A data compromise event is the illegal, unauthorized access to and theft of electronic data. Credit card data is a prime target for cybercriminals because it is easy to resell on the black market. Therefore, it is very important to be alert to possible breaches in your systems.
The university has completed a PCI Incident Response Plan (PDF, 642 KB).
Each unit is required to develop a plan that leads up to the point of contact with the two central offices. Everyone in the unit should be familiar with this plan, so that in the event of a potential compromise, important forensic data is not lost or tainted.
Alert all necessary parties immediately!
The IT Security Office (ITSO) will coordinate the investigation of the incident. The university is required to provide all potentially compromised accounts and related information to the processing bank within 10 days of the discovery of the breach. The ITSO will also collect the information necessary to create a formal incident report. Based on the findings of this report, there may be follow-up investigations by either the ITSO or by an independent forensic investigation team.
Be prepared to provide all potentially compromised accounts and related information, as requested by the processing bank, within 10 days of the breach.
Be prepared to provide an incident report (which will be forwarded to your unit by the University Treasurer’s office, as provided by the merchant bank) within three business days of the reported compromise.
The merchant bank and the credit card agencies will consult to determine whether an independent forensic investigation will be initiated on the compromised entity.
When the IT Security Office becomes aware of a compromised system that was holding sensitive information, including PCI data, CIT analyzes the incident in depth and writes up a formal report. CIT then submits the report to the Data Incident Response Team (DIRT).
DIRT is a group of people representing a range of campus offices who review incidents with potential data loss, and make a determination about what action, if any, the university needs to take.
For data such as social security numbers and certain other personal identifiers, DIRT may be compelled by NYS regulation to notify the potentially impacted parties and report the incident to the state attorney general and other offices. The university can also elect to notify the people whose information is at risk, even if not legally bound to do so.
If there is significant likelihood of data loss, or if the group feels it would be productive to discuss the incident in depth, DIRT will convene, inviting individuals from the following:
In this meeting, DIRT reviews the course and causes of the compromise, what was learned from the group's analysis, and what data was placed at risk. The group has always been able to reach a consensus on whether or not the university should notify the impacted individuals.