Here is the process by which we at UCSC handled "breaches, hacks or
other unauthorized access to computing systems with unencrypted personal
identity information."
p. 16 has a nice flowchart. Think of the VPIT as CIO.
http://iam.ucsc.edu/IP-Staff/PII/UCSC_Breach_Guideline.pdf
the whole website is at:
http://iam.ucsc.edu/IP-Staff/PII/Breach_Notice.htm
Please note that the law does not require you to give notice until after the
breach is closed.
Even if 48 hours passes and you still haven't closed the breach, or
discovered the "hole" in the paper process, you don't broadcast notice.
You need to close the breach or resolve the process failure first then
you can (with the police's ok) notify. This
It may take some institutions more than 48 hours after discovering the
breach to close the hole. You don't have to tell the world that you are
under attack until the attack is repulsed.
Chuck Piotrowski
CVPS
Records Manager
(802)747-5447
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance