R05.08.023 Records Management: Security Breach Involving Personal Information
To the extent required by applicable law, the University of Alaska will notify any individual whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person as the result of a security breach. However, notice will not be required if a reasonable investigation determines that there is no reasonable likelihood of harm, in which case the university will comply with AS 45.48.010(c), including notice to the Attorney General.
For purposes of this regulation, “personal information” means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of the individual’s name or initial and last name, and one or more of the following:
- Social security number.
- Driver's license number or state identification card number.
- The individual's account number, credit card account number, or debit card account number in combination with any required security code, access code, or password that would permit access to an individual’s financial accoun.
- Passwords, PINs, or access codes for financial accounts.
The following factors, among others, will be considered in making a reasonable belief of acquisition determination:
- Indications that the personal information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information.
- Indications that the personal information has been downloaded or copied.
- Indications that download or copy activity consistent with download or copying of personal information has occurred, even if there is no specific evidence that there was a download or copy of personal information.
- Indications that the personal information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
- Duration the personal information was exposed.
- The extent to which the compromise indicates a directed attack to acquire personal information, such as a pattern showing a machine containing personal data was specifically targeted.
Acquisition determinations will be made in accordance with delegated authority and this regulation: in the case of electronic records, by the applicable MAU Director of Information Resources, in concurrence with the Chief Information Technology Officer and General Counsel; in the case of paper records, by the applicable MAU Vice Chancellor for Administration, in concurrence with the System Vice President for Administration and General Counsel.
Notice may be by individual mail or delivery, electronic mail, internet posting, notice to the media, or some combination thereof. In choosing the method of notice, cost and effectiveness shall be considered in accordance with AS 45.48.030.
Unless an appropriate law enforcement agency determines that disclosing the breach will interfere with an ongoing criminal investigation, notice shall be given without unreasonable delay, except as necessary to determine that personal information was, or is reasonably believed to have been, acquired by an unauthorized person, the scope of the breach and the method of notice, and to restore the reasonable integrity of the information system.
This regulation is intended to provide internal guidance with respect to applicable law, including AS 45.48, and is not intended to create an independent basis for liability.