Purpose

The goal of this procedure is to establish the communication and notification process associated with loss of personal identifying information as described in the definition section.

Scope

This SOP equally applies to all individuals that have, or may require, access to the University’s data.

Prerequisites

Personal identifying information loss must be reported to the Information Security Office before proceeding with the steps outlined in the procedure section.

Responsibilities

Responsible parties may vary from incident to incident and may include the following:

• Information Security Office (956) 316-7124
• University Relations (956) 381-2741
• Office of the President (956) 381-2100
• Office of the VP for Information Technology (956) 381-2014
• Office of the Provost (956) 381-2111
• Office of the Registrar (956) 381-2209
• Office of the VP for Business Affairs (956) 381-2121
• Office of the VP for Community Engagement (956) 381-3361
• Office of the VP for Enrollment and Student Services (956) 381-2147
• Office of the VP for University Advancement (956) 381-3361

Procedure

1. Initial Notification
   1. The Chief Information Security Officer (CISO), or other designated Information security staff, reports the data loss incident to the Vice President for IT or designee.
   2. The Vice President for IT contacts the Chief Administrative Officer and the Vice President responsible for the individual that has reported the loss of sensitive data.
   3. UTPA’s CISO, or designee, contacts the U.T. System CISO and reports on the details of the data loss. Additional advice is requested for the specific scenario. Recommendations are provided to responsible parties.
2. Notification to affected individuals:
   1. Notification letters are drafted by the department head or the Vice President's Office responsible for the individual that reported the data loss in conjunction with University Relations.
   2. The University Relations Office consults with Information Security Office for content accuracy.
   3. The University Relations Office consults with the U.T. System Public Relations office who forwards the notification letters to the Office of General Counsel for review and additional modifications.
   4. Final draft is provided to the President's Office and the Information Security Office for submission to the appropriate division or department head.
   5. Department head and/or Vice President responsible for the individual that has reported the data loss, submits notifications to affected individuals employing the services of the U.S. postal services.
   6. Human Resources or the Registrars office assists in providing mailing addresses for the affected individuals.
3. Contact with the media:
   1. At the discretion of the President's Office, the University Relations Office may release a statement and/or grant interviews to the Department head and/or VP responsible for the individual that has reported the loss.
4. External reporting requirements:
   1. The CISO, or designee, reports the incident to the Texas Department of Information Resources.
   2. The CISO, or designee, records the details of the event using the U.T. System incident report tool.

References

UTS 165 http://www.utsystem.edu/policy/policies/uts165.html

Definitions

Data: Recorded data, regardless of form or media in which it may be recorded, which constitute the original data necessary to support UTPA’s business or original observations and methods of a study and the analyses of such original data that are necessary to support Research activities and validate Research findings.  Data may include but is not limited to: printed records, observations and notes; electronic data; video and audio records, photographs and negatives, etc.

Personal Identifying Information:  Information that alone or in conjunction with other information identifies an individual, including an individual’s name, social security number, date of birth, or government-issued identification number; mother ’s maiden name; unique biometric data, including the individual ’s fingerprint, voice print, and retina or iris image; unique electronic identification number, address, or routing code; and telecommunication access device.