Data Breach Response Procedures

Purpose

For LEADx, any breach of private information has the potential to result in losses to the company and its customers. Security incidents can arise in many contexts involving paper documents and electronically stored or transmitted information, such as theft, misuse of data, and computer- or technology-based violations. They may result in disclosure of personal information, diminished intellectual property, a tarnished reputation in the community, loss of trust among company employees, reduction of economic resources and funding opportunities, the loss of employees’ time in responding and reacting to the breaches, and legal sanctions. Because of these potential harms, LEADx places a high priority on the security of its information. LEADx intends to investigate and respond appropriately to each information breach, according to the level of potential consequential harm and the legal obligations related to each particular situation.

All individuals and management centers within the LEADx community are responsible for reporting information breaches and upholding company privacy policies and practices.

This document defines and describes the communication and response procedures in the event of a data breach. The overarching consideration is that all regulatory requirements and institutional policies be met.

Roles and Responsibilities in Responding to Information Breaches

Privacy Office (PO)/Compliance Office

Responsible for developing and maintaining the system-wide incident response process for data breaches. Acts as the central and first point of contact in the event of a data breach. Responsible for notifying individuals affected by privacy-related breaches.

Information Technology Services Security

Responsible for conducting computer diagnostic support in computer- or technology-based breaches, providing expertise and advice regarding data security, and suggesting remedies to prevent future breach occurrences.

Office of General Counsel

Responsible for providing legal advice during the investigation, including guidance on providing notifications as required by law (e.g. HIPAA, state law, etc.).

Marketing & Communications

Responsible for providing the Privacy Office (PO) with communication strategies with regard to affected parties and internal stakeholders. Also responsible for communicating with the media after consultation with the PO and campus constituencies.

Other offices as necessary, such as the offices of the President, Provost, Vice President for Student Affairs, and/or leaders of affected offices.

Procedures [Flow of responsive actions]

  1. LEADx personnel discover a possible breach of private information.
  2. The alleged breach is reported immediately to the PO. To report a breach, personnel should contact Kevin Kruse at kevin@leadx.org.
  3. PO investigates the alleged breach event as quickly as possible.
  4. If PO determines no actual breach of private information was made, the PO documents this determination, and the process ends.
  5. If the PO determines there was a breach of private information, the PO works with the affected office or department to contain the breach and assesses the extent and impact of the event. The PO may also bring in other offices.
  6. After containing the breach, the PO confers with the Office of General Counsel (OGC) to determine whether specific legal protections relate to the breached information and identify the relevant reporting obligations. PO and OGC will work together to identify all laws that may impact LEADx’s response, including but not limited to the following: Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Ohio state law, other federal laws such as the Federal Trade Commission Act and Gramm-Leach-Bliley Act, plus any relevant contractual obligations. PO and OGC may consult other internal LEADx offices as necessary.
  7. PO drafts standard notification letters to individuals affected by the breach and sends letters per applicable legal requirements.
  8. In addition to legally required notifications, the PO identifies whether other actions are required to remedy the effects of the breach (e.g. identity theft protection, notification to third parties, etc.). The PO also identifies other institutional process deficiencies that must be addressed. If so, the PO works with affected groups to ensure their work processes are modified to avoid similar breaches in the future. The PO also notifies Human Resources of any employment policy violations so that appropriate corrective action may be taken.
  9. A breach incident is closed when PO drafts a Breach Report, an internal record that shall be considered a confidential company document. The PO shall share the breach report, at its discretion, with parties that were involved in the incident, as well as appropriate company leadership. The breach report shall include at least all of the following items, to the extent the information is available:
    • Date and time the breach was detected
    • Physical location, system, and company services involved in breach
    • Department or office responsible for the system or service
    • Type and scope of data that was compromised
    • A brief overview of the vulnerability that contributed to the breach
    • Potential impact to individuals and/or campus operations and resources
    • Summary of response activities
  10. PO collects each Breach Report and may use the report to fulfill legal reporting obligations to appropriate federal agencies. Additionally, appropriate company offices shall maintain records for purposes of compliance with privacy-related laws.

Date Last Revised: 5/1/2020
Date Established: 5/1/2020
Revision History: