A. Introduction

On April 29, 2003, the University of California amended Business and Finance Bulletin IS-3, Electronic Information Security, to address new legal requirements of the California Information Practices Act, California Civil Code 1798.29 and 1798.82. Civil Code now requires state agencies with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Consistent with UCI policy that all campus departments comply with University of California directives, these guidelines are intended to assist campus departments in implementing the University requirements.

B. Definitions

1. Protected data - Personal information governed by these guidelines which includes an individual's first name or first initial, and last name, in combination with any one or more of the following:
   • social security number
   • driver's license number or California identification card number
   • financial account or credit card number in combination with any password that would permit access to the individual's financial account
2. Computing System - Any server, desktop, laptop computer, PDA, or other device that contains or provides network access to protected data.
3. Lead Campus Authority - A person designated by the Chancellor to investigate and report to the Office of the President instances of campus security breaches involving protected personal information data.
4. IS-3 Area Coordinator - A person assigned responsibility for coordinating electronic security in a UCI division or school. This includes maintaining an inventory of computing systems containing protected data, participating in campus-wide electronic security coordination activities, and facilitating security in the division or school.
5. Data Proprietor - A person who has responsibility for oversight of data or computing systems with access to protected data and with primary responsibility for determining the purpose and function of any data resource; often the chief administrative official of the Office of Record for the data resource.
6. Data Custodian - A technical partner of the Data Proprietor who is responsible for the implementation of data systems and the technical management of data resources, as directed by the Data Proprietor.
7. Third-Party User - A contractor or affiliate outside of UCI who uses redistributed information containing protected data.

C. Responsibilities

1. Security Breach Lead Campus Authorities for UCI is the Assistant Vice Chancellor - Information Technology, who is responsible for ensuring that the campus incident response process and systemwide and campus notification procedures are followed. They will coordinate campus procedures with Campus Counsel and others as appropriate.
2. Data Proprietors are responsible for identifying which computing systems contain protected data, or have access to protected data. They will ensure that adequate procedures are developed for access to protected data and adequate security plans, consistent with IS-3, are in place for computing systems within their jurisdiction. Data Proprietors will work with their IS-3 Area Coordinator to maintain an inventory of systems containing protected data. An up-to-date inventory of the data will usually include its location and use, its custodian, and type of security protection. Data Proprietors will inform their Data Custodians, affected staff within their jurisdiction, and third-party users, of University policy and their responsibilities regarding any use they may make of protected data.
3. Data Custodians and Third-Party Users are responsible for protecting the resources under their control, such as access passwords, computers, and downloaded data. Contractual arrangements with outside affiliates must include the third-party user's obligations regarding protected data. Data Custodians and Third-Party Users will ensure implementation of adequate security measures for computing systems containing protected data, and appropriate encryption strategies for both the transmission and storage of protected data. Monitoring access logs for computing systems housing protected data can disclose unauthorized access or anomalous activity. Departments may wish to consult with Office of Information Technology (OIT) for assistance in determining strategies appropriate to their particular technological environment.

D. Incident Response Process

1. If a breach of security is suspected on a computing system that contains or has network access to unencrypted protected data, the Data Custodian will immediately:
   1. Remove the computing system from the campus network and notify the Data Proprietor.
   2. Conduct a local analysis of the breach to determine the number of individuals whose protected data may have been acquired.
   3. Contact the OIT Response Center at (949) 824-2222 to report that a potential security breach has occurred and request immediate notification of the OIT security staff and the Security Breach Lead Campus Authorities. Send additional information via email to security@uci.edu with a copy to security-lca@uci.edu.
2. OIT will examine the evidence of a breach with the Data Custodian to assess the possibility that unencrypted protected data has been acquired by an unauthorized source and report their conclusions to the Lead Campus Authorities.
3. If, after consulting with OIT security staff and the Data Custodian, the Lead Campus Authorities are reasonably certain that a security breach has occurred, they will immediately report the breach to the UCI Executive Vice Chancellor's Office and to the Associate Vice President for Information Resources and Communications at Office of the President.
4. If the situation dictates, the Data Custodian or Data Proprietor will file a police report with UCI Police Department.
5. The Lead Campus Authorities will consult with the appropriate individuals to analyze the situation, prepare an incident report, and recommend an appropriate course of action. The individuals consulted will include representatives from the Office of Campus Counsel, Administrative & Business Services, Office of the Executive Vice Chancellor, and University Communications. The incident report will describe the nature of the security breach, report the number of individuals affected and the availability of address information, and will include other pertinent information about the breach.
6. The incident report will be submitted to the Executive Vice Chancellor's office which will determine whether criteria for notification under California Civil Code 1798.29 and 1798.82 have been met, and whether the recommended course of action is consistent with IS-3, Systemwide Notification Procedures.
7. With the approval of the Executive Vice Chancellor's office, the Lead Campus Authorities will work with the Data Proprietor to ensure that the notification procedure is executed. The Data Proprietor is responsible for carrying out the actual notification and for covering the costs of any expenses incurred.

E. Reporting Requirements

When the incident is closed, the Lead Campus Authorities will report the incident response and notification process to the Associate Vice President for Information Resources and Communications, including the actions taken to prevent further breaches of security.