An Information Technology Services Policy
Tennessee State Code 39-14-150 defines the rights of victims of identity theft. The University Personal Information Security Breach Notification Policy governs how ETSU will respond to incidents involving theft of sensitive data.
"Personal Information" is defined to mean any of the following items:
Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, and does not include information made lawfully available to the general public from federal, State, or local government records.
"Security Breach" is defined to mean: an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.
Good faith acquisition of personal information by an employee or agent of the University for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the University and is not subject to further unauthorized disclosure.
The first priority after a security breach is discovered is to contain the breach and notify supervisory personnel as quickly as possible. For any category of breach, the data must be secured, and the reasonable integrity, security, and confidentiality of the data or data system must be restored.
The next step is to determine the exact nature of the breach in terms of its extent and seriousness. Is personal information easily accessible?
As soon as a breach has been identified, the employee who discovered it must take immediate steps to report the breach to his or her supervisor. The supervisor must take immediate action to determine the extent and category of the breach and to take such further action as is necessary to contain the breach or recover the missing data. Assistance from Information Technology Services, Public Safety, or another office with relevant expertise should be requested as soon as possible. If the potential or actual breach involves loss or theft of University-owned equipment or other criminal activity, notify Public Safety. In all cases of a breach, the University Counsel's Office must be notified as soon as practicable.
The supervisor must document the breach, noting the category involved, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, acquired by an unauthorized person. A copy of that documentation must be sent to University Counsel.
The University shall notify affected individuals without unreasonable delay. However, notification shall be delayed if law enforcement informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national or homeland security.
The responsibility for providing notification shall lie with the Head of the Division that has primary authority for the data. The University Counsel will review the proposed notification before it is sent and will assist in drafting as required. A copy of the notification will also be provided to the Director of University Relations prior to the time it is posted or sent to affected individuals.
Notification shall be clear and conspicuous and include a description of the following:
Notification to affected persons must be provided by one of the following methods unless substitute notification is permitted: