Breach of Information Notification Policy
Exceptions
There are no exceptions to this policy.
Frequently Asked Questions
Anytime sensitive, personal information is potentially exposed to an unauthorized individual it is considered a suspected breach. The Information Security Office will investigate to determine if a breach occurred.
For example if you handle sensitive, personal information and your computer is found to contain malware, this would be considered a suspected breach. A forensic investigation would reveal whether someone other than the user of the computer had accessed the information. If so, a breach response would be initiated.
Another somewhat common occurrence is a lost or stolen unencrypted flash drive containing an instructor’s grades. In this case, since it is impossible to determine if the information has been accessed, a breach response would be initiated and those possibly impacted notified.
The policy applies to all sensitive, personal information irrespective of the manner in which it is stored. Paper documents containing protected information are also subject to this policy.
The first person to discover that information could have potentially been breached should notify the university by submitting the Cybersecurity incident form. That individual should also notify his or her supervisor that they have reported a suspected breach.
All reports regarding suspected breaches should be made through the Cybersecurity incident form. The report will be handled through the Information Security Office.
If a suspected breach is reported in person, the person will be directed to submit the report via email.
If an employee intentionally neglects to report a suspected breach, the employee would be subject to the existing university procedures for handling personnel matters.
All UNLV breach notifications that require a full breach response will be available on the Breach Information website. The notifications will be available for 60 days. For more information on what constitutes a full breach response, see the UNLV Breach of Information Procedures.
Anytime sensitive, personal information is potentially exposed to an unauthorized individual it is considered a suspected breach. The Information Security Office will investigate to determine if a breach occurred.
For example if you handle sensitive, personal information and your computer is found to contain malware, this would be considered a suspected breach. A forensic investigation would reveal whether someone other than the user of the computer had accessed the information. If so, a breach response would be initiated.
Another somewhat common occurrence is a lost or stolen unencrypted flash drive containing an instructor’s grades. In this case, since it is impossible to determine if the information has been accessed, a breach response would be initiated and those possibly impacted notified.
The policy applies to all sensitive, personal information irrespective of the manner in which it is stored. Paper documents containing protected information are also subject to this policy.
The first person to discover that information could have potentially been breached should notify the university by submitting the Cybersecurity incident form. That individual should also notify his or her supervisor that they have reported a suspected breach.
All reports regarding suspected breaches should be made through the Cybersecurity incident form. The report will be handled through the Information Security Office.
If a suspected breach is reported in person, the person will be directed to submit the report via email.
If an employee intentionally neglects to report a suspected breach, the employee would be subject to the existing university procedures for handling personnel matters.
All UNLV breach notifications that require a full breach response will be available on the Breach Information website. The notifications will be available for 60 days. For more information on what constitutes a full breach response, see the UNLV Breach of Information Procedures.