Information Security Breach Response Procedure

Information Security Breaches are defined in Policy 8.  They may involve any kind of record, paper or electronic, and include the loss or theft of portable electronic media such as laptops or USB flash drives.

Audience

This procedure is to be used by Information Custodians, as defined in Policy 8.

Purpose

The purpose of this procedure is to ensure that all Information Security Breaches at UW are handled in a consistent manner with the following objectives:

  • To ensure UW complies with applicable legislation and regulatory guidelines.
  • To identify the cause of the breach and implement measures to prevent further incidents of a similar nature.

Procedure

Information Custodians must report Information Security Breaches to the Privacy Officer for all Information Security Classifications, as defined in Policy 8, except public, as soon as they become aware of them.

Information Custodians must:

  1. Contact the Privacy Officer (fippa@uwaterloo.ca or ext. 33183) and provide the following information:
       • the nature of the breach;
       • the information that was exposed;
       • to whom it was exposed; and
       • for how long it was exposed.

The Privacy Officer will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required, the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will liaise with the IPC. You will be required to provide more information regarding the breach, how it happened, and what is being done to address it at this time.

  2. Where an Information Security Breach involves electronic information or portable electronic media, advise the Information Security Officer (abuse@uwaterloo.ca or ext. 38393) and follow the Security Incident Response Procedure; and
  3. Where an Information Security Breach involves electronic commerce, advise the Manager, Accounts Receivable, Finance (phancock@uwaterloo.ca or ext. 36618); and
  4. Where an Information Security Breach involves Public Works and Government Services Canada contracts or other contracts governed by regulations of the Canadian and International Security Directorate, or controlled goods and technology or technical data as defined by the relevant regulations to the Defence Production Act, advise Mike Szarka, Director Research Partnerships, Office of Research (mszarka@uwaterloo.ca or 33948) or Dave Gerencser, Director UW Police (dgerencser@uwaterloo.ca or ext. 32828); and
  5. Report all breaches involving the unintended exposure of information to the Information Steward, as defined in Policy 8.