Procedure for Reporting Unauthorized Release or Access of Data
- Applies To
- Regulatory Requirements
- Data Exposure Examples
- Revision History
The purpose of this Procedure is to provide step-by-step instructions for responding to an actual or suspected breach or exposure of private or restricted Institutional Data including unauthorized access, use, or disclosure.
This Procedure applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate, including students, who suspects that the security or privacy of non-public Institutional Data has been compromised.
All terms and definitions in this document can be located in the Information Security Office Glossary.
Carnegie Mellon University is required by various state and federal regulations to investigate any incident that may involve the breach of personally identifiable information. Carnegie Mellon University is also required to notify an individual if the privacy of their personally identifiable information has been breached – including accidental release of data. Failure to preserve evidence or conduct an investigation related to a data breach could result in unnecessary financial costs for the institution. It is also important that the details of a breach and the ensuing investigation remain confidential. All related communications should be coordinated with the Information Security Office (ISO) and the Office of General Counsel. Any contact with law enforcement should be immediately referred to or be authorized by the Office of General Counsel.
The steps in this procedure relate to any situation in which non-public Institutional Data might be exposed to unauthorized individuals. Examples include:
- A University computer or information system may have been compromised.
- A computer, mobile device, or storage medium such as an external disk or thumb drive is lost or stolen.
- Non-public information is discovered to be accessible to unauthorized individuals, whether they are affiliated or unaffiliated with the University.
- Non-public information was accidentally or purposefully distributed to unauthorized individuals.
The following steps should be taken to respond to an actual or suspected breach of data:
- Contact the Information Security Office
As soon as an individual suspects that a breach or exposure of data has occurred, they should contact the Information Security Office immediately by phone prior to taking any additional action. The Information Security Office can be contacted at 412-268-2044. In the event that the Information Security Office is unavailable to take your call, emergency contact information will be provided in the pre-recorded answering system.
The Information Security Office will conduct a preliminary investigation to determine the best course of action. While waiting further instructions, do not share any details related to the suspected data breach unless absolutely necessary and only with those individuals with a need to know. Additionally, do not attempt to contact law enforcement officials. Such communication must be coordinated with the Information Security Office and the Office of General Counsel due to the potential legal implications.
- Contain the System
In cases where it is suspected that the data breach was the result of a compromised computer or compromise of any information system, follow the steps below:
- Remove the system from the local network (unplug ethernet cords and turn off Wi-Fi)
- Contact the Information Security Office as soon as possible
- Keep th esystem running in the state it was when the compromise was detected
- Notify users of the computer, if any, of a temporary service interruption
It is important that NO further commands or actions be taken on the related Information System. Doing so may destroy relevant forensic data and impede ISO investigations.
- Scan the system with antivirus software
- Attempt to clean off any malicious software
- Attempt to clear the mail system
- Attempt to retract an email message that contained confidential data
- Run a backup