Whenever Virginia Tech is notified of a (potential) data exposure, specific steps should be taken, in cooperation with university officials, to determine a course of action that ensures compliance with federal and state regulations. The department responsible for the exposure should inform their department head of the incident and work with the University Legal Counsel and the IT Security Office to determine appropriate action(s).
The department responsible for the exposure assumes primary responsibility for dealing with issues of the exposure. They should work with data stewards to verify the confidentiality of the data and take responsibility for developing a communications plan that includes any publicity, notification to individuals and others, and necessary remediation.
Personal information requiring notification (PIRN) includes sensitive information as covered by Virginia Tech’s Standard for Storing and Transmitting Personally Identifying Information:
PIRN also includes elements of FERPA and HIPAA. Contact the IT Security Office for help determining if data qualifies as PIRN.
For more information on how to deal with data exposures, view the documents below.
Data Exposure - Data Exposure Guidance (PDF | 467KB)
Data Exposure - Critical Compromise Mitigation worksheet (PDF | 447KB)