I. Executive Summary and Purpose
In accordance with the North Carolina Identity Theft Protection Act of 2005, N.C. Gen. Stat. § 75-60 et seq. (the "Act"), as applied by N.C. Gen. Stat. § 132-1.10(c1), The University of North Carolina at Charlotte is required to notify persons whose personal information has or may have been compromised by a breach of the University’s security. This procedure sets forth the circumstances and procedures under which such notification will be made.
A. "Personal Information" is defined by the Act to mean a person’s first name or first initial and last name in combination with any of the following items:
Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address and telephone number, and does not include information made lawfully available to the general public from Federal, State or local government records.
B. "Security Breach" is defined by the Act as an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.
Good faith acquisition of personal information by an employee or agent of the University for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the University and is not subject to further unauthorized disclosure.
III. Procedures in the Event of a Security Breach
As soon as a breach has been identified, the employee who discovered it must take immediate steps to report the breach to his or her supervisor. The supervisor must take immediate action to determine the extent and category of the breach and to take such further action as is necessary to contain the breach or recover the missing data. Assistance from Information and Technology Services, UNC Charlotte Police and Public Safety or any other University unit with relevant expertise should be requested as soon as possible. For example, if the potential or actual breach involves electronically stored information, the Information and Technology Services Security Officer should be immediately notified. If the potential or actual breach involves loss or theft of University-owned equipment or other criminal activity, UNC Charlotte Police and Public Safety should be immediately notified. In all cases of a breach, the Office of Legal Affairs should be notified as soon as practicable.
B. Notification to Victims
The University shall notify affected individuals without unreasonable delay upon discovery of a Category I or II breach. Notification shall be delayed, however, if a law enforcement agency informs the University that disclosure of the breach would impede a criminal investigation or jeopardize national or homeland security. A request for delayed notification must be made in writing or documented contemporaneously by the University in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The required notification shall be provided without unreasonable delay after the law enforcement agency communicates to the University its determination that notification will no longer impede the investigation or jeopardize national or homeland security.
The responsibility for providing notification shall lie with the supervisor of the department or administrative unit that has primary authority for the data. If the breach involves data from more than one department or administrative unit, or if primary authority for the data cannot be determined, the responsibility for notification shall lie with the Office of the Chancellor. The Office of Legal Affairs will review the proposed notification before it is sent and will assist in drafting as required. A copy of the notification will also be provided to the Vice Chancellor for University Advancement prior to the time it is posted or sent to affected individuals.
a. The incident in general terms.
b. The type of personal information that was subject to the unauthorized access and acquisition.
c. The actions taken by the University to protect the personal information from further unauthorized access. However, the description of those actions may be general so as not to further increase the risk or severity of the breach.
d. A telephone number that the person may call for further information and assistance.
e. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
a. The cost of providing the notification exceeds $250,000;
b. The University does not have the necessary contact information to notify an individual in any of the aforementioned manners; or
c. The University is not able to identify particular affected individuals.
Responsible Office: Business Affairs