Policy

Overview

An information technology (IT) security incident is an actual or suspected event that may adversely impact the confidentiality, integrity, or availability of an IT resource used by New York University (NYU) or any information processed, stored, or transmitted by those resources. IT resources include individual computers, servers, storage devices, and media, and mobile devices, as well as the information stored on them (see also, Data and Systems Security Policy). Prompt detection and appropriate handling of these security incidents are necessary to protect information assets critical to the University’s mission, preserve personal data privacy and confidentiality, and facilitate compliance with applicable laws and regulations.

Scope

This Policy applies to all University Information and IT resources owned or operated by or on the University's behalf. The entire NYU community (faculty, staff, students, contractors/consultants, alumni, vendors, and guests) who access these assets must adhere to this Policy.

Purpose

The IT Security Information Breach Notification Policy defines the minimum requirements and responsibilities for reporting security incidents to minimize the negative impact on the confidentiality, integrity, and availability of University Information Resources and University Information and systems.

Policy Statement

This Policy requires all individuals with access to NYU IT Resources and Information to immediately report any suspected or actual security incidents to the Global Office of Information Security.

In addition, the Policy requires maintenance of a process to help identify and act on security incidents quickly and effectively, including:

  • handling of such incidents by authorized personnel to allow for proper and complete investigation;
  • cooperation with those charged with investigating security incidents to help identify required actions;
  • engagement of the relevant and appropriate levels of University management to foster a coordinated determination of the response actions;
  • documentation of security incidents for recordkeeping;
  • an assessment on the impact of security incidents to help identify and take measures that will prevent recurrence or mitigate harm;
  • availability of records for internal and external reviews;
  • timely notice and communication as required to external bodies and affected individuals;
  • compliance with any state, federal or international laws governing security incident and data breach events;
  • expeditious handling of security incidents to facilitate the restoring of normal operations;
  • review of security incidents for any patterns and areas of risk to help improve incident handling policies and procedures;
  • periodic testing of the information security handling process to measure efficacy; and
  • delivery of awareness and training on security incident reporting and handling periodically to maintain, enhance, or reinforce understanding of these measures.
The IT Security Incident Response Plan (“the Plan”) supplements the Policy with an outline of the process for handling security incidents considering these principles. The Plan also establishes responsibility and accountability for all steps involved. Read together, the Policy and Plan are designed to minimize the adverse impact of security incidents on NYU’s operations and reduce the risk of loss to members of the University and the public. In addition, GOIS develops and maintains SOPs that supplement this document for handling of specific incident types, including ransomware.

Any questions about this Policy or Plan should be directed to the Global Privacy and Data Strategy Office (GPDS): privacy@nyu.edu 

A. Introduction

The purpose of the IT Security Information Breach Notification Plan (IT Breach Plan or the Plan) is to supplement the Policy with general guidance to the University community to enable quick and efficient recovery from security incidents; respond systematically to incidents and carry out the steps necessary to handle an incident; and minimize disruption to critical computing services or loss or theft of sensitive or mission critical information. The sections below describe: 1) who to notify upon discovery of an incident; 2) procedures for handling and recovering from an incident in a manner appropriate to the type of security incident; and 3) how to establish a reporting format and evidence retention procedure. This document provides an overview of the process. Any questions about this Plan should be directed to the Global Privacy and Data Strategy Office (GPDS): privacy@nyu.edu.

This Plan also applies to breaches concerning all NYU's Health Insurance Portability and Accountability Act (HIPAA) Covered Components and Support Components, and to NYU's Business Associates included under HIPAA. HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations (e.g., the Omnibus Rule) expand the privacy and security aspects of HIPAA. The NYU Grossman School of Medicine follows HIPAA-related policies and procedures created specifically for its environment; NYU Grossman School of Medicine compliance with HIPAA is coordinated through Langone Medical Center.

One of the most significant HIPAA expansions is the requirement that Covered Entities (i.e., the individual NYU Covered Components or Support Components) notify individuals when there is a Breach of unsecured PHI. In addition, Business Associates and their subcontractors are directly liable for compliance and must prove their efforts to prevent Breaches. The Breach notification obligation also requires that Covered Entities provide notice of the Breach to the Secretary of the Department of Health and Human Services ("Secretary" and "HHS"), and in some instances, to the media. This document complements the Breach notification information included within the HIPAA Privacy Policies of the NYU College of Dentistry and the HIPAA Privacy Policies of the NYU Student Health Center. It sets forth NYU's process for determining if a Breach of protected health information (PHI) or electronic protected health information (EPHI) has occurred and sets forth the procedures for making the appropriate notifications. Definitions concerning PHI/EPHI potential Breaches are specified in Appendix B. See also the Electronic Data and System Risk Classification Policy for further guidance.

The NYU Abu Dhabi healthcare component, Student Health Center, is subject to regulations set forth by The Department of Health (DOH) in the Emirate of Abu Dhabi. As an NYU portal campus, NYU Abu Dhabi must abide by this IT Security Information Breach Notification Policy and Plan. See Appendix E: Abu Dhabi Breach Notification for further information.

In the event of a Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, GDPR Data (“GDPR Breach”), NYU is legally required to assess the risks to data subjects and may be required to notify data protection authorities and affected data subjects.

