5260 Security Breach Notification
Original Date: 5/17/2006 * Last Revision Effective: 5/7/2015
Policy Contact: Vice President, Information Technology Services
The state of Washington requires that agencies who own or license computerized data which includes certain unencrypted personal information disclose any breach in the security of that data under certain circumstances (RCW 42.56.590). This policy is intended to ensure that all Bellevue College personnel are aware of the college’s responsibilities under the law.
This policy governs the actions of any Bellevue College school official (defined below) who discovers or is notified of a breach or possible breach of the security of unencrypted personal information collected and retained by Bellevue College as computerized data. This breach can be the result of a compromise of a Bellevue College computing system or network, the loss or theft of any physical device in which personal information is stored, or the loss or theft of any storage medium upon which personal information is maintained.
This policy is intended to complement, not to supplant, Bellevue College policy #2600: Family Education Rights and Privacy Act: Disclosure of Student Information.
Bellevue College maintains computerized data on various college systems which includes personal information. If the security of any Bellevue College system storing or processing computerized data that includes unencrypted personal information is compromised, the owner or licensee of that information must be notified by the college of the breach of the system if the information was, or is reasonably believed to have been, acquired by an unauthorized person.
This disclosure shall be made as expediently as possible following discovery or notification of the breach—without unreasonable delay and consistent with any measures taken to determine the scope of the breach and restore the integrity of the affected data system. This notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. In that case, the notification may be made after the law enforcement agency determines that such notification doesn’t compromise an ongoing investigation.
Good faith acquisition of personal information by a Bellevue College school official with a legitimate educational interest in the data or information is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.
Bellevue College is not required to disclose a technical breach of system security which does not seem reasonably likely to subject the owners of personal information stored on those systems to a risk of criminal activity.
All school officials have a duty to comply with and to understand their responsibilities as expressed in this policy. Certain Bellevue College administrative units also have additional responsibility for maintenance and for execution of this policy. These additional responsibilities include:
- Information Technology Services (ITS)
Primary responsibility for maintenance and administration of this policy rests with the vice president of information technology services or designee. ITS is responsible for drafting any updates and changes to the policy and procedures, with input from the technology advisory committee and the human resources office. After appropriate campus review and final approval by the college president, ITS will publish the new or revised policy to the campus, providing a brief description of the policy and its implications for employees and other affected individuals or groups.
- Technology Advisory Committee (TAC) The technology advisory committee (TAC) is responsible for reviewing Bellevue College technology strategies and serving as a conduit for dialogue between ITS and the campus regarding all technology policies and procedures. Membership is representative of the campus, and supports the vice president of information technology services by advocating for and presenting campus technology needs.
- Human Resources (HR)
The vice president of human resources is responsible for reviewing any updates or changes to this policy and for providing input on the policy and its implications for employees and other affected individuals or groups.
Breach of the Security of the System
- Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by Bellevue College.
- Defined by statute as an individual’s first name or first initial, and last name in combination with any one or more of the following data elements:
- Social security number;
- Driver’s license number or Washington identification card number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- Bellevue College policy #2600: Family Education Rights and Privacy Act: Disclosure of Student Information defines a school official as:
- A person employed by the college in an administrative, supervisory, academic or research, or support staff position.
- A person appointed to the board of trustees.
- A person assigned, employed by or under contract to the college to perform a special task, such as an attorney or auditor.
- A person who is employed by public safety.
- A student serving on an official committee, such as a disciplinary or grievance committee, or who is assisting another school official in performing his or her tasks.
Legitimate Educational Interest
- Bellevue College policy #2600: Family Education Rights and Privacy Act: Disclosure of Student Information defines a school official who has a legitimate educational interest as one who is:
- Performing a task that is specified in his or her position description or contract agreement.
- Performing a task related to a student’s education.
- Performing a task related to the discipline of a student.
- Providing a service or benefit relating to the student or student’s family, such as health education, counseling, advising, student employment, financial aid, or other student service related assistance.
- Maintaining the safety and security of the campus.
Relevant Laws and Other Resources
- Bellevue College Policy #2600: Family Education Rights and Privacy Act: Disclosure of Student Information
- U.S. Code 15, Sec. 7001: General Rule of Validity
- RCW 42.56.590
- Bellevue College IT Security Standard: Intrusion Detection and Incident Response
- Bellevue College Procedure #5260P Security Breach Notification
Revised 5/21/2009; 9/13/2012; 5/7/2015