Procedures for response to data security breach incidents.
Federal and state statutes require the notification of governmental agencies and affected individuals when there is reason to believe that legally protected data held by or for the College in certain circumstances was acquired by someone without valid authorization.
The purpose of this policy is to establish procedures to prepare and respond to data breach incidents, including the determination of the systems or applications affected if data has been corrupted, what specific data was compromised, and what actions are required for forensic investigation and legal compliance.
A data breach is defined as an incident that exposes confidential or protected information without authorization.
This policy applies to all students, staff, faculty members, officers, employees, and affiliates of Teachers College, Columbia University, including extended learning sites, guests, tenants, visitors, contractors, consultants, vendors, individuals authorized by affiliated institutions and organizations, and all others granted use of and/or access to Teachers College, Columbia University technology resources and data.
Any suspected or confirmed compromise of protected electronic data must be reported to the Chief Information Officer (CIO), Executive Director of Information Security, and/or the Service Desk.
Any individual responsible for a system containing protected data that may have been compromised must take immediate steps to secure that system and preserve it without change. The Vice President of Administration will convene a Response Team (RT), including, as appropriate, the General Counsel, the CIO, the Executive Director of Information Security, the responsible Director(s) of IT, the VP of Institutional Advancement, the Director of Public Safety, the Vice Provost, the Risk Manager and others.
The Information Security Office will establish detailed internal procedures for compliance, external and internal communications, oversight of the investigation, and technical support associated with a suspected or actual breach of Sensitive Data. The specific incident response procedures are set forth in the applicable Information Security and Privacy Incident Procedure and Checklist.
The general steps in response include the following:
To report a breach of Sensitive Data, contact:
TCIT Service Desk: firstname.lastname@example.org or 212.678.3300
TCIT Information Security: email@example.com
Responsible Office: Teachers College Information Technology
Effective Date: February 1, 2021
Last Updated: November 1, 2022