"GDPR Data" includes any personal information that is transmitted, stored, or otherwise processed by NYU relating to an identified or identifiable natural person that is subject to the European Union (EU) General Data Protection Regulation (“GDPR”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. For further guidance as to which personal information is subject to the GDPR, please consult with NYU’s GDPR Data Protection Officer (the “DPO”).

To comply with the requirements of the GDPR, all of the steps outlined in this Plan occur within seventy-two (72) hours of the first point at which an incident is discovered. In all cases, regardless of jurisdiction, the process must be completed as expeditiously as is reasonably feasible.

In the United States, state legislatures increasingly have imposed significant privacy-security obligations, especially regarding computerized data. Although the particulars (e.g., type, timing, and target) vary from state to state, all 50 states and the District of Columbia require disclosure of a breach. For more information about the New York breach reporting law, see Appendix D. In the event of a potential breach, the Office of General Counsel must be consulted to determine whether the data breach reporting laws of any other states may be implicated.

B. Overview of Workflow

When a security incident is detected or reported, key first steps are to (1) contain the incident, (2) initiate an investigation of its scope and origins, and (3) decide if it qualifies as a Breach.

If High Risk Data (including PHI/EPHI) or GDPR Data is present on the compromised system, the Critical Incident Response (CIR) is followed.  

C. Overview of Roles

  1. Incident Handler: This role is filled by IT security staff from NYU IT GOIS.
  2. System Administrator: This role is filled by the technical staff responsible for deploying and maintaining the system at risk. Also referred to as a "first responder" in the context of this process.
  3. System Owner: This role is filled by the staff member or management member responsible for the business function performed by the system. The System Owner is not necessarily the person who paid for the system, but rather the person who has control over it.
  4. Network Operations: This role is filled by the technical staff responsible for network infrastructure at the site housing the system at risk. At Washington Square, this is NYU IT Networking Services.
  5. HIPAA Privacy Officer and HIPAA EPHI Security Officer: Designated individuals fill these roles at each HIPAA Covered Component. At the University level, the Associate Vice President for Strategic Initiatives is the HIPAA Privacy Officer, and the Vice President, Information Technology and Global University Chief Information Officer is the HIPAA EPHI Security Officer.
  6. PCI Compliance Manager: This role is filled by the person responsible for overseeing NYU's PCI compliance program.
  7. DPO: This role is filled by NYU's GDPR Data Protection Officer, who may be assisted by designated Data Protection Officers at each of NYU’s Global Sites in the EU.   

D. Identification

The identification phase of incident response has as its goal the discovery of potential security incidents and the assembly of an incident response team that can effectively contain and mitigate the incident:

  1. Identify a potential incident. The incident handler may do so through monitoring of security sensors. System owners or system administrators may do so by observing suspicious system behavior. Any member of the University community may identify (i.e., detect) a potential security incident through an external complaint/notification, or other knowledge of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, High Risk Data or GDPR Data.
  2. Notify: Members of the University community that suspect an IT system or paper-based files have been subject to accidental or unlawful destruction, loss, or alteration, or unauthorized disclosure or access, must immediately report the situation to privacy@nyu.edu. Once the incident handler is aware of a potential incident, s/he will alert local system administrators. If an incident is discovered by a member of the Covered Component or Support Component or by a Business Associate, the person should notify GOIS and the relevant Covered Component's or Support Component's HIPAA EPHI Security Officer and HIPAA Privacy Officer immediately, and follow GOIS' instructions on how to proceed. No one should interact with the system, unless approved by GOIS.
  3. Quarantine: The incident handler will quarantine compromised hosts at the time of notification unless they are on the Quarantine Whitelist. If they are on the Quarantine Whitelist, the incident handler will promptly reach out to the system administrator or system owner to create a plan to contain the incident. Note that the incident handler may notify on suspicious behavior when s/he is not confident of a compromise; in these cases, they do not quarantine the host immediately, but wait 24-48 hours and quarantine only if the registered contact is unresponsive.  

E. Verification

This phase also precedes CIR, and has the primary goal of confirming that the compromise is genuine and presents sufficient risk to engage the CIR process:

  1. Classify: The CIR must be initiated if...
    1. The system owner or system administrator indicates that the system is a High Criticality System according to the Electronic Data and System Risk Classification Policy.
    2. or the system owner or system administrator asserts that the system contains High Risk Data as defined by the Electronic Data and System Risk Classification Policy, or GDPR Data, including PHI/EPHI.
    3. or someone of appropriate authority (for example, an NYU IT Associate Vice President or higher) with input from a cognizant NYU school or administrative officer determines that the system poses a unique risk that warrants investigation.
  2. Verify: The CIR process should be initiated only if...
    1. The incident handler verifies that the triggering alert is not a false positive. The incident handler will double-check the triggering alert, and correlate it against other alerting systems when possible.
    2. and the type of data or system at risk is verified to be of an appropriate classification, as determined above. The system owner or system administrator should provide a detailed description of the data at risk, including the approximate number of unique data elements at risk, and the number, location, and type of files it is stored in.

The order of the steps above can vary from incident to incident, but for the CIR process to be initiated the criticality of the asset must be confirmed, and it must be confirmed that the triggering event is not a false positive. In cases where the CIR process is not required, the incident handler can resolve the case as follows:

  1. Obtain a written (email in the GOIS ticketing system ServiceLink is acceptable and preferred) statement from the system owner or system administrator documenting that the system has no High Risk Data or GDPR Data and is not a high-criticality asset.
  2. Obtain a written statement from the system owner or system administrator that the system has been reinstalled or otherwise effectively remediated before the quarantine is lifted.
  3. Obtain a written statement that the access point has been disabled for incidents involving an unauthorized wireless access point.    

F. Containment

The containment phase represents the beginning of the CIR workflow and has the following goals:

  1. If the host cannot immediately be removed from the network, the incident handler will initiate a full-content network dump to monitor the attacker's activities and to determine whether interesting data is leaking during the investigation.
  2. Eliminate attacker access: Whenever possible, this is done via the incident handler performing network quarantine at the time of detection and by the system administrator unplugging the network cable. In rare cases, the incident handler may request that network operations staff implement a port-block to eliminate attacker access. In cases where the impact of system downtime is very high, the incident handler will work with system administrators to determine the level of attacker privilege and eliminate their access safely.
  3. The incident handler will collect data from system administrators to quickly assess the scope of the incident, including:
    1. Preliminary list of compromised systems
    2. Preliminary list of storage media that may contain evidence
    3. Preliminary attack timeline based on initially available evidence
  4. Preserve forensic evidence:
    1. System administrators will capture first responder data if the system is turned on. The incident handler will provide instructions for capturing this data to the individual performing that task.
    2. The incident handler will capture disk images for all media that are suspected of containing evidence, including external hard drives and flash drives. System administrators will deliver the system to GOIS after the first responder data is captured; disk imaging and analysis will occur at GOIS. The system owner should expect to have it returned within five (5) business days.
    3. The incident handler will dump network flow data and other sensor data for the system.
    4. The incident handler will create an analysis plan to guide the next phase of the investigation.

This is the most time-sensitive and also the most contextually-dependent phase of the investigation. The actions that need to be taken will depend on the uptime requirements of the compromised system, the suspected level of attacker privilege, the nature and quantity of data at risk, and the suspected profile of the attacker. The most important goals of this phase are to eliminate attacker access to the system(s) as quickly as possible and to preserve evidence for later analysis.

Additionally, this is the phase where the incident handler works most closely with system administrators and system owners. During this phase, they are expected to take instruction from the incident handler and perform on-site activities such as attacker containment, gathering first response data, and delivering the system to GOIS in cases where host-based analysis is required.    

G. Analysis

The analysis phase is where in-depth investigation of the available network-based and host-based evidence occurs. The primary goal of analysis is to establish whether there is a reasonable belief that the attacker(s) successfully accessed High Risk Data or GDPR Data on the compromised system. Secondary goals are to generate an attack timeline and ascertain the attackers' actions. All analysis steps are primarily driven by the incident handler, who coordinates communications between other stakeholders, including system owners, system administrators, and relevant compliance officers. Questions that are relevant to making a determination about whether data was accessed without authorization include:

  1. Suspicious Network Traffic: Is there any suspicious or unaccounted for network traffic that may indicate data exfiltration occurred?
  2. Attacker Access to Data: Did attackers have privileges to access the data or was the data encrypted in a way that would have prevented reading?
  3. Evidence that Data Was Accessed/Altered: Are file access audit logs available, or are file system mactimes intact, such that they show whether the files were accessed post-compromise? Also, is there evidence of data alteration, such as changes to file extensions?
  4. Length of Compromise: How long was the host compromised and online?
  5. Method of Attack: Was a human involved in executing the attack or was an automated "drive-by" attack suite employed? Did the tools found have capabilities useful in finding or exfiltrating data?
  6. Attacker Profile: Is there any indication that the attackers were data-thieves or motivated by different goals?

In the case of a potential GDPR Breach, this analysis will include the University’s DPO. The analysis will include an evaluation of the likelihood of risk to data subjects, including, for example, risks related to identity theft or fraud, financial loss, damage to reputation, and discrimination. The analysis should include whether the data has been encrypted, coded, or protected through any other appropriate organizational, physical and technological controls from use by an unauthorized person. The process and facts considered in reaching a determination as to the likely risks to data subjects must be documented.

In the case of a potential Breach of PHI/EPHI, this analysis will include the HIPAA EPHI Security Officer and the Privacy Officer at the relevant Covered Component or Support Component in conjunction with GOIS. They will conduct a risk assessment to determine the probability that the security or privacy of the PHI/EPHI has been compromised based on an evaluation of the elements above in addition to the following four (4) factors:

  1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,
  2. the unauthorized person who used the PHI or to whom the disclosure was made,
  3. whether the PHI was actually acquired or viewed, and
  4. the extent to which the risk to the PHI has been mitigated.

Using these factors, GOIS will determine the degree of technical probability that the security or privacy of the PHI/EPHI has been compromised, but the final determination belongs to the affected HIPAA Covered Component or Support Component. To make this determination, the Privacy Officer at the affected HIPAA Covered Component or Support Component will document each impermissible use and disclosure and the risk assessment conducted for each. That HIPAA Privacy Officer will be responsible for conducting the risk assessment, documenting the results of the assessment and whether the impermissible use or disclosure poses a significant risk of financial, reputational, or other harm to the individual whose PHI/EPHI was compromised.

