Carnegie Mellon University

Data Breach Notification (Pennsylvania)

Enacted on December 22, 2005, Pennsylvania's "Breach of Personal Information Act" provides for the notification of residents whose personal information was or may have been disclosed due to a system security breach.

If, after investigating a suspected security breach, the Information Security Office determines, in coordination with other University officials, that there was unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and is reasonably believed to result in loss or injury, the Information Security Office will organize the notification of affected individuals by written notice to the last known home address of the individual, by e-mail, by telephone, or by substitute notice as allowed.

"Personal information" is defined as an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  1. Social Security number
  2. Driver's license number or a State identification card number
  3. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.

User Practices

Users are required to follow the Procedure for Responding to a Compromised Computer if they suspect that the security or privacy of a Carnegie Mellon computing resource has been compromised.



Revision History

Status:  Published 
Published:  12/05/2013 
Last Reviewed:  03/13/2014
Last Updated:  03/13/2014