PROCEDURE FOR BREACH OF COMPUTERIZED PERSONAL INFORMATION
Notice of a breach of information security will be provided to the individual whose restricted personal information has been acquired by an unauthorized person.
Once it has been determined that a security breach has occurred, the following steps will be taken by the designated employee:
1. If the breach involved computerized data owned or licensed by the district, the district will directly notify those residents whose private information was or is reasonably believed to have been acquired by a person without valid authorization.
2. If the breach involved computer data maintained by the district, the district directly will notify the owner or licensee of the information of the breach immediately following discovery, if the private information was or is reasonably believed to have been acquired by a person without valid authorization.
3. The disclosure to affected individuals will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. Notification should be provided within three (3) working days of discovery of the breach, when possible, but not later than thirty (30) working days.
4. The required notification will include:
a. District contact information.
b. Description of the categories of information that were or are reasonably believed to have been acquired without authorization.
c. Which specific elements of personal or private information were or are reasonably believed to have been acquired.
5. The notification requirement may be delayed if a law enforcement agency determines that such notification will impede a criminal investigation. The required notification will then be made after the law enforcement agency determines that such notification does not compromise the investigation.
The district will provide notice by at least one (1) of the following methods:
1. Written notice to last known home address for the individual.
2. Telephone notice if the individual can be reasonably expected to receive the notice and the notice is given in a clear and conspicuous manner; describes the incident in general terms; verifies the personal information but does not require the individual to provide personal information; and provides a telephone number to call or Internet website to visit for further information or assistance.
3. Email notice, if a prior business relationship exists and the school district has a valid email address for the individual.
4. Substitute notice if the district determines that the cost of individual notice will be excessive (the district should set a maximum level in writing, such as the level provided for notification through risk coverage), or the district does not have sufficient contact information. Substitute notice shall consist of an email notice, conspicuous posting of the notice on the district's website, and notification to major statewide media.
