John Glenn School Corporation
Administrative Guidelines
 

8305C - NOTIFICATION OF INFORMATION SECURITY INCIDENT

As required by AG 8305B, if a user, who has access to Corporation Confidential Data/Information and/or to any mission-critical system, suspects that there may have been an information security incident, the user promptly must report the incident to a Corporation administrator who shall notify the Superintendent and the Corporation's Information Technology Office and/or Security Office immediately.

If an information security incident occurs that involves the release of Corporation Confidential Data/Information, the Corporation will take action in accordance with State and Federal law to address the situation, including, when appropriate and/or legally required, notifying affected individuals that their personally identifiable information was improperly accessed and/or released. Any required notices will be provided in a timely manner. To the extent that State or Federal law is amended to provide greater protections than those contained in this guideline, the Corporation will comply with the amended State or Federal law.

The Corporation shall disclose any security breach of computerized personal information data ("breach of the security of the system"), following its discovery or notification of the breach of the security of the system, to any Indiana resident whose personal information (as defined below) was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. In addition to notifying the affected Indiana resident(s), the Corporation will disclose the breach of the security of the system to the Indiana Attorney General.

For purposes of this policy, "breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by the Corporation and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of an Indiana resident.

"System" means any collection or group of related records that are kept in an organized manner, that are maintained by the Corporation, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

"Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (a) social security number; (b) driver's license number or state identification card number; or (c) account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.

The notice to individuals required by this guideline shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the Corporation to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than forty-five (45) days after the discovery or notification of a breach, unless subject to an authorized delay.

If a Federal, State, or local law enforcement agency determines that disclosure or notification to individuals required under this guideline would impede a criminal investigation, or jeopardize homeland or national security, the notice shall be delayed until the law enforcement agency determines the disclosure or notification will not compromise the investigation or jeopardize homeland or national security.

Notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant Federal, State, or local law enforcement agencies, the Corporation reasonably determines that the breach has not and likely will not result in identity theft or any other financial harm or fraud to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five (5) years.

The Corporation will make the disclosure or notification required by this guideline by one of the following methods:

 

A. written notice;

B. electronic notice, if the Corporation's primary method of communication with the resident is by electronic means; or

C. telephonic notice.

The Corporation may provide substitute notice in lieu of direct notice if (a) the Corporation does not have sufficient contact information to provide notice in one of the manners described above, (b) the cost of providing disclosure or notice would exceed $250,000, or (c) the affected class of residents exceeds 500,000 persons. Such substitute notice shall include all of the following:

 

A. Electronic mail notice if the Corporation has an e-mail address for the resident;

B. A conspicuous posting of the disclosure or notice on the Corporation's website; and

C. Notification to major media outlets (including print and broadcast) in the geographic area where Indiana residents affected by the breach of the security of the system reside.

If the Corporation discovers circumstances that require disclosure pursuant to this guideline to more than 1,000 residents involved in a single occurrence of a breach of the security of the system, the Corporation shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the Corporation to affected Indiana residents.

In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the Corporation of the breach of security as expeditiously as practicable, but no later than ten (10) days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, the Corporation shall provide the notices required above. A third-party agent shall provide the Corporation with all information that the Corporation needs to comply with its notice requirements.

An agent, pursuant to a contract entered into by the Corporation prior to the date the breach of the security of the system occurred, may provide notice as required on behalf of the Corporation, so long as the contract does not conflict with any provision of law.

Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. 1232g
34 C.F.R. Part 99

Approved 9/26/17

© Neola 2017