Exceptions to the definition of a Breach of PHI/EPHI are:

  1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made in good faith and within the course and scope of authority and does not result in further access, use, or disclosure in a manner not permitted under 45 CFR 164.402.
  2. Any inadvertent disclosure by a person who is otherwise authorized to access protected health information as a Covered Entity or Business Associate to another person authorized to access protected health information at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further accessed, used, or disclosed in a manner not permitted under 45 CFR 164.402.
  3. A disclosure of protected health information where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

In the case of a potential breach of Private Information (as defined in Appendix D), GOIS will conduct a risk assessment to determine the probability that a “breach of the security of the system" has occurred, which is defined under New York law to mean an unauthorized access to or acquisition of, or access to or acquisition without valid authorization of, computerized data that compromises the security, confidentiality, or integrity of Private Information maintained by NYU. Good faith access to, or acquisition of, Private Information by an employee or agent of NYU for the purposes of NYU is not a breach of the security of the system, provided that the Private Information is not used or subject to unauthorized disclosure.

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, GOIS may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, GOIS may consider the following factors, among others:

  1. indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or
  2. indications that the information has been downloaded or copied; or
  3. indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

If, during analysis, it appears probable that High Risk Data (including Private Information) or GDPR Data has been exposed, the incident handler should consult with the Vice President for IT/CIO (i.e., the NYU HIPAA Security Officer) or other appropriate NYU IT executives to determine the appropriate University Officials to inform regarding the situation and also should consult with the Office of General Counsel to determine NYU’s notification and reporting obligations under applicable law. Those individuals may include, but are not limited to: the Vice President for Public Affairs, the Vice President for Campus Safety, the relevant Dean, the GDPR Data Protection Officer, and the NYU HIPAA Privacy Officer. In the case of payment card data, this will include the PCI Compliance Manager.

At the conclusion of the analysis, but before the final report is written, a peer review should be requested of the other GOIS technical staff. Then, the write-up of the notes should be completed, including conclusions, and processed source materials (e.g., grep-results, file-timelines, and filtered flow-records) should be archived. The peer review may result in some issues that must be addressed and some issues that may optionally be addressed. All recommendations should be resolved or acknowledged and deferred. The incident handler's role is to determine, from a technical perspective, whether there is a reasonable belief that High Risk Data or GDPR Data, including PHI/EPHI, was available to unauthorized persons. The determination of whether the circumstances warrant a Breach notification will be made jointly by the University Officials convened upon review of the results of the investigation, the technical opinion of GOIS, and the advice of the Office of General Counsel. 

H. Recovery

The primary goal of the recovery phase is to restore the compromised host to its normal business function in a safe manner.

  1. The system administrators will remediate the immediate compromise and restore the host to normal function. This is most often performed by reinstalling the compromised host, although if the investigation confirms that the attacker did not have root/administrator access, other remediation plans may be effective.
  2. The system administrators will make short-term system, application, and business process changes to prevent further compromise and reduce operating risk.    

I. Internal Reporting

The final report serves two (2) main purposes. First, a recommendation is made to the Office of General Counsel and relevant compliance officers as to whether the incident handler and the responsible officials feel there is a reasonable belief that High Risk Data (including PHI/EPHI and Private Information), or GDPR Data was subject to accidental or unlawful destruction, loss, or alteration, or unauthorized disclosure or access, and the degree of probability of risks to data subjects or that the security or privacy of any PHI/EPHI has been compromised. The report must be made in sufficient time to allow notification, if appropriate, within any legally-mandated time period. As noted, under the EU GDPR, notification to authorities must occur, wherever feasible, within seventy-two (72) hours of the discovery of a GDPR Breach. Regarding NYU Abu Dhabi, the Abu Dhabi Department of Health (Abu Dhabi DOH) Policy on Abu Dhabi Health Information Exchange (ADHIE) requires notification to the affected individual “patient” without undue delay, but within 60 days of discovery of the breach, and to Abu Dhabi DOH as soon as reasonably practicable within five (5) business days after it has been determined that a breach occurred. In the case of HIPAA/HITECH/Omnibus, that notification must occur within 60 days of discovering the Breach. Under the NY data breach reporting law, the notification must be made in the most expedient time possible and without unreasonable delay.

Second, a series of mid-term and long-term recommendations are made to the owners of the compromised system/files, including responsible management, suggesting improvements in technology or business processes that could reduce operating risk in the future.

  1. The incident handler will draft the final report after the investigation is complete. Preliminary reports should be avoided whenever possible since working conclusions can change substantially through the course of an investigation.
  2. After the draft report is completed, signoff on the content of the report should be obtained from GOIS management. Technical personnel can offer comments now as well, but typically technical issues should be resolved by this stage. Again, a list of issues will be raised which should be resolved or acknowledged/deferred until GOIS management accepts the report.
  3. For critical incidents involving payment card data, the PCI Compliance Manager will receive a copy of the report and appropriate entities will be notified in the event that cardholder data is accessed without authorization. The PCI Compliance Manager will be responsible for all communication with the payment card brands and will be responsible for coordinating the activities mandated by the payment card brands with respect to the incident.
  4. For incidents involving GDPR Data, the report will address each accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, GDPR Data. The notification procedure outlined in Appendix A will be followed.
  5. For critical incidents involving PHI or EPHI, the report will include each impermissible use and disclosure and the risk assessment conducted for each. The notification procedure outlined in Appendix C will be followed.
  6. If appropriate, given the analysis, the incident handler will obtain sign-off from the Office of General Counsel on the report.
  7. The incident handler will schedule a meeting to deliver the final report to the system administrator, the system owner, and responsible officials. Although the correct management contact will vary on a case-by-case basis, it should typically be Director-level or above. Electronic copies of the report should not be distributed via email; if in-person, on-paper delivery is not acceptable, the incident handler should use a secure process to deliver incident reports.
  8. The incident handler will ensure that the final report includes the details of the investigation and mid-term and long-term recommendations to improve the security posture of the organization and limit the risk of a similar incident occurring in the future. 

