What would be considered a breach? If there is suspicion of a breach will someone be available to check whether or not one has occurred?
Anytime sensitive, personal information is potentially exposed to an unauthorized individual it is considered a suspected breach. The Information Security Office will investigate to determine if a breach occurred.
For example if you handle sensitive, personal information and your computer is found to contain malware, this would be considered a suspected breach. A forensic investigation would reveal whether someone other than the user of the computer had accessed the information. If so, a breach response would be initiated.
Another somewhat common occurrence is a lost or stolen unencrypted flash drive containing an instructor’s grades. In this case, since it is impossible to determine if the information has been accessed, a breach response would be initiated and those possibly impacted notified.
Does the Data Breach Notification Policy apply only to information stored electronically?
The policy applies to all sensitive, personal information irrespective of the manner in which it is stored. Paper documents containing protected information are also subject to this policy.
Whose responsibility is it to notify the university of a suspected breach?
The first person to discover that information could have potentially been breached should notify the university by sending an email to email@example.com. That individual should also notify his or her supervisor that they have reported a suspected breach.
How should a suspected breach be reported? Can a suspected breach be reported in person?
All reports regarding suspected breaches should be made through firstname.lastname@example.org. The report will be handled through the Information Security Office.
If a suspected breach is reported in person, the person will be directed to submit the report via email.
Are there disciplinary actions associated with not reporting potential breaches?
If an employee intentionally neglects to report a suspected breach, the employee would be subject to the existing university procedures for handling personnel matters.
Is there a place where UNLV breach notifications will be available for public review?
All UNLV breach notifications that require a full breach response will be available on the Breach Information website. The notifications will be available for 60 days. For more information on what constitutes a full breach response, see the UNLV Breach of Information Procedures.