Kent City Community Schools
Administrative Guidelines
 

8351 - SECURITY BREACH OF CONFIDENTIAL DATABASES

Upon receiving information of a security breach in one of the District's databases, the Superintendent and the chief business officer shall:

 

A.

determine how the breach occurred;

   
 

B.

take immediate steps to correct and stop further unauthorized access;

   
 

C.

determine if notification is required to any individuals whose personal information may have been accessed.

Notification is not required, but may be done, when there is a determination, based on a reasonable review of all the facts, that the security breach is not likely to result in identity theft or result in substantial loss or injury to the individuals who are affected by the security breach. In making this determination, the Superintendent shall consider, at a minimum, whether the information accessed by an unauthorized individual was:

 

A.

unencrypted and unredacted personal information; or

   
 

B.

encrypted but accessed by a person with access to the encryption code.

If the Superintendent determines that notice should be given, it shall be done without unreasonable delay.

The notice shall be by one of the following methods:

 

A.

written notice to the address on record for the individual(s)

   
 

B.

written notice sent electronically, provided the individual has expressly consented to receive electronic notice or there is a business relationship which uses electronic mail communications, and there is reasonable belief that the e-mail address is current

   
 

C.

by telephone, provided that actual direct conversation is held with the individual within three (3) days of the first attempted call

The notice shall include:

 

A.

description of the security breach in general terms;

   
 

B.

the type of personal information that may have been accessed;

   
 

C.

general description of the measures taken to stop further security breaches;

   
 

D.

a telephone number where the person may obtain assistance or additional information;

   
 

E.

reminder to be vigilant and monitor for fraud or identity theft.

If over 1,000 Michigan residents are affected by the security breach, credit reporting agencies shall be notified.

M.C.L. 445.60 et seq.

© Neola 2012