  The Ohio State University

Humanities Information Systems

Security

Sensitive Data Guide

Data Exposure

For better or worse, our data is valuable, not just to the University but also to external entities. Exposure of data classified as sensitive by law begins a costly process that impacts the University as a whole, regardless of which unit was originally responsible for the breach. Ohio House Bill 104 states that, in the event of the release of protected data, the University has 45 days to investigate and begin the process of notifying all Ohioans whose personally identifiable information is believed to have been exposed.

The process commences with an internal investigation when suspicion of a data exposure incident exists. The unit responsible for the possible data breach must immediately notify HIS Support Services. The Office of the CIO Information Security Group Director will then be notified. At this point, the director will contact the relevant person(s) as defined in the Draft Interim University Policy on Disclosure or Exposure of Personal Information, and the process of identifying which systems are compromised, how they were accessed, and who is affected begins in earnest.

Notification:

Once the investigation process is completed, the Incident Response Committee will determine if the mandates of House Bill 104 or other controlling legislation are activated. The University also reserves the right to enact notification in cases where the force of law may not apply. While House Bill 104 only requires the notification of Ohio residents, every effort will be made to notify any parties whose information was likely exposed in the incident.

Notification is the responsibility of the unit found to be responsible for the data breach. The costs associated with the notification process, including manpower, publication, and shipment, will be borne by the unit found responsible by the investigation. In cases where there is more than one unit involved, the committee may rule that the responsibility be split.

The Cost of Exposure:

Losing control of our sensitive data has farther-reaching ramifications than just the financial. For any exposure there is also a price to be paid in the form of public trust and good will that could impact future University operations. The average cost of notifying a single affected person is $20. In a large incident, this could result in tens or hundreds of thousands of dollars in unplanned expenses for the responsible unit to absorb, if not more. The cost in lost reputation may be seen in its impact on fundraising operations and decreases in enrollment.