Electronic Data Security Breach Reporting and Response Policy
Published: March 2010
Revised: March 2018
OMG is committed to compliance with all applicable federal and state laws and regulations relating to the compromise of Sensitive Data (as such term is defined in the OMG Information Security Charter (the “Charter”) https://www.omahamediagroup.com/isc). This Policy establishes measures that must be taken to report and respond to a possible breach or compromise of Sensitive Data, including the determination of the Systems affected, whether any Sensitive Data have in fact been compromised, what specific Data were compromised and what actions are required for forensic investigation and legal compliance. Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
- The effective date of this Policy is March 30, 2010.
- Reviewed and/or revised March 14, 2018.
III. Policy Text
Any suspected or confirmed breach or compromise of Sensitive Data must be reported in a timely manner to the appropriate OMG office as set forth in Section D below, in order to mitigate the risk to Information Resources and protect OMG’s operations.
B. OMG Response Team
Upon receipt of such report, the Chief Information Security Officer, Information Security Officer, the HIPAA Privacy Officer, the General Counsel or his or her delegate will convene the OMG Response Team (ORT).
The ORT consists of representatives of the following units:
- Information Security Office (Omaha)
- Office of HIPAA Compliance (for PHI only)
- Office of the General Counsel
- Public Safety
- Public Affairs
- Human Resources
- Affected OMG Department
The following lists the general responsibilities of the members of the ORT:
- The applicable Information Security Office will be responsible for serving as Incident Lead for any actual or suspected compromise of Sensitive Data (other than PHI).
- The Office of HIPAA Compliance will be responsible for serving as Incident Lead for any actual or suspected compromise of PHI.
- The General Counsel is responsible for all legal issues associated with an actual or suspected compromise of Sensitive Data.
- The Office of Public Safety is responsible for all contacts with law enforcement and for non-technical aspects of any investigation.
- The Office of Public Affairs is responsible for all internal and external communications and media relations.
- Human Resources will advise on personnel issues and communications to OMG staff.
- The affected OMG department will provide the support required to investigate and respond to the actual or suspected compromise of Sensitive Data.
The OMG Information Security Office will establish detailed internal procedures for compliance, external and internal communications, and oversight of the investigation and technical support associated with a suspected or actual breach of Sensitive Data. The specific incident response procedures are set forth in the Information Security and Privacy Incident Procedure + Checklist.
The general steps in a response include the following:
1. Incident Categorization
Incidents will be categorized based on the applicable Information Security Office’s internal procedures. Based on the severity of the incident, an appropriate response action will be taken.
2. Response and Recovery
The ORT may call upon any necessary additional offices and resources required to carry out the investigation and remediation of any breach. This expanded ORT will be responