Sample Security Breach Notification Text

October 2005

Universitywide requirements for notification of individuals when their personal data has been acquired by an unauthorized person through a security breach are found in Business and Finance Bulletin, IS-3, Section IV.E, “Electronic Information Security (http://www.ucop.edu/ucophome/policies/bfb/bfbis.html).” Information about UC’s policy for security breach notification is available online.

The following text provides guidance in developing a notice to subjects of a database compromise. The final text used in an actual notification of a security breach should be reviewed by the UCOP Office of Strategic Communications and the Office of the General Counsel.

To [name]:

In [date], campus officials were notified of the [description of breach]. This [computer/server/laptop] contained a list of [department] [ student] [employees]. The list included the names and [Social Security/bank account/credit card numbers] of the [students/employees]. We are notifying you of this security breach because you are one of the [students/employees] whose personal information was present on the [computer/server/laptop]. Although we have no evidence that an unauthorized individual has actually retrieved and is using your personal data, we are bringing this incident to your attention, in accordance with California law, so that you can be extra alert to signs of any possible misuse of your personal identity. We regret that your information may have been subject to unauthorized access and have taken remedial measures to ensure that this situation is not repeated.

Although there is no evidence that an unauthorized person has obtained your personal information and is using it, there are some steps you can take, exercising abundant caution, to protect yourself.

First, you may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call any one of the three credit reporting agencies at the phone numbers listed below: You should (1) request that a fraud alert be placed on your account and (2) order a free credit report from the agency.

  • Equifax 1-888-766-0008
  • Experian 1-888-397-3742
  • Trans Union 1-800-680-7289

Second, when you receive your credit reports, look them over carefully for accounts you did not open or for inquiries from creditors that you did not initiate. Review your personal information, such as home address and Social Security number for accuracy. If you see anything you do not understand, call the credit agency at the telephone number on the report. Please note that the University will not contact you again to confirm any of your personal information, so if an unknown person should contact you, do not give out any additional information.

Third, if you find any suspicious activity on your credit reports, call your local police or sheriff’s office.

Additional information about identify theft can be obtained from the Web site listed below.

The University of California is committed to maintaining the privacy of [student/employee] information and takes many precautions for the security of personal information. In response to incidents of theft like this one and the increasing number of Internet-enabled computer attacks, the University is continually modifying its systems and practices to enhance the security of sensitive information. We sincerely regret any inconvenience this incident presents to you.

Should you have further questions about this matter, please contact [name of contact], [title of contact], at [e-mail address of contact] or [phone number].

 

  Sincerely,