Notification of Security Incidents

Notification of Security Incidents

#Why is this Important
#Reference
#Overview
#Criticality
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
Many institutions of higher education have state notification laws that they must follow if any confidential information regarding its constituents is impermissibly disclosed to third parties or otherwise made available to third parties through a data breach. In many instances the institution's duty to notify its constituents cannot be alleviated by contracting with a third party. This type of provision requires a contracting third party to notify the institution in the event of some sort of breach or disclosure and otherwise coordinate notification procedures.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b)(4); (j); (p)

Overview:
Note that this type of provision may vary due to various state laws regarding security breach investigations and notifications. Institutions of higher education must still manage incidents involving the institution's data, regardless of where that data is hosted.

Criticality: Category 1, Category 2, and Category 3 (State notification laws bring Category 1 into play).

Sample RFP Language:

  1. Describe what procedures the Proposer has in place to isolate or disable all systems that would interact with the service proposed in case a security breach should be identified? Including any systems that would hold, process, or from which Institution data may be accessed.
  2. What procedures, methodology, and timetables does the Proposer have in place to detect information security breaches and notify Institution, and customers? [Include definition of security breach if it has not been defined in the RFP Definitions section already.]
  3. Describe the procedures and methodology in place to detect information security breaches and notify customers in a manner that meets the requirements of the state breach notification law.

#Top

Sample Contract Clauses:

  1. The [Vendor] agrees to notify the University when any [Vendor] system that may access, process, or store Institution data is subject to unintended access. Unintended access includes compromise by a computer worm, search engine web crawler, password compromise or access by an individual or automated program due to a failure to secure a system or adhere to established security procedures. [Vendor] further agrees to notify the Institution within twenty-four (24) hours of the discovery of the unintended access by providing notice via email to [email address, typically security office or CIO].
  2. [Vendor] agrees to notify the Institution of within XX minutes/hours if there is a threat to [Vendor]'s product as it pertains to the use, disclosure, and security of the Institution's data.
  3. If an unauthorized use or disclosure of any Sensitive Data occurs, [Vendor] must provide: Written notice within one (1) business day after [Vendor]'s discovery of such use or disclosure and all information Institution requests concerning such unauthorized use or disclosure.
  4. [Vendor], within one day of discovery, shall report to Institution any use or disclosure of [term for sensitive data] not authorized by this Addendum or in writing by Institution. [Vendor]'s report shall identify: ( i) the nature of the unauthorized use or disclosure, (ii) the [term for sensitive data] used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what [Vendor] has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action [Vendor] has taken or shall take to prevent future similar unauthorized use or disclosure. [Vendor] shall provide such other information, including a written report, as reasonably requested by Institution.
  5. [Vendor] shall report, either orally or in writing, to Institution any use or disclosure of Covered Data not authorized by this Agreement or in writing by Institution, including any reasonable belief that an unauthorized individual has accessed Covered Data. [Vendor] shall make the report to Institution immediately upon discovery of the unauthorized disclosure, but in no event more than two (2) business days after [Vendor] reasonably believes there has been such unauthorized use or disclosure. [Vendor]'s report shall identify: ( i) the nature of the unauthorized use or disclosure, (ii) the Institution Covered Data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what [Vendor] has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action [Vendor] has taken or shall take to prevent future similar unauthorized use or disclosure. [Vendor] shall provide such other information, including a written report, as reasonably requested by Institution.
  6. [Vendor] agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of [Vendor]'s security obligations or other event requiring notification under applicable law ("Notification Event"), [Vendor] agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify, hold harmless and defend the Institution and its trustees, officers, and employees from and against any claims, damages, or other harm related to such Notification Event.

#Top

common security items


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).