J. Data Retention

  1. The incident handler will archive the final report in case it is needed for reference in the future; reports must be retained for six (6) years.
  2. Incident notes should be retained for six (6) months from the date that the report is issued. This includes the Confluence investigation page and processed investigation materials such as grepped file timelines and filtered network flows.
  3. Raw incident data should be retained for thirty (30) days from the date that the report is issued. This includes disk images, unfiltered netflow content, raw file timelines, and other data that was collected but deemed not relevant to the investigation.
  4. ServiceLink tickets from the GOIS ticketing system related to the investigation should be retained for three (3) years.

APPENDIX A: Breach of GDPR Data

  1. Within twenty-four (24) hours of the discovery of a GDPR Breach, the DPO, after consultation with the Office of General Counsel, will determine whether reporting to supervisory authorities and/or data subjects is required by law or is otherwise prudent.

  2. A determination from the DPO that notification is required and the authorization from an authorized member of management will initiate the external notification procedure. Notification to EU data protection authorities is required unless a determination is made that the Breach is unlikely to result in a risk to data subjects. If the Breach is likely to result in a High Risk to data subjects, notification to data subjects is also required.

  3. The DPO, after consultation with the Office of General Counsel, will determine the appropriate authorities to notify. Notification to authorities must: (i) describe the nature of the Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and the approximate number of Personal Information records concerned; (ii) communicate the name and contact details of the DPO or other contact point where more information can be obtained; (iii) describe the likely consequences of the Breach; and (iv) describe the measures taken or proposed to be taken by NYU to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects.

  4. External reporting to the EU GDPR supervisory authorities must be conducted within seventy-two (72) hours of discovery of the security incident, wherever feasible. If any delay in reporting is necessary, the reasons for this delay must be documented. In all cases, external reporting must be conducted within thirty (30) days.

  5. The business process owner of the compromised system/files will compile the list of the specific individuals whose GDPR Data is reasonably believed to have been accessed and/or acquired by an unauthorized person. When specific individuals cannot be identified, all individuals who are likely to have been affected, such as all whose GDPR Data is stored in the files involved, should be notified. The process for determining inclusion in the notification group must be documented.

  6. The DPO, after consulting with the Office of General Counsel, will determine the plan for notifying individuals affected by the Breach consistent with the following guidelines:
  • The method of notification –
    • In general, notices should be sent by postal mail or, preferably, email. NYU’s standard Breach notice will consist of an email message featuring the official NYU logo, addressed to the individual at the last recorded email address registered with NYU. Any notices returned as undeliverable should be re-sent via another channel, such as by first class mail, if alternate contact information is available.
    • In the case of a severe, widespread Breach of security, as determined by the DPO, after consulting with the Office of General Counsel, (a) a "Notice of Breach" must be conspicuously posted on NYU’s website; and (b) major media outlets, including television, radio, and print must be notified.
  • The content of the notice –
    • The notice should include a description of the incident in general terms;
    • The notice should include a description of the type of GDPR Data that was the subject of the Breach;
    • The notice should include a description of the general acts of NYU to protect the information from further unauthorized access and/or acquisition;
    • The notice should include a telephone number that the individual may call for further information and assistance; and
    • The notice should include advice that directs the individual to remain vigilant by reviewing account statements and monitoring free credit reports, where applicable to the nature of the Breach.
  • The timing of notification –
    • Affected individuals must be notified as expeditiously as possible, and without unreasonable delay, consistent with any measures necessary to determine the scope of the Breach and to restore the reasonable integrity of the data system.
    • Delay is permitted when a law enforcement agency has determined that notification will impede a criminal investigation. In such a case, notification must occur as soon as the law enforcement agency determines that notification will no longer compromise the investigation. The factors considered when determining the timing of notification must be documented.     

APPENDIX B: PHI/EPHI Breach Definitions


The following definitions apply to NYU patient privacy and security policies and procedures.

Breach - means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under 45 CFR 164.402 which compromises the security or privacy of the protected health information. The term Breach excludes:

  1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made in good faith and within the course and scope of authority and does not result in further access, use, or disclosure in a manner not permitted under 45 CFR 164.402.
  2. Any inadvertent disclosure by a person who is otherwise authorized to access protected health information as a Covered Entity or Business Associate to another person authorized to access protected health information at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further accessed, used, or disclosed in a manner not permitted under 45 CFR 164.402.
  3. A disclosure of protected health information where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Apart from the exceptions as provided in the paragraphs above of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under 45 CFR 164.402 is presumed to be a Breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Business Associate - means a person or organization that creates, receives, maintains, or transmits protected health information in any form or medium, including electronic media, in fulfilling certain functions or activities for a HIPAA-Covered Entity and that performs a function or activity involving the use or disclosure of protected health information for or on behalf of the Covered Entity. A person or organization who only assists in the performance of the function or activity is also a Business Associate. This includes a person or organization that receives PHI from the Covered Entity, and one who obtains PHI for the Covered Entity.

