Guidelines for Responding to Information Security Breaches

This guidance document outlines the general procedures to be followed once a report of an actual or suspected data breach has been received at Washington and Lee University. The specific course of action may differ based on the circumstances of a particular breach.

The General Process

A. Initial Notifications

1. As further detailed in the university's Guidelines for Reporting Information Security Breaches, anyone with information regarding an actual or suspected data breach should contact:

i. the university's Information Security Program Coordinator ("Coordinator"), if the breach involves printed information; OR
ii. the university's Information Security Officer ("ISO"), if the breach involves electronic information or loss/theft of an electronic device.

2. Upon receiving a report of an actual or suspected data breach, the Coordinator and/or the ISO should contact the Office of General Counsel ("OGC") for legal advice. The OGC will:

i. Provide advice with respect to data breach notification requirements under Federal and/or Virginia law; and
ii. Evaluate the applicability of other laws, regulations, and/or contractual obligations triggered by the breach, and provide such information and advice to the Information Security Program Committee ("Committee"), as needed.

B. Incident Investigation

After initial consultation with the OGC, the university will investigate the circumstances giving rise to the breach, as well as the scope of the breach.

1. If the breach involves printed information, the Coordinator will initiate and coordinate the investigation.
2. If the breach involves electronically-stored information, the ISO will convene the university's ITS Incident Response Team ("IRT") to investigate and conduct computer forensics (in accordance with the Incident Response Procedures contained in the ITS Security Plan) as necessary.
3. In general, the investigation will seek to establish the following information:

i. The scope of the breach;
ii. The nature of the breach;
iii. Whether the breach remains ongoing or has ceased;
iv. Whether there is evidence, or reason to believe, that the breached data:

a. Was accessed or acquired by an unauthorized person; and/or
b. Will be used to cause identity theft or other fraud.

4. If the breach is ongoing, initial efforts will be focused on stopping the breach.
5. University Public Safety, local law enforcement, and/or 3rd-party computer forensics experts may be brought into the investigation as appropriate. Such a decision will be made by the Coordinator or the IRO, as appropriate, in consultation with the Provost and the OGC.

C. Determining the Appropriate Response

1. During the course of the investigation, the Coordinator (and/or ISO) may inform appropriate members of the Committee as needed (and in consultation with the OGC, in order to preserve any applicable attorney-client privilege).
2. In consultation with OGC (and the ISO, if the breach involves electronic information or the loss/theft of an electronic device), the Coordinator will provide a recommended course of action to the Provost or designee. To assist in developing an informed recommendation, the Coordinator may convene a meeting of the Committee. The recommendation will include, as appropriate:

i. Responsive action to be taken by the university, including whether to:

a. Notify individuals confirmed by the investigation to have been affected. (In accordance with Virginia law, any required notice to Virginia residents will be made without unreasonable delay.);
b. Notify individuals who may have been affected (but whom the investigation has not confirmed as affected);
c. Provide a general information release to the campus community, news media, etc. and, if so, the suggested content of such an information release;
d. Notify law enforcement officials; and/or
e. Provide credit monitoring services to individuals affected by the breach.

ii. A proposed timeline for taking any recommended action(s).

3. The recommendation will be provided to the Provost or designee, who will then determine the appropriate response and the timeline for implementing that response (if any).

D. Deterring Future Incidents

After the incident has been resolved, whether at a specially-called meeting or at its next regularly-scheduled meeting, the Committee will review the incident investigation, response, and resolution and may provide recommendations to the Provost on how similar breaches might be avoided, minimized, or handled differently in the future.

For more information on the policies that relate to information security at W&L, see the Information Security Program.

Last updated: September 25, 2013