Office of the Chief Information Officer
320 Baker Systems Engineering
1971 Neil Avenue
Columbus, OH 43210
Phone: (614) 292-6553
Fax: (614) 688-4226
Information Technology Policy and Services
Draft Interim University Policy on Disclosure or Exposure of Personal Information
January 10, 2007
General Statement
Ohio legislation commonly known as House Bill 104 established requirements for notification of Ohio residents in the event that certain personal information is disclosed, or is reasonably believed to have been disclosed, to unauthorized persons through a system security breach. Specific requirements vary depending on the size and certainty of the disclosure. The university intends to fully comply and will also take certain steps beyond those required by law. This interim policy will help to ensure protection of the specified personal information and responsive notification. This interim policy will remain in effect until superseded by broader permanent policies as well as policies based on the expected State of Ohio Administrative Rule on Sensitive Data Protection.
Applicability
This policy applies to all university academic and administrative units. It also applies to all affiliated units as well as agents and contractors handling personal information on the university's behalf.
Policy Statements
A. For the purpose of compliance with Ohio House Bill 104 and this policy, personal information means an individual's name in combination with the individual's social security number; driver's license number or state identification card number; or account number or credit or debit card number with security codes or passwords.
B. For the purpose of compliance with Ohio House Bill 104 and this policy an unauthorized person is any person who does not require access to personal information in the course of university employment or to perform duties or meet needs in support of the university mission. A person who receives personal information in response to an Ohio Public Records Law request is not an unauthorized person.
C. For the purpose of compliance with Ohio House Bill 104 and this policy personal information that is encrypted, redacted, or effectively obscured will not be considered to have been disclosed or exposed.
D. University units operating, maintaining, and using systems containing personal information must effectively control access to those systems to protect against disclosure or exposure of personal information to unauthorized persons.
E. To help ensure the protection of personal information and facilitate the investigation of exposure and disclosure incidents, personal information in the university's custody may not be placed on employee-owned or student-owned computing or data storage devices or equipment.
F. Notwithstanding the House Bill 104 requirement for notification of Ohio residents, the university will make a best attempt to notify all persons whose information was disclosed or exposed regardless of state of residence.
G. The university may choose to make notifications relative to an exposure or disclosure incident that does not trigger Ohio House Bill 104 notification requirements.
H. Any proven or suspected disclosure or exposure of personal information in the custody of the university and stored in a computer, system, or data network resource must be immediately reported to the Office of the CIO Director of Information Security via e-mail to Security@osu.edu. CIO security staff and the university unit responsible for the computer, system, or resource will immediately block any further unauthorized access to the personal data.
I. The Office of the CIO Director of Information Security will notify the CIO and any affected university unit's higher management of disclosure or exposure incidents, convene and chair a University Response Team for each disclosure or exposure incident under this policy, and manage the overall university response to each incident.
J. The University Response Team for each computer or network-related disclosure or exposure incident will include representatives from the Office of University Relations; the Office of Legal Affairs; the Office of Business and Finance and the University Risk Management Coordinator; the university unit responsible for the category of data disclosed or exposed and any university unit responsible for a security lapse causing the disclosure or exposure; the Office of Information Technology Manager of the Technology Support Center; the Office of the CIO Director of Communications, Marketing and Planning; and the Office of the CIO Director of IT Policy and Services. Additional university personnel appropriate to a specific incident may be added as necessary.
K. The University Response Team for each computer or network-related disclosure or exposure incident will be responsible for determining whether or not an actual disclosure or exposure has taken place; whether or not Ohio House Bill 104 notification requirements have been triggered; and which individuals, government agencies or political subdivisions, news organizations, and commercial or nonprofit entities should be notified either to comply with Ohio House Bill 104 or to serve the best interests of the university.
L. The Office of the CIO and University Relations, in collaboration with the Office of Legal Affairs, will develop template individual and public notification letters and announcements. The templates will be tailored by the university response team for use in the response to specific incidents.
M. Any individual or public notifications relative to a specific incident will be issued in the name of the university unit responsible for the category of disclosed or exposed data jointly with any university unit responsible for a security lapse causing the disclosure or exposure.
N. Costs of remediation and notification efforts will be borne by the university unit or units responsible for the disclosure or exposure.
O. The Office of the CIO Director of Information Security will develop and publish procedures as needed to implement this policy.
Enforcement
The Office of the CIO Director of Information Security will notify the CIO, other university administration as appropriate, and a violating unit's higher management of any violation of this policy with recommendations for corrective measures.
In a perceived emergency situation, Office of the CIO security staff or other university technical staff may take immediate steps, including denial of OSUNet and Internet access, to secure personal data, ensure the integrity of the university data network and systems, or protect the university from liability.
All decisions, notifications, or measures taken under this policy may be appealed to the CIO through the Office of the CIO Director of Information Technology Policy and Services. Appeals should be submitted by e-mail to ITPolicy@osu.edu.
Draft Interim Policy Version 1.0
Approved for interim use by the President's Cabinet on January 10, 2007.
For More Information
Submit comments, questions, and suggestions to ITPolicy@osu.edu using the ITPolicy web form.
