Cybersecurity – Incident Response Plan
Revised 7-22-2011; 3-18-2016; 5-14-2017; 3-16-2020; 11-15-2022
The Importance of Securing Electronic Data
Much of the data stored or transmitted via Reed's computing equipment is confidential. Unauthorized access to such data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Reed community at risk and exposing the college to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or reputational implications for the college.
Preventing Electronic Data Incidents
The task of protecting confidential electronic data is shared by all members of the Reed community. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential to do so to conduct college business.
Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) and, wherever possible authentication should be handled by Reed’s password management tool (1Password). Mobile devices should also be physically protected by placing them in locked cabinets when not in use, by not putting them into checked luggage when traveling, and by any other available means.
The Chain of Responsibility
Under certain circumstances, confidential electronic data may need to be conveyed to individuals or groups who are not employees of the college. These may be vendors, contractors, professional organizations, or others. In these circumstances, the college must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom confidential data might be further conveyed.
Responding to Cybersecurity Incidents
Despite explicit guidelines for securing confidential electronic data, breaches and other types of cybersecurity incidents can still occur. At such times, it is important that the college respond as quickly and as professionally as possible. Computer thefts, should be reported immediately to IT by sending email to: tech-theft@reed.edu or by calling ext. 7254 (503-777-7254). Steps that IT will take in the event of a data security incident are as follows:
1. Determination of the incident nature and scope
- identification of the person reporting the incident (name, contact info, etc.)
- record of the location, timeframe, and apparent source of the incident
- preliminary identification of confidential data that may be at risk
- identify if ransomware, malware dropper, or other type of incident has occurred
2. Reporting of a suspected or confirmed incident
- chief information officer
- director of community safety (if physical security has been compromised)
- president and senior officers (depending on sensitivity and scope of data involved)
- legal counsel (depending on sensitivity and scope of data involved)
- law enforcement (depending on the nature/scope of incident)
- IDExperts (company retained by Reed to assist with breach notification)
- executive director of communications & public affairs (depending on sensitivity and scope of data involved)
- if credit card data is involved notify bankcard holder within 24 hours of confirmed incident discovery (and notify CampusGuard, Inc. for assistance)
3. Investigation
- identify potential ongoing exposure of data and take immediate steps to close holes
- conduct preliminary forensic analysis (retain outside assistance as needed)
- prepare inventory of data at risk
- determine if exposed data were encrypted
- identify security measures that were defeated (and by what means)
4. Incident Assessment
- identify affected individuals at risk of identity theft or other harm
- assess financial, legal, regulatory, operational, reputational and other potential institutional risks to the college
5. Incident Remediation
- implement password changes and other security measures to prevent further data exposure
- determine if exposed/corrupted data can be restored from backups; take appropriate steps
- determine if value of exposed data can be neutralized by changing account access, ID information, or other measures
6. Incident Notification
Based on regulatory requirements (e.g., Oregon Consumer Information Protection Act as amended January 1, 2020) and other factors, senior officers, CIO, and executive director of communications & public affairs (in consultation with legal counsel as appropriate) determine whether notifications are required for:
- government agencies
- affected individuals
- Reed community
- business partners
- public
- other
If senior officers, CIO, and executive director of communications & public affairs determine that notifications are needed:
- the CIO will notify IDExperts who will coordinate notifications to affected individuals; unless directed otherwise by law enforcement, such notifications will be made without delay.
- the vice president & treasurer and/or CIO will notify government agencies and business partners.
- the senior officers, CIO, and executive director of communications & public affairs will coordinate notifications to the Reed community, the public, and others as necessary.
Communications will address the following points:
- nature and scope of incident
- general circumstances of the incident (e.g., stolen laptop, hacked database etc.)
- approximate timeline (e.g., date of discovery)
- steps the college has taken to investigate and assess the incident
- involvement of law enforcement or other third parties
- information about any misuse of the missing data
- college-provided credit-watch service for affected individuals
- IDExperts steps on behalf of affected individuals
- steps that the college is taking to prevent future incidents of this nature
Post-Incident Follow-Up
In the wake of a cybersecurity incident, Reed will:
- take steps to ensure that missing data cannot be used to access further information or cause harm in other ways to Reed's electronic or other resources;
- pursue with law enforcement all reasonable means to recover lost data and equipment;
- review and modify as needed all procedures governing systems administration, software management, database protections, access to hardware, etc., to prevent future data breaches of a similar nature;
- take appropriate actions if staff negligence or other’s behavior contributed to the incident.
- modify procedures, software, equipment, etc., as needed to prevent future data incident’s of a similar nature;
- take appropriate actions if personnel negligence caused or contributed to the incident.