To report a data breach, phone the toll-free number 866-236-5752 or the internal UVM number 6-2123 to reach the UVM Information Security Office.

Breach Notification Procedures

Notification is required when the security of high risk personal non-public information is compromised, per Vermont Statute, Act 162, An Act Relating to the Protection of Personal Information.

Purpose

The University's breach notification procedures are in place to ensure that University community members are informed when there is a breach in the security of their highly sensitive personal information. Following the discovery of a breach in the security of a system, including theft of a computer where forensic analysis indicates a reasonable expectation that unencrypted high risk personal non-public information has been viewed or taken, University policy is to notify all persons whose personal information might have been acquired by unauthorized persons.

What is high risk non-public personal information?

High risk non-public personal information or personally identifiable information (PII) means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number
  • Motor vehicle operator's license number or non-driver identification card number
  • Financial account number or credit or debit card number
  • Account passwords or personal identification numbers or other access codes for a financial account.

What are the department's responsibilities?

Whenever possible, personal non-public information, including Social Security and credit card numbers, should not be stored on unit-administered computers. University departments are responsible for the security of information in their possession and must be vigilant in safeguarding it.

When a University department becomes aware of a breach of the security of any of its computer systems that contain unencrypted high risk personal non-public information it must:

  • Advise UVM's CIO office at (802) 656-5598, and the Dean or Vice President to whom the department reports. If a computer has been stolen, Police Services must also be notified.
  • Notify the affected individuals whose highly sensitive personal information is at risk. The department will work with its Dean's or AVP's office, as well as University Communications, to provide the notifications. Notices must be given in writing by US Mail except in the specific situations described in Vermont Statute, Act 162, Sec. 2435(b)(5)(B).
  • Submit the final text of any breach notification to University General Counsel for review prior to mailing.
  • Advise UVM's CIO office and the Information Security Office when the notifications are complete.

What should notices include?

The final text used in any breach notification must be reviewed by the office of General Counsel and by University Communications. Notifications will vary depending on the circumstances of each system breach and could include the following elements:

  • A description of the incident in general terms.
  • The type of personal information that was subject to unauthorized access or acquisition.
  • The general steps the University has taken to protect the personal information from further unauthorized access or acquisition.
  • The toll-free number to call for further information and assistance.
  • Advice directing the individual to remain vigilant by reviewing account statements and monitoring free credit reports.

How should the notice be provided?

Notice may be provided by one of the following methods:

  • Written notice mailed to the individual's residence.
  • Electronic notice (email) may be used only for individuals for whom UVM has a valid email address but no residence address, and with whom the normal method of communication is email. If email is used, UVM General Counsel must be consulted to confirm that the additional restrictions and specifications of Vermont Act 162 regarding email notification have been met.
  • Notification by telephone, provided the contact is made directly with each affected individual and not through a prerecorded message.
  • Substitute notice, as an exception: if the cost of providing written or telephonic notice would exceed $5,000, if the affected class of individuals exceeds 5,000, or if UVM does not have sufficient contact information, substitute notice shall be provided instead. Substitute notice consists of conspicuous posting on the UVM website and notification to major statewide and regional media.

How quickly do notices have to be sent?

Notice must be given in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Sample Notification Text

This sample text is intended to guide University departments in developing a notice to individuals whose personal information might have been involved in a computer security breach.

Dear:

This message is being sent to you as formal notice that the security of your (specify the personally identifiable information at risk, e.g. "your name, Social Security number and credit card number") maintained in a University of Vermont Department of (the name of your department, e.g. Department of Zoology) database may have been compromised by a recent security breach.

The possible security breach consisted of (insert a non-technical description of the scope and nature of the breach). As of this writing, (state the degree to which you can attest that their personal information has been acquired by unauthorized persons). Therefore, it is possible that information that could lead to identity theft is in the hands of an unauthorized person or persons.

For further information and assistance, please call UVM Information Security toll free at (866) 236-5752. For additional information about identity theft, please visit the Federal Trade Commission's Consumer Information website, Recovering from Identity Theft.

I deeply regret this incident and will keep you informed of further developments. Please feel free to contact my office at 802-656-4900 with any questions you may have.

Regards,

Name

Title

What is a breach of security of the system?

A computer security breach is any incident in which the security of a computer system is compromised, including the theft or loss of a computer, storage device or medium, where unauthorized person(s) might have been able to access, copy or read the data files on it. It does not include access in the normal course of business by employees or University business partners.