|Morgan County Schools|
|Bylaws & Policies|
8351 - SECURITY BREACH OF CONFIDENTIAL DATABASES
It is the policy of the Board of Education that if any employee suspects, discovers or determines that an unauthorized access or acquisition of data occurs, which would compromise the confidentiality or security of personal information maintained by the District on a database, the District will take appropriate action to assess the risk, and notify the affected individuals in accordance with law.
This policy applies to any security breach involving employees, consultants, vendors, contractors, outside agencies and employees of such agencies, and any other parties having a business relationship with the District and handling personal information on the District's behalf. It is expected that those offices, individuals or entities operating, maintaining, and using databases containing personal information will effectively control access to the databases to protect against unauthorized access, acquisition, modification, use or disclosure of personal information.
In order to better protect personal information and facilitate the investigation of incidents of unauthorized access, employees shall not store personal information on a personal computer, server or other data storage equipment not owned or maintained by the District.
Security Breach and Personal Information – Definitions
A "security breach" means the unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by the District and that:
|A.||causes a material risk of identity theft or other fraud to the person or property of a resident of the State;|
|B.||reasonably is believed to have caused a material risk of identity theft or other fraud to the person or property of a resident of the State; or|
|C.||reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of the State.|
Unauthorized access of information will not be considered a security breach if:
|A.||the employee or agent acted in good faith in accessing the data;|
|B.||the access was related to the activities of the District or the employee's or agent's job-related duties; and|
|C.||the employee or agent did not use the personal information for an unlawful purpose or subject the information to further unauthorized disclosure.|
Also, the acquisition of personal information pursuant to a search warrant, subpoena, or other court order, or pursuant subpoena, order or duty of a regulatory State agency, will not be considered a security breach.
For purposes of this policy, personal information means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any of or more of the following (when the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is effectively obscured or unreadable):
|A.||Social Security number;|
|B.||driver's license number or State identification card number; and/or|
|C.||account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.|
Discovery of Security Breach and Notification
If an employee suspects, discovers and/or determines that a security breach has occurred, the employee shall promptly notify his/her immediate supervisor and the Superintendent, in writing.
The Superintendent shall determine and implement the steps necessary to correct the unauthorized access and requirements for notifying those individuals whose personal information may have been compromised.
The Superintendent shall develop and implement administrative guidelines related to this policy.
WV Code 46A-2A-101, 46A-2A-102