DATA BREACH NOTIFICATION POLICY



Similar documents
MOBILE DEVICE SECURITY POLICY

State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH

STANDARD ADMINISTRATIVE PROCEDURE

BUSINESS ASSOCIATE AGREEMENT

SaaS. Business Associate Agreement

CODE OF ETHICS AND BUSINESS CONDUCT

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

FirstCarolinaCare Insurance Company Business Associate Agreement

Exhibit 2. Business Associate Addendum

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

BUSINESS ASSOCIATE AGREEMENT

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

Information Security Program Management Standard

BUSINESS ASSOCIATE AGREEMENT

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Standard: Information Security Incident Management

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

BUSINESS ASSOCIATE AGREEMENT

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

Information Resources Security Guidelines

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

HIPAA BUSINESS ASSOCIATE AGREEMENT

SECTION-BY-SECTION ANALYSIS

This form may not be modified without prior approval from the Department of Justice.

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

SAMPLE BUSINESS ASSOCIATE AGREEMENT

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT

Sample Business Associate Agreement Provisions

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS

Breach Notification Policy

ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

MEAD JOHNSON NUTRITION COMPANY CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS

BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE ADDENDUM

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

KRS Chapter 61. Personal Information Security and Breach Investigations

Business Associate Agreement

Business Associate Agreement

January An Overview of U.S. Security Breach Statutes

Business Associate Agreement Involving the Access to Protected Health Information

BUSINESS ASSOCIATE AGREEMENT

CUBIC ENERGY, INC. Code of Business Conduct and Ethics

Michie's Legal Resources. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence Act of [Acts 1999, ch. 201, 2.

HIPAA Breach Notification Policy

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

Subject: Safety and Soundness Standards for Information

HIPAA BUSINESS ASSOCIATE AGREEMENT

The Institute of Professional Practice, Inc. Business Associate Agreement

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008

PBGC Information Security Policy

HIPAA Privacy and Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

Louisiana State University System

Business Associate and Data Use Agreement

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

BUSINESS ASSOCIATE AGREEMENT

FERRELLGAS CODE OF ETHICS FOR PRINCIPAL EXECUTIVE AND FINANCIAL OFFICERS

Enclosure. Dear Vendor,

EDI REGISTRATION FORM Blue Cross of Idaho 3000 E Pine Ave Meridian, Id Fax

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Transcription:

State of Illinois Department of Central Management Services DATA BREACH NOTIFICATION POLICY Effective December 1, 2007

State of Illinois Department of Central Management Services Bureau of Communication and Computer Services Effective December 1, 2007 Version 2.0 Revised January 01, 2010 APPROVAL SHEET Please Return to: Thank You. CMS/BCCS Chief Information Security Office 120 W. Jefferson Springfield, IL 62702

TABLE OF CONTENTS POLICY STATEMENT PURPOSE BUSINESS CASE RELEVANCE SCOPE DEFINITIONS RESPONSIBILITY POLICY

POLICY STATEMENT It is the intent of the Illinois Department of Central Management Services (CMS) to have in place a reasonable information security policy and a Data Breach Notification Policy including procedures that address both the protection of certain information, including Personal Information as defined in (815 ILCS 530/5) and the prompt notification of those individuals actually or potentially affected by a breach of the security of the system data as defined in (815 ILCS 530/5). CMS will make all reasonable efforts to protect confidential information and specifically nonpublic personal information as a Data Collector as defined in (815 ILCS 530/5) when it acts in that capacity. CMS will also make all reasonable efforts to protect confidential and nonpublic personal information that CMS may be managing on behalf of another state Agency that is the Data Collector. CMS will make all reasonable efforts to protect such information under CMS control from unauthorized access, use, disclosure, deletion, destruction, damage, or removal. Though reasonable efforts are made to protect resources and data, there exists the possibility that resouces and data under the control of the State may be breached. As a result, this policy requires that CMS have a reasonable and appropriate breach notification procedure or action plan in place should security procedures not prevent a breach. Such procedures should be in concert with existing laws that address notice requirements for individuals and/or entities that may actually or potentially be affected by unauthorized access or breach. In Illinois, the Personal Information Protection Act 815 ILCS 530 outlines the requirements for notification in the event of a Breach of Personal Information. PURPOSE The purpose of this Policy is to recognize the importance of information security and to realize that a breach may still occur and therefore to establish a framework for addressing a breach that occurs notwithstanding the reasonable efforts to prevent such a breach. BUSINESS CASE State and Federal law, as well as best business practice, suggest that an organization should make reasonable efforts to secure and protect certain information that it possesses thereby protecting the integrity and confidentiality of any such maintained information. A breach of security of the protected information that occurs in spite of measures taken to protect physical and/or logical resources could result in financial loss as well as loss of customer confidence. RELEVANCE There are various Federal and State Laws that may apply to both security and breach situations depending upon the type of equipment, information or data that is being protected. The Illinois Statute that addresses a breach of information security is the Personal Information Protection Act 815 ILCS 530. 1 of 3

SCOPE This Policy applies to the Department of Central Management Services (CMS) and the various Bureaus within CMS that manage, maintain, operate, store, or are otherwise active in the control of certain information that if breached would trigger notification. This Policy should also be followed by any Agency that utilizes CMS BCCS for telecommunications and technology services. This Policy does not address human safety. Other policies, procedures, and plans address the top priority of human health and safety. These include but may not be limited to emergency (or incident) response plans, evacuation plans, personal conduct rules, emergency management plans, public health procedures, and homeland security guidelines and recommendations. This Policy, and the procedures directed by it, address environments that require system access control, computer and operations management, system development and maintenance, physical and environmental security of information, compliance, personnel security, security organization, asset classification and control, and business continuity and response(s) to any resulting breaches of such security measures as well as other environments that handle information that must be secured. DEFINITIONS For purposes of this Policy, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector (specifically the State Agency that collected the information and/or the Agency that manages the equipment that houses that data). RESPONSIBILITY Users of state resources are responsible for following the intent of this Policy, any published associated procedure(s), and using reasonable due diligence. Anyone observing what appears to be a breach of security, violation of this or other state policy, violation of state or federal law, theft, damage, or any action placing state resources at risk must report the incident to an appropriate level supervisor, manager, or security officer within their organization. Those reporting alleged incidents will be protected from retaliation by existing whistleblower protection laws currently enforce. Managers and supervisors are responsible for ensuring that workers follow the intent of this Policy and are adhering to all related procedures. Where appropriate, procedures and operational manuals that detail specific actions that implement this Policy should be created. Procedures developed to support this Policy should be monitored and tracked for compliance with this Policy. To the extent operationally feasible and cost-effective standards of responsibility will be followed as set forth in ISO 17799 and an appropriate defense-in-depth strategy. 2 of 3

POLICY 1. Any Agency that utilizes CMS BCCS for telecommunications and technology services should have a breach notification procedure in place that can immediately be implemented in the event of a data breach. CMS has a breach notification procedure in place titled CMS Action Plan for Notification of a Security Breach. 2. Any Bureau within CMS that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system data following discovery or notification of a breach of the security of the system data pursuant to the CMS Action Plan for Notification of a Security Breach. 3. An Agency that has a Security Policy in place and maintains a breach notification procedure that is consistent with the requirements of the Statute (815 ILCS 530/5) shall be in compliance with the requirements of this Policy. 3 of 3

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information