to the President, with the Vice President/Dean of the affected area, will document and report the details of the breach of privacy and the remedial steps taken to the President of the City College of New York. The CUNY Office of the General Counsel, in collaboration with the University Chief Information Officer, will report on recommendations and actions to the appropriate parties within the Chancellor’s office.
Additional incident reporting will occur by the University Chief Information Security Officer to comply with internal incident reporting policies.

4.0 Conclusion
A breach of private information is a serious matter. The City College of New York and CUNY School of Medicine staff and faculty must make every reasonable effort to prevent breaches from occurring. If one does occur, staff and faculty must ensure that this procedure is followed.

5.0 Reference and Related Documents
CUNY Breach of Private Information Procedure - http://www2.cuny.edu/wp-content/uploads/sites/4/page-assets/about/administration/offices/cis/information-security/security-policies-procedures/BreachReportingProcedureV07182006.pdf