Data Security Incident Reporting Policy
Columbia College is committed to protecting personal information from unauthorized disclosure and to taking reasonable steps to limit potential harm arising from the unauthorized access, acquisition, use or disclosure of personal information. The College is also committed to complying with applicable state, federal and other privacy and data security laws and regulations. The purpose of this policy is to set forth the steps individuals are expected to take in response to obtaining knowledge of a potential data or security breach or incident.
The reporting expectations and responsibilities set forth in this policy apply to all members of the College community, including but not limited to College students, faculty, staff, third parties, vendors, and visitors.
For purposes of this policy, the term “potential data or security breach or incident” is interpreted as broadly as possible and includes but is not limited to potential unauthorized access to, acquisition, use, or disclosure of data or information maintained by the College, or exposure of personal or private information or data, regardless of the format or medium.
Members of the College community (defined above) are expected to immediately report a potential data or security breach or incident to the College’s Chief Information Officer and General Counsel. Reports can be made to the Office of the General Counsel via email at firstname.lastname@example.org or via phone at 573-875-7722 and to the Office of the Chief Information Officer via email at email@example.com or via phone at 573-875-7353.
Members of the College community (defined above) are not expected to, and shall not, undertake an individual assessment, investigation, or analysis into the nature of the potential data or security breach or incident, but should instead make an immediate report to the College’s Chief Information Officer and General Counsel.
Individuals reporting a potential data or security breach or incident shall provide as much detail as possible regarding the circumstances under which the potential event took place and their knowledge of the same. This includes but is not limited to: the individual’s contact information, the department(s) involved, a brief description of what happened, the dates and times of potential incidents, a general description of the type of information at issue, other parties involved, and any additional relevant information.
The Chief Information Officer and General Counsel will review each report and will coordinate the College’s appropriate response to and investigation of each report. Based on information obtained, the College may be subject to certain affirmative legal obligations to investigate the situation and to notify employees, consumers, students, regulators and/or business partners within certain timeframes, and could face negative actions for failing to do so and to respond appropriately.
The General Counsel shall determine what, if any, actions the College is required to take to comply with applicable law, including whether any notification is required under state or federal law. The General Counsel shall work with other administrators as appropriate to ensure that any notifications and other legally required responses are made in a timely manner.
The College has the right to monitor network traffic, to perform random audits, and to take other steps to ensure the integrity and security of its information and compliance with this policy and applicable laws, rules and regulations. Violations of this policy or failure to report a potential data or security breach or incident may lead to disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks, or termination or dismissal from the College.
Questions about this policy or data security should be directed to the College’s Chief Information Officer and General Counsel.