Notification Procedure for Electronic Breach of Information Security

Purpose

This document defines the notification procedure that the Research Foundation (RF) will follow if an electronic security information breach should occur at central office or at a campus.

Background

Under the provisions of the New York State Information Security Breach and Notification Act (NY Gen. Bus. L. Sec. 899-aa Art. 39-F), the RF is required to provide notification when an electronic security breach occurs that results in "personal" and "private" information being available to unauthorized individuals. The RF is required to notify RF staff and any person for whom protected information is held in the RF business applications when an electronic security breach occurs.

Breaches of information security are widespread in nature and not just limited to computer hacking. An electronic information security breach can occur if an unauthorized person gains access to personal and private information, such as from a stolen or misplaced laptop or hand-held wireless e-mail device (for example, Blackberry™) that contains private information saved on the hard disk, or by any other unauthorized receipt of personal and private information.

Personal vs. Private Information

The provisions of the New York State Information Security Breach and Notification Act define "personal" and "private" information as follows:

Personal information is any information that can be used to identify a specific person, such as his or her name.

Private information is personal information that is released with one additional piece of information from the following list:

If a Suspected Security Breach Occurs at Central Office

The following table outlines the steps to take when a suspected electronic security breach occurs at central office:

Step  Action

1     The person who suspects that an electronic security information breach may have occurred notifies his/her respective RF department vice president (VP).

2     The VP notifies one of the following Information Security personnel:

      Mike Bartoletti, Director of Solution Architecture and Information Assurance, Primary Contact
      Mike.Bartoletti@rfsuny.org; Phone: (518) 434-7204

      Gerard Drahos, Vice President Chief Information Officer, Corporate Information Security Officer
      Gerard.Drahos@rfsuny.org; Phone: (518) 434-7205

3     Information Security works with appropriate technical and other personnel to analyze the situation to determine if a breach has occurred.

4     In the event of a suspected breach, Information Security notifies the Executive Office and the Office of Human Resources, the Office of General Counsel and Secretary, the Office of Internal Audit, and the Office of External Relations:

      Lynn Manning, Vice President for Human Resources, Privacy Officer
      Lynn.Manning@rfsuny.org; Phone: (518) 434-7107

      Joshua Toas, Deputy General Counsel
      Joshua.Toas@rfsuny.org; Phone: (518) 434-7045

      Michael Barone, Interim Vice President for Internal Audit
      Michael.Barone@rfsuny.org; Phone: (518) 434-7019

      Peter Taubkin, Associate Director of External Relations
      Peter.Taubkin@rfsuny.org; Phone: (518) 434-7063

5     The Office of General Counsel and Secretary advises on the situation and, if a breach has occurred, notifies the New York State attorney general, consumer protection board, and New York State Office of Cyber Security. If more than 5000 New York State residents are directly affected, consumer reporting agencies will also be notified (e.g., credit reporting services, to be supplied by the New York State attorney general).

6     Information Security communicates status information with the affected person's department VP.

7     The Office of Corporate Communications develops a notification message to the affected individual in consultation with the Executive Office, the Office of Human Resources, and the Office of General Counsel and Secretary and determines from which office the notification will be issued.

If a Suspected Breach Occurs at a Campus

The following table outlines the steps to take when a suspected electronic security breach occurs at a campus:

Step  Action

1     Campus representative who suspects that an electronic information breach has occurred related to RF data or systems notifies the operations manager at the campus.

2     Operations manager notifies one of the following central office Information Security personnel:

      Mike Bartoletti, Director of Solution Architecture and Information Assurance, Primary Contact
      Mike.Bartoletti@rfsuny.org; Phone: (518) 434-7204

      Gerard Drahos, Vice President Chief Information Officer, Corporate Information Security Officer
      Gerard.Drahos@rfsuny.org; Phone: (518) 434-7205

3     Information Security works with appropriate technical and other personnel to analyze the situation to determine if a breach has occurred.

4     In the event of a suspected breach, Information Security notifies the Executive Office and the offices of Human Resources, General Counsel and Secretary, Internal Audit, and External Relations:

      Lynn Manning, Vice President for Human Resources, Privacy Officer
      Lynn.Manning@rfsuny.org; Phone: (518) 434-7107

      Joshua Toas, Deputy General Counsel
      Joshua.Toas@rfsuny.org; Phone: (518) 434-7045

      Michael Barone, Interim Vice President for Internal Audit
      Michael.Barone@rfsuny.org; Phone: (518) 434-7019

      Peter Taubkin, Associate Director of External Relations
      Peter.Taubkin@rfsuny.org; Phone: (518) 434-7063

5     The Office of General Counsel and Secretary advises on the situation and, if necessary, notifies the New York State attorney general, consumer protection board, and office of New York State Cyber Security. If more than 5000 New York State residents are directly affected, consumer reporting agencies will also be notified (e.g., credit reporting services, to be supplied by the New York State attorney general).

6     Information Security communicates status information with the campus RF operations manager.

7     The Office of Corporate Communications develops a notification message to the affected individual in consultation with the Executive Office, the Office of Human Resources, and the Office of General Counsel and Secretary and determines from which office the notification will be issued.


Copyright © 2011 The Research Foundation of State University of New York