
Old Dominion University

Information Technology Standard

05.2.0 Data Breach Notification Standard

Date of Current Revision or Creation: October 1, 2021

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this standard is to specify the data breach notification requirements for Old Dominion University by identifying the triggering factors and necessary responses to unauthorized release of unencrypted sensitive information.

  2. Definitions

    Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.

    Personal Information is any piece of data that can potentially be used to identify a single person. Generally, a name combined with one or more other personal information data elements is necessary to place identity at serious risk.

  3. Standards Statement

    ODU will identify all University systems, processes, and logical and physical data storage locations, including those held by third parties, which contain Class 1, 2, and 3 regulated data as described in the ITS Standard 02.3.0 Data Administration and Classification.

    ODU will include provisions in third-party contracts that involve Class 1, 2, and 3 regulated data, requiring that the third party and third-party subcontractors:

    1. Provide timely notification to the agency of suspected breaches
    2. Allow the agency both to participate in the investigation of incidents and to exercise control over decisions regarding external reporting

    ODU will provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted Class 1, 2, and 3 regulated data by any mechanism, including, but not limited to:

    1. Theft or loss of digital media including laptops, desktops, flash drives, smart phones, tablets, CDs, DVDs, tapes, etc.
    2. Theft or loss of physical hardcopy
    3. Security compromise of any system containing Class 1, 2, and 3 regulated data
    4. Release of encrypted data where the encryption key is also compromised

    ODU will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed, except as delineated below.

    ODU will provide notification that consists of:

    1. A general description of what occurred and when
    2. The type of personal information that was involved
    3. Whether actions have been taken to protect the individual's personal information from further unauthorized disclosure
    4. What, if anything, ODU will do to assist affected individuals, including contact information for more information and assistance
    5. What actions ODU recommends that the individual take

    ODU will provide this notification by one or more of the following methods, listed in order of preference:

    1. Standard mailing to any affected individuals whose mailing addresses are available
    2. Electronic mail to any affected individuals whose email address has been provided to the agency as a contact mechanism
    3. In the case of large-scale breaches or data breaches where neither form of communication listed above is available or feasible, public communications channels, including:
      1. Conspicuous notification on the agency website
      2. Notification by statewide public media, including newspaper, radio and television

    ODU will withhold immediate notification following verification of unauthorized data disclosure only if requested by:

    1. Law Enforcement entities where it would interfere with an ongoing investigation
    2. CIO, ISO or designee where it would interfere with a determination of the scope of the data breach or investigation of root cause

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

    Data and System Breach Response Framework

    University Policy 3505 - Information Technology Security Policy

    IT Standard 02.3.0 - Data Administration & Classification Standard

  5. History

    Date            Responsible Party   Action
    October 2008    ITAC/CIO            Created
    October 2009    ITAC/CIO            Reaffirmed
    October 2010    ITAC/CIO            Reaffirmed
    October 2011    ITAC/CIO            Reaffirmed
    October 2012    ITAC/CIO            Reaffirmed
    December 2012   IT Policy Office    Minor rewording for clarity
                                        Link updated; departmental name update; numbering revision
    December 2016   IT Policy Office    Minor rewording for clarity
    December 2019   IT Policy Office    Minor rewording for clarity
    October 2021    CISO                Minor edits for clarification
