What is a Security Breach?

A security breach occurs when sensitive data from the University is exposed to the incorrect person or persons. Sometimes this is done intentionally by someone trying to access the data to commit identity theft or fraud, but sometimes it occurs when an application malfunctions and the data is exposed unintentionally to other users of the application.

Sensitive data is defined by our Office of Campus Information Security as:

Institutional data that could, by itself or in combination with other such data, be used for identity theft, fraud or other crimes, including but not limited to: social security numbers, driver's license number, educational records, medical records, etc.

The full definition can be found in the CIO's Sensitive Information Definition document.

How to Identify a Potential Security Breach

Customers may not use the words "security breach" when reporting a potential security breach. Here are some examples of how a customer may report a security breach:

• "My laptop has been stolen"
• "I see someone else's data when I log into My Webspace"
• "Student records have been publicly available for the last 24 hours on my server"

To determine whether or not these situations are potentially data breaches, you'll want to find out if any sensitive data has potentially been exposed to an unintended audience. It is not your job to prove that a security breach has occurred; rather, it is your job to determine if one MAY HAVE occurred. If a security breach may have occurred, use Possible Sensitive Information Security Breach Handling Information to gather information and forward to HDQA. Let HDQA know immediately of the breach so that they can start working proactively to contact SNCC.

A note on stolen electronic devices: Stolen electronic devices can include desktops, laptops, tablets, smart phones, or any other electronic devices that stores data. Stolen electronic devices fall into the category of security breach when they contain university-related sensitive data. This means, devices with university business data (pay, social security, etc.), research data, or other sensitive data to the University. A personal laptop with no sensitive data of the university is not a security breach.

Individuals who have a device stolen with personal data only on it should contact campus security or Madison police.

Talking Points

Speak calmly and be sensitive that this is a potentially embarrassing or upsetting situation for the person you are speaking with. Sympathize—what if this happened to you? What would you want to have happen or hear? How would you talk to a family member if they came to you for help resolving a situation of this nature?

Reporting a Potential Security Breach

Customers should call the Help Desk with full details about the potential security breach.

• If they are reporting a potential breach, use Possible Sensitive Information Security Breach Handling Information to forward the case to HDQA.
• If they are not reporting a potential security breach (e.g. virus, spam, etc.), exhaust all troubleshooting options. If troubleshooting does not work, fill out the appropriate handling information (Virus or Malware Handling Information, Microsoft 365 Handling Information, etc.) and escalate to HDQA.