Breach of Information Notification Policy

Originally Issued: May 2007

Revision Date: Apr 2015

Contacts: Vito Rocco, Don Diener, Lori Temple



The university shall disclose any breach of its data to any person whose sensitive, personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure shall be made in the most expedient time possible. It is within the university’s sole discretion to determine the scope of the breach.

The disclosure may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

The university shall make every reasonable effort to contact individuals impacted. Contact may be made in person, by mail, and/or by e-mail.

If the university does not have sufficient contact information, a general disclosure will be posted on a UNLV web site and appropriate news media outlets will be notified.  

The university will provide information about data breaches as required by federal and state laws, and NSHE regulations and/or policies.

Suspect a data breach? Report it now.

Related Documents

Procedures to Accompany the UNLV Breach of Information Notification Policy (PDF)

Statement of Purpose

The purpose of this policy is to ensure that the university meets its disclosure obligation in the event of an inappropriate release of sensitive, personal information.

Entities Affected by Policy

Entities affected by this policy include UNLV students and employees and anyone interacting with UNLV.

Who Should Read This Policy

UNLV students and employees and anyone engaging in business with UNLV should read this policy.


There are no exceptions to this policy.

Frequently Asked Questions

What would be considered a breach? If there is suspicion of a breach, will someone be available to check whether or not one has occurred?

Any time sensitive, personal information is potentially exposed to an unauthorized individual, it is considered a suspected breach. The Information Security Office will investigate to determine if a breach occurred.

For example, if you handle sensitive, personal information and your computer is found to contain malware, this would be considered a suspected breach. A forensic investigation would reveal whether someone other than the user of the computer had accessed the information. If so, a breach response would be initiated.

Another somewhat common occurrence is a lost or stolen unencrypted flash drive containing an instructor’s grades. In this case, since it is impossible to determine if the information has been accessed, a breach response would be initiated and those possibly impacted notified.

Does the Data Breach Notification Policy apply only to information stored electronically?

The policy applies to all sensitive, personal information irrespective of the manner in which it is stored. Paper documents containing protected information are also subject to this policy.

Whose responsibility is it to notify the university of a suspected breach?

The first person to discover that information could have potentially been breached should notify the university by sending an email to That individual should also notify his or her supervisor that they have reported a suspected breach.

How should a suspected breach be reported? Can a suspected breach be reported in person?

All reports regarding suspected breaches should be made through The report will be handled through the Information Security Office.

If a suspected breach is reported in person, the person will be directed to submit the report via email.

Are there disciplinary actions associated with not reporting potential breaches?

If an employee intentionally neglects to report a suspected breach, the employee would be subject to the existing university procedures for handling personnel matters.

Is there a place where UNLV breach notifications will be available for public review?

All UNLV breach notifications that require a full breach response will be available on the Breach Information website. The notifications will be available for 60 days. For more information on what constitutes a full breach response, see the UNLV Breach of Information Procedures.