Data Security Breach Communications Plan

The Texas A&M University at Galveston Campus Data Security Breach Communications Plan has been developed to provide guidance in the event that there is an actual release or a significant possibility that confidential data has been released or exposed.

No amount of planning can replace the solid leadership and sound judgment that must be exercised at all levels during a crisis or emergency situation. This plan will always be an evolving document and is for guidance only.


Campus Data Security Breach Response Team

The following personnel compose the Campus Data Security Breach Response Team and are responsible for coordinating response to any incident.

  • Dr. Brad McGonagle, Assistant Vice President for Administration
  • Mr. Grant Shallenberger, Assistant Vice President for Student Affairs and Auxiliary Services and Interim Chief of Staff
  • Mr. Steve Conway, Director, Computing Information Services
  • Ms. Susan Lee, Associate Vice President for Finance

PROCEDURES

Reporting - Anyone who suspects that a device containing confidential information has been lost, or that such a device has been accessed by a person without proper authority, SHALL immediately notify the Director of Computing and Information Services, Steven Conway, or his designated CIS backup.

Assessment - The Director of Computing and Information Services will investigate the situation and determine the likelihood that confidential and/or personal information has been released or accessed by unauthorized individuals.

Response - In the event that there is an actual release or a significant likelihood that confidential and/or personal information has been released or accessed, the Director of CIS will notify the President and CEO and activate the Campus Data Security Breach Response Team. After assessing the nature and scope of the situation, the Executive Team member in charge will call together all available members of the Executive Team to execute the following plan:

  • Designate a spokesperson: In cases of a significant crisis, the President and CEO or administrator in charge will take the lead in conveying the administration's response to the crisis, showing that the campus has control of the situation, calming public concern and providing leadership for the entire campus.
  • Draft a fact sheet: The fact sheet will contain a summary statement of the situation including all known details to be released to the media. This information will be made available to (and approved by) the President and CEO in addition to notifying and providing copies to the following individuals –
    • TAMU – President, Provost, Chief of Staff, VP Marketing & Communications
    • TAMUS –
      • Chancellor
      • General Counsel
      • Executive Secretary of the Board of Regents
      • Chief of Staff
      • Chief of Communications
  • Notify individuals who may be impacted: Determine which personnel might have had their personal data released and who should be informed of the crisis. It is important to keep administration, faculty, staff, students and parents informed, as appropriate, of the details and actions taken by the university during an emergency.
  • The Campus Emergency Communications Protocols will be followed (See Appendix A)
  • Update and activate the website: Update and activate the website dedicated to communicating during a data security breach. Review current TAMU System guidelines for the website -- https://apps.system.tamus.edu/datasecurity/web.html
  • Alert the media: Determine whether a news conference and/or news release is an appropriate means of conveying information beyond the protocols used to notify faculty, staff, students, the news media and the public. The President and CEO or administrator in charge, in consultation with the Director of Media Relations and Communications, will determine the logistics of the news conference, including when, where and how the media will be contacted, which media will be contacted, who will supervise the news conference, who will appear, etc. The Campus Emergency Communications Protocols for Media Management will be followed.
  • Other spokespersons: Identify any other individuals besides those on the Executive Team who may serve as spokespersons or who might be made available to the news media; assign a public information staff person to provide counsel to those individuals.

Aftermath Component

Following any crisis, appropriate action must take place to ensure that members of the campus community, and others as necessary, receive needed information and assistance to help bring closure to the crisis as well as relief from the effects of the event. Attention also should be placed on identifying and implementing measures to improve the Emergency Preparedness plan used during the crisis.

  • Communications: If needed, a public forum should be scheduled and coordinated by the Director of Media Relations and Communications to communicate details of the incident and events to all interested members of the campus. The timeliness of this meeting is critical and every effort should be made to see that it occurs within three work days from the close of the crisis. Representatives from the Executive Team, Campus Police, Student Affairs, Human Resources, Employee Assistance Program, as well as the Counseling Office should attend and be prepared to answer questions and share pertinent information. Specific departments and/or individuals also may be requested to attend and participate depending upon the nature of the crisis.
  • Immediately following a crisis: It is imperative that the campus be sensitive to the needs of faculty, staff and students who may have been personally affected by the crisis. There may be a need to assist a victim or victims with obtaining information and/or a referral to available resources. Human Resources will be the contact for employee assistance and Student Affairs for student assistance.
  • Rumor control: It is not unreasonable to expect that rumors would follow a crisis, further creating an atmosphere of anxiety. As a preventative measure, the campus website will be continuously updated following the crisis to address rumors and provide additional information as it becomes available. All inquiries about the crisis will be directed to the Director of Media Relations and Communications.
  • Ten day follow up: The Executive Team shall meet within 10 days following a crisis and review all actions taken as a result of the crisis to determine effectiveness and efficiency of operations and make any needed changes to the Emergency Preparedness Plan and Emergency Communications Plan and Protocols.

Careful application of the Campus Data Security Breach Plan will assist the Texas A&M University at Galveston campus community in responding appropriately and effectively managing the media. Continued evaluation and refinement of this plan is necessary and will be initiated on an annual basis.

Revised June 2010