Critical Incident Response (CIR) - See "B. Overview of Workflow" and “E. Verification,” sections above, for description.

Discovered Breach - A Breach is to be treated as discovered by a Covered Entity or a Business Associate if any person, other than the individual committing the Breach, that is an employee, officer, or other agent of such entity or associate knows or should reasonably have known of the Breach. The time period for notification begins when the incident becomes known, not when it is determined that a Breach as defined by the rule has occurred.

Electronic Protected Health Information or EPHI - means all electronic protected health information that New York University creates, receives, maintains, or transmits in electronic media. Protected Health Information stored, whether intentionally or not, in photocopiers, facsimile machines, and other devices is subject to the HIPAA Privacy and Security Rules.

HIPAA Breach Notification Regulations - means the interim final Breach notification regulations (Breach Notification for Unsecured Protected Health Information), issued in August 2009 by the Department of Health and Human Services (HHS) to implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, by requiring HIPAA Covered Entities and their Business Associates to provide notification following a Breach of unsecured Protected Health Information.

HIPAA Omnibus Rule - means the amendments to the HIPAA Security Regulations published in the Federal Register on January 25, 2013, entitled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule."

Protected Health Information or PHI - means individually identifiable health information, as defined in the Privacy Regulations promulgated pursuant to HIPAA, transmitted or maintained in any form or medium. PHI excludes (1) individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, (2) records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and (3) employment records held by New York University in its role as employer.

Unsecured PHI - means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.

Additional Definitions - For additional definitions, refer to the HIPAA Privacy Standards, 45 CFR Parts 160.101 and 164.501, and to the NYU HIPAA Security Policies.

APPENDIX C: Notification in the case of PHI/EPHI exposure


There is a presumption of Breach unless the Covered Component or the Support Component or Business Associate demonstrates through a documented risk assessment that there is a low probability that the PHI/EPHI has been compromised. If it has been determined that PHI/EPHI has been exposed, and that such exposure has resulted in the probability that PHI/EPHI was compromised, those patients must be notified following the procedure below. It is the responsibility of the Covered Component's or Support Component's compliance/privacy officer to make the final determination whether notification is required.

The Covered Component or Support Component or Business Associate should maintain documentation that all required notifications were made, or, alternatively, that notification was not required.

  1. Patient Notification
    1. If the risk assessment determines that a Breach has occurred, the Component will provide written notice without unreasonable delay and in no event later than sixty (60) days from incident discovery, to the patient or:
      1. If the patient is deceased, the next of kin or personal representative.
      2. If the patient is incapacitated/incompetent, the personal representative.
      3. If the patient is a minor, the parent or guardian.   
    2. Written notification will be in plain language at an appropriate reading level with clear syntax and language with no extraneous materials. Americans with Disabilities Act (ADA) and Limited English Proficiency (LEP) requirements must be met. 
    3. Written notification will be sent by first-class mail to the last known address of the patient or, if deceased, the next-of-kin, or, if specified by the patient, by encrypted electronic mail. 
    4. Written notification will contain:
      1. A brief description of what occurred with respect to the Breach, including, to the extent known, the date of the Breach and the date on which the Breach was discovered;
      2. A description of the types of unsecured PHI that were involved in the Breach;
      3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm resulting from the Breach;
      4. A description of what the Component is doing to investigate and mitigate the Breach and to prevent future Breaches; and
      5. Contact procedures for individuals to ask questions or learn additional information, which will include a toll-free telephone number, an email address, website, or postal address.
    5. In the case where there is insufficient or out-of-date contact information:
      1. For less than ten (10) individuals, a substitute form of notice shall be provided such as a telephone call.
      2. In the case that there are ten (10) or more individuals for which there is insufficient or out-of-date contact information and contact information is not obtained, the Component will:
        • Post a conspicuous notice for ninety (90) days on the homepage of its website that includes a toll-free number; or
        • Provide notice in major print or broadcast media in the geographic area where a patient can learn whether or not their unsecured PHI is possibly included in the Breach. A toll-free number will be included in the notice.
    6. If the Component determines the patient should be notified urgently of a Breach because of possible imminent misuse of unsecured PHI, the Component may, in addition to providing notice as outlined in steps B, C, and D above, contact the patient by telephone or other means, as appropriate.
  2. Media Notification
    In the case where a single Breach event affects more than 500 individuals, notice shall be provided to prominent media outlets without unreasonable delay and in no event later than sixty (60) days from incident discovery. NYU will make any such media contact pursuant to its media communications policies and procedures.
  3. HHS Notification
    1. Notice will be provided by the Component without unreasonable delay and in no case later than sixty (60) days from the incident discovery to the Secretary of the Department of Health and Human Services (Secretary) if a single Breach event affects 500 or more individuals. NYU must also provide such notification to the New York Attorney General within five (5) business days of notifying the Secretary, even if the applicable Breach did not include Private Information as defined under the New York breach reporting law.
    2. If a Breach affects fewer than 500 individuals, the Component will maintain a log of those Breach occurrences in any given calendar year and notify the Secretary annually within sixty (60) days of the end of the calendar year in which the Breach occurred.
  4. Law Enforcement Delay
    If a law enforcement official notifies NYU that a required notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Component will:
    1. If the statement is in writing and specifies the time for which a delay is required, delay notification, notice, or posting for the specified time period;
      or
    2. If the statement is oral, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than thirty (30) days from the date of the oral statement, unless a written statement is submitted within that time.

