Data Incident Response Plan

1. Overview

The DePauw University Data Incident Response Plan outlines the University’s actions following a data breach or other type of data related incident in order to ensure timeliness of response, compliance with applicable laws and regulations and ensure consistency in all aspects of the University’s response.

2. Background

Academic institutions face a barrage of malicious cyber attacks as a result of actors attempting to capture confidential and/or protected information. Institutions are at risk because of the kinds of sensitive information they maintain. Data incidents can occur anywhere that information resides, including computer systems, portable media, etc.

DePauw University is committed to protecting the privacy of its community, which includes safeguarding the sensitive and protected data that is owned and maintained by the university. DePauw University has taken many steps to reduce the risk of breach of such data, many of which are outlined in the University’s Written Information Security Plan (WISP). However, no protection is foolproof, therefore, DePauw University must be prepared to respond to an incident if one should occur.

3. Purpose

In accordance with federal and state laws and regulations, DePauw University is required to provide notice about security breaches of protected information at the University to affected individuals and appropriate state agencies. DePauw University is also committed to protect other kinds of sensitive institutional information that is maintained at the University. If sensitive and/or protected information at DePauw University is exposed as a result of an incident, the University must take steps to:

• Prevent further exposure,
• Investigate the incident and support law enforcement if criminal activity is suspected,
• Determine any legal obligations,
• Notify the departments and individuals affected,
• Respond to media inquiries,
• Document any responsive actions taken, and
• Conduct a post-incident review of these actions.

Accomplishing the above tasks will necessarily involve individuals from diverse areas of the University and will require that a plan be in place to address an incident before it occurs. The purpose of this plan is to outline the University’s response to a data incident, including procedures for reporting an incident and individual team members’ responsibilities following an incident.

4. Scope

The Data Incident Response Plan addresses four types of information compromises:

• Computing Devices Compromised by Malware
• Computing Devices Compromised by Unauthorized Access (e.g., any devices accessed without permission, either by stolen or compromised credentials, or other attempts to access a device without authorization, etc.)
• Lost or Stolen Computing Devices
• Lost or Stolen Paper Records containing Confidential Data, as defined below

The scope includes all computing devices (both University-owned and personal), including computers, servers, portable media, and external hard drives or other mobile devices, and paper records, which contain Confidential data. All DePauw University employees that maintain or access Confidential data, both electronic and paper, at the university must comply with this plan.

5. Definitions

Breach of security. The unauthorized acquisition or use of sensitive or protected data that creates a substantial risk of identity theft, fraud or harm to the reputation or business interests of an individual or institution.

Compromised computer. Some ways a compromised computer can be identified include: The computer user suspects that his/her system is exhibiting suspicious behavior or has suspicious files stored on the device; network or system logs indicate unusual network behavior coming from or going to the device; or individuals either at DePauw or from outside of the University report cyber-attacks or unusual network behavior emanating from the device.

Confidential data. Refers to any information, both paper and electronic, that is protected by Federal, state, or local laws and regulations, or other sensitive personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations, or reputation of DePauw University. Protected data includes Personally Identifiable Information, student education records, and Protected Health Information (PHI). For a more complete description of these terms and the types of data identified as Confidential, see the University’s Written Information Security Plan (WISP) and the related policies cross-referenced at the end of this document.

Personally Identifiable Information (PII). Personally Identifiable Information (PII) is a person’s Social Security number or the first name or first initial and last name of a person linked to any one or more of the following data elements that relate to the person:

• Social Security number
• Driver’s license number or state-issued identification card number
• Account number, credit card number, or debit card number, if such a number could be used without additional identifying information, access codes or passwords
• Account passwords or personal identification numbers or other access codes
• Medical/health information

DePauw University employees. Includes all DePauw University employees, whether full- or part-time, including faculty, staff, contract and temporary workers, hired consultants, interns, and student employees.

6. Responsibilities

The CIO (the ISP Coordinator as designated by the University’s WISP) is charged with the identification of all data security incidents involving electronic data or paper records where the loss, theft, unauthorized access, or other exposure of Confidential data is suspected. When the CIO confirms an incident involving Confidential electronic data, the CIO will contact the VP for Business and Finance or the University Chief of Staff. This individual will consult with the Critical Incident Management Team (CIMT) Manager, who will convene the Critical Incident Management Team (CIMT) as needed. The CIMT Manager is responsible for coordinating CIMT and determining appropriate actions in their response to the incident.

The CIMT includes representatives from several college departments. The CIMT Manager, in consultation with the CIO, will determine which CIMT members will respond to the incident depending on the nature of the incident. CIMT will designate an on-site Incident Leader, typically the VP for Business and Finance or CIO, who will oversee the investigation of the incident and involve legal counsel, local, state, and federal law enforcement as necessary. The severity of the incident will determine the nature of the investigation, including what authorities are involved and how evidence is collected.

The CIO will document all breaches and subsequent responsive actions taken. All related documentation will be stored in the Business and Finance Office and in Information Services records.

All DePauw University employees are responsible for identifying and reporting potential security breaches.

7. Response Plan

For suspected data incidents, the CIO and their designated staff members will:

• Conduct a preliminary investigation: Gather details about the incident, including when the breach was first discovered and how the employee or involved person responded. In cases involving electronic data, they will also inquire about symptoms of the compromised computing device.
• Determine if Confidential data was involved: Research the nature of records or data involved in the incident and what kinds of information it contained. For electronic data incidents, they will use a variety of technologies to determine if Confidential data was present on the compromised device. If a computing device was stolen, they will do the analysis on backups. If backups are not available, the severity of the incident will be classified based on the individual’s access to various sensitive data.

If an incident involving Confidential data is confirmed, the CIO will inform the VP for Business and Finance or the University Chief of Staff who will:

1. Notify Senior Staff: Provide details about the incident and provide status updates.
2. Engage University cybersecurity insurance provider.
3. Consult the Critical Incident Management Team (CIMT) manager who will determine how/if to engage the CIMT team.
4. Consult legal counsel: Review the incident to determine the University’s legal obligations for reporting under applicable federal and state laws.
5. Coordinate notification of affected individuals: Under various state and federal laws the University is required to notify any individuals whose personal information or protected health information (respectively) may have been compromised as a result of this incident (regardless of confirmation of identity theft). Depending on the circumstances of the incident, the University may be obligated to notify other individuals and agencies as prescribed as law. The nature of the incident will also determine the method(s) of notification.

8. Enforcement

Any employee who neglects to report a known security breach, or who fails to comply with this plan in any other respect, may be subject to disciplinary action

9. Policies Cross-Referenced

• Written Information Security Plan (WISP)
• Electronic Communications and Acceptable Use Policy
• Data Classification Policy and Handling Recommendations
• Record Retention and Document Destruction Policy
• FERPA Student Records Policy
• University Policies and Procedures

10. Effective Date

This plan is effective May 1, 2024.

Last update: 05-20-2024