Information Security Breach Response Procedure

Information Security Breaches are defined in Policy 46. They may involve any kind of record, paper or electronic, and include the loss or theft of portable electronic media such as laptops or USB flash drives.

Audience

This procedure is to be used by Information Custodians, as defined in Policy 46.

Purpose

The purpose of this procedure is to ensure that all Information Security Breaches at UW are handled in a consistent manner with the following objectives:

  • To ensure UW complies with applicable legislation and regulatory guidelines.
  • To identify the cause of the breach and implement measures to prevent further incidents of a similar nature.

Procedure

1. Information Security Breaches. Information Custodians must report Information Security Breaches to the Privacy Officer for all Information Security Classifications, as defined in Policy 46, without undue delay and, where feasible, not later than 72 hours after having become aware of it. 

Information Custodians must contact the Privacy Officer (fippa@uwaterloo.ca or ext. 36101) and provide the following information:

  • the nature of the breach;
  • the information that was exposed and approximate number of individuals and records concerned; 
  • to whom it was exposed; 
  • for how long it was exposed;
  • likely consequences of the breach;
  • measures taken or proposed to contain the breach; and
  • the reason for delay for any report not made within 72 hours.

Using the Privacy Breaches: Guidelines for Public Sector Organizations as a guide, the Information Custodian will work with the Privacy Officer to respond to and contain the breach. As part of this, the Privacy Officer will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required (i.e., where a breach is likely to result in high risk to the rights and freedoms of an individual), the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will liaise with the IPC. You will be required to provide more information regarding the breach, how it happened, and what is being done to address it at this time.

  1. Health Information. Where an Information Security Breach involves personal health information, immediately advise the Privacy Officer (fippa@uwaterloo.ca or ext. 36101) and follow Responding to a Health Privacy Breach: Guidelines for the Health Sector.
  2. Electronic Information/Portable Electronic Media. Where an Information Security Breach involves electronic information or portable electronic media, advise the Information Security Officer (abuse@uwaterloo.ca or ext. 41125) and follow the Security Incident Response Procedure; and
  3. Electronic Commerce. Where an Information Security Breach involves electronic commerce, advise the Manager, Accounts Receivable, Finance (phancock@uwaterloo.ca or ext. 36618); and
  4. Public Works & Contracts. Where an Information Security Breach involves Public Works and Government Services Canada contracts or other contracts governed by regulations of the Canadian and International Security Directorate, or controlled goods and technology or technical data as defined by the relevant regulations to the Defence Production Act, advise Mike Szarka, Director Research Partnerships, Office of Research (mszarka@uwaterloo.ca or ext. 33948) or Alan Binns, Director UW Police (ambinns@uwaterloo.ca or ext. 32828).