APPENDIX D: New York Breach Notification Law


Background

New York’s data breach reporting law requires that entities, persons, or businesses conducting business in New York who own or license computerized data which includes private information disclose any breach of the data to any NY residents (State entities must also notify non-residents) whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

1. Definitions

Personal Information - means any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

Private Information - means either:

  1. Personal Information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of Personal Information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
    • Social Security number; driver’s license number or non-driver identification card number;
    • Account number, credit or debit card number, in combination with any required security code, access code or password, or other information that would permit access to an individual’s financial account;
    • Account number, credit or debit card number, if circumstances exist under which such numbers could be used to access an individual’s financial account without additional identifying information, security code, access code, password; or
    • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, other unique physical representation, or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
  2. A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

2. Disclosure Requiring Notification

In the event GOIS has determined it is probable that a “breach of the security of the system” has occurred pursuant to Section G of this Plan, GOIS will consult with the Office of General Counsel to determine NYU’s obligations under the NY data breach notification law (NY GBS Section 899-AA), as well as under any other state data breach reporting laws that may be applicable.  

Notification to individuals is not required under NY law if:

  1. the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and NYU reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials; provided that such a determination must be documented in writing and maintained for at least five (5) years; and provided further that if the incident affects over 500 residents of New York, NYU shall provide the written determination to the NY Attorney General within ten (10) days after the determination; or
  2. notification of the breach is made to affected persons pursuant to the breach notification requirements of any other data security statutes, rules, and regulations of New York or the federal government; provided that NYU still must notify the relevant state agencies as set forth below. For example, HIPAA Covered Entities need not further notify affected New York residents regarding breaches of Private Information that also count as reportable HIPAA breaches, although notification must be provided to the NY Attorney General, Department of State, and Division of State Police.

If NYU does not own the Private Information in question, NYU is required to notify the owner or licensee of the information of any breach of the security of the system immediately following discovery.

3. Methods of Notice

The required notice must be provided directly to the affected persons by one of the following methods:

  • Written notice;
  • Electronic notice, provided that the person to whom notice is sent has expressly consented to receiving the notice in electronic form and a log is retained of each notification;
  • Telephone notification, provided that a log is retained of each such notification;
  • Substitute notice, which is allowed under certain circumstances with approval of the State Attorney General.

4. Information Required in Notice

NY law requires certain specific information to be included in the breach notification. Regardless of the method by which notice is provided, such notice shall include the following:

  • Contact information for the person or business making the notification;
  • The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information;
  • A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of Personal Information and Private Information were, or are reasonably believed to have been, so accessed or acquired.

5. Notification Time

New York law does not specify a single time period within which notification of a breach must be made. However, disclosures must be made within the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. Notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation, in which case the notification shall be made after such law enforcement agency determines that such notification does not compromise such investigation.

6. Notification of Relevant Agencies

If individuals are to be notified, then NYU also must notify the NY Attorney General, Department of State, and Division of State Police as to the timing, content, and distribution of the notices and the approximate number of affected persons and provide a copy of the notice template sent to affected persons. If more than 5,000 New York residents are to be notified at one time, NYU also must notify consumer reporting agencies as to the timing, content, and distribution of the notices and approximate number of affected persons. All such notices shall be made without delaying notice to affected individuals. 

APPENDIX E: ABU DHABI BREACH NOTIFICATION


NYU Abu Dhabi’s healthcare component, the Student Health Center, is subject to regulations set forth by the Department of Health (DOH) in the Emirate of Abu Dhabi. The Abu Dhabi DOH requires healthcare facilities to participate in the Abu Dhabi Health Information Exchange (ADHIE) pursuant to the Abu Dhabi Health Information and Cyber Security Standard (ADHICS) for the exchange of Patient Health Information (“PHI”). The NYU Abu Dhabi Student Health Center is a participant of the ADHIE. The Abu Dhabi DOH, in its Policy on the ADHIE, requires notification to the Abu Dhabi DOH and to patients affected by a security breach of their Patient Data.

The Abu Dhabi DOH defines Patient Data as, in relation to each individual who receives healthcare services in the Emirate of Abu Dhabi, Data (including but not limited to medical records) relating to each Encounter with that individual that resides and is processed on an ADHIE Participant’s System. Patient Health Information (“PHI”) is any Patient Data, including any health and other information, text, radiological images, medical reports, electronic claims and coding, drawings, health and other records, documents and other materials which are embodied in any medium (including any electronic, optical, magnetic, or tangible medium). This would include any oral or recorded information relating to the past, present, or future physical or mental health of a patient, the provision of health care to the patient, or the payment for health care. The Abu Dhabi DOH requires notification to the Abu Dhabi DOH within five business days after the ADHIE has investigated and determined that a breach occurred.

