5260P Security Breach Notification (Procedures)

Original Date: 5/17/2006 * Last Revision Effective: 5/7/2015
Policy Contact: Vice President, Information Technology Services

Purpose

The following procedures are established to meet the requirements for implementing policy #5260 – Security Breach Notification.

Procedures

Any school official who discovers or is notified of a breach of the security of any Bellevue College technology system will report it. The initial report of a potential security breach involving computerized data will likely be made in one of three ways:

  • A report to the Bellevue College public safety office of the theft of a computing or storage device.
    • If the presenting incident is a theft, the public safety office will:
      • follow their normal procedures regarding theft of state property;
      • report it to law enforcement, and act as liaison with any law enforcement agency involved in the situation;
      • notify computing services of the incident, through the help desk; and
      • notify the IT security administrator (or designee) of the incident.
  • A report to computing services of the theft of a computing or storage device.
    • If the presenting incident is a theft, computing services will:
      • advise the reporting school official to notify the public safety office, facilitating communications however possible. If appropriate, help desk personnel will notify public safety directly;
      • follow normal computing services inventory procedures regarding loss or theft of technology;
      • notify the IT security administrator (or designee) of the incident;
  • The discovery of a breach of security of a computer or the Bellevue College network by technical support staff.
    • If the presenting incident is discovery of a network breach, technical support personnel will:
      • begin network and computer technical investigations following the guidelines articulated in the Bellevue College IT security standard addressing intrusion detection and incident response. This will continue until the security and technical aspects of the situation are resolved.
      • notify computing services of the incident, through the help desk; and
      • notify the IT security administrator (or designee) of the incident.
    • In some circumstances, it may be appropriate to report a breach of the security of the network or Bellevue College computers to law enforcement, as well.
      • The IT security administrator (or designee) and the director of public safety (or designee) will consult regarding the nature and scope of the security breach and to determine whether law enforcement needs to be notified.
      • The IT security administrator (or designee) will notify the vice president of information technology services (or designee) regarding the incident and will have responsibility for guiding the initial investigation by ITS technical representatives into the situation and determining the nature of any unencrypted data which may have been compromised.

Incident Response Team

If it is determined that a breach may have compromised the security, confidentiality, or integrity of Bellevue College-managed personal information, the vice president of information technology services (or designee) will initiate a meeting as soon as possible of the college’s Incident Response Team, consisting of the following or their designees:

  • Vice president of information technology services (chair)
  • Director of public safety
  • Vice president of institutional advancement
  • Associate dean of enrollment services (if student data may be involved)
  • Vice president of human resources (if staff data may be involved)
  • Bellevue College risk manager
  • IT security administrator
  • Technical representatives from computing services and/or student information technology services may be added, as needed for consultation and response.

The vice president of information technology services will notify the president of the college that the incident response team has been activated and will provide updates regarding actions taken, as appropriate. The assistant attorney general assigned to Bellevue College should also be notified of the situation.

Institutional Response

The incident response team will:

  • Assign from the team membership a scribe responsible for maintaining notes, minutes and a final written report to the college president regarding the incident, its resolution and the institutional response.
  • Gather information regarding the situation and the type and nature of the unencrypted data that has potentially been compromised.
  • Determine if a legal responsibility exists to notify individuals that their personal information has or may have been disclosed.
  • Determine who is affected by the breach and should be notified.
  • Determine which of the methods of disclosure (below) prescribed by law is appropriate.
  • Assign appropriate tasks to team members based on their institutional responsibilities and expertise. These tasks will be determined by the team based on the specific situation.
  • Conduct a debriefing meeting once the situation is resolved to review and approve the report to the college president.

Methods of Disclosure

Notification of disclosure of personal information may be made in one of the following methods:

  • Written notice
  • Electronic notice consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. Sec. 7001
  • Substitute notice. This is allowed if the cost of providing notice to all affected individuals would exceed two hundred fifty thousand dollars or if Bellevue College does not have sufficient contact information. Substitute notice is defined as ALL of the following:
    • E-mail notice when Bellevue College has an e-mail address for the subject persons,
    • Conspicuous posting of a notice on Bellevue College’s web site, and
    • Notification to major statewide media.

Relevant Laws and Other Resources

Revision History

Original 5/17/2006
Revision 5/21/2009; 9/13/2012; 5/7/2015

Approved By

President’s Cabinet

Last Updated April 8, 2019