Entities must mitigate, to the extent practicable, any harmful effect they learn was caused by the use or disclosure of protected health information (PHI) by their staff, trainees, vendors, third-party contractors, or business associates in violation of their privacy policies and procedures, and must communicate with the relevant health authorities within 24 hours of initial knowledge of the breach.

Definitions: The following definitions apply to patient privacy at NYU Abu Dhabi.

Breach: The Abu Dhabi DOH’s April 16, 2020 Policy on the Abu Dhabi Health Information Exchange (ADHIE) defines breach as any unauthorized access, disclosure, acquisition, or use of Patient Data, whether by willful misconduct or otherwise, or any breach of DOH policies.

Critical Incident Response (CIR) - See "B. Overview of Workflow" and “E. Verification,” sections above, for description.

Discovered Breach - A Breach is to be treated as discovered by NYU Abu Dhabi if any person, other than the individual committing the Breach, that is an employee, officer, or other agent of NYU Abu Dhabi knows or should reasonably have known of the Breach. The time period for notification to the patients begins when the incident becomes known, not when it is determined that a Breach has occurred.

Patient Health Information: Patient Health Information “PHI” is any Patient Data, including any health and other information, text, radiological images, medical reports, electronic claims and coding, drawings, health and other records, documents and other materials which are embodied in any medium (including any electronic, optical, magnetic, or tangible medium). This would include any oral or recorded information relating to the past, present, or future physical or mental health of a patient, the provision of health care to the patient, or the payment for health care.     

ADHIE Operator: The entity that owns and operates the ADHIE Platform. 

Participant: An entity or person who enters into the Participant Agreement (between the ADHIE Operator and Participant) on behalf of one or more Healthcare Facilities, which authorizes those Healthcare Facilities and their respective Healthcare Personnel to access, use or receive services via, or supply data to, the ADHIE Platform.

Pursuant to the Policy on ADHIE, Section 4.3.18, a Breach excludes the following, as determined by the ADHIE Operator:

  1. Any unintentional acquisition, access, disclosure, or use of Patient Health Information by a workforce member or person acting under the authority of the ADHIE or a Healthcare Facility, if such acquisition, access, or use was made in good faith, the root cause is remedied promptly, and within the scope of authority and does not result in further use or disclosure in a manner not permitted under Applicable Laws;
  2. Any inadvertent disclosure by a person who is authorized to access Patient Health Information at the ADHIE or Participant to another person authorized to access Patient Health Information at the ADHIE or participant, or organized health care arrangement in which a participant participates, and the information received because of such disclosure is not further used or disclosed in a manner not permitted under Applicable Laws; or
  3. A disclosure of Patient Health Information where the ADHIE Operator or participant has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

The Critical Incident Response, investigative measures, and analysis described in this policy also apply to NYU Abu Dhabi.

A breach risk analysis will be performed consistent with Appendix B. 

NYU Abu Dhabi will notify patients affected by the breach and any applicable regulatory bodies and Laws, without undue delay, but in no event later than 60 days from discovery, and based on Appendix C Section 1(a-d).

The DPO, after consulting with the Office of General Counsel, will determine the plan for notifying individuals affected by the Breach. 

Revision History

Version | Date | Description
1.0 | 6/19/2006 | Original document: IT Security Incident Management Procedure
1.1 | 9/29/2011 | Broadened document: IT Security Information Breach Notification Procedure
2.0 | 3/12/2012 | Included PCI DSS information
3.0 | 8/26/2013 | Incorporated HIPAA/HITECH/Omnibus Breach Notification provisions
4.0 | 2/26/2016 | Changed from ITS to NYU IT; also general updates
4.1 | 10/03/2016 | Changed title designation from Vice President, Information Technology and Chief Information Technology Officer to Vice President, Information Technology and Chief Information Officer; and unit designation from NYU IT Technology Security Services to NYU IT Office of Information Security
4.2 | 3/9/2017 | Reformatted list styles
5.0 | 5/11/2018 | Updated for European Union (EU) General Data Protection Regulation (GDPR); Appendix A: Breach of GDPR Data added
5.1 | 12/7/2018 | Updated links to Data Classification Table and Reference for Data and System Classification policies to new Electronic Data and System Risk Classification Policy. Updated references to Restricted Data to High Risk Data.
5.2 | 2/1/2019 | Updated workflow images to reflect High Risk Data term change and revise image alt text.
5.3 | 2/14/2019 | Removed workflow images, replaced TOS Network Engineering with Network Services, and made minor adjustments to text style throughout for improved consistency.
6.0 | 3/2/2020 | Updated for NY Breach Notification Law; Appendix D: New York Breach Notification Law added (NYS SHIELD ACT). Changed title designation from Vice President, Information Technology and Chief Information Officer to Vice President, Information Technology & Global University Chief Information Officer.
7.0 | 11/4/2021 | Organized document into policy setting off key principles and moving original guidance to supplemental plan; updated references and reporting information; fixed typos.
8.0 | 1/31/2024 | Added information pertaining to Abu Dhabi as Appendix E and elsewhere in this Policy and Plan.

Notes
  1. Dates of official enactment and amendments: Jun 19, 2006
  2. History: Last Review: January 31, 2024. Last Revision: January 31, 2024.
  3. Cross References: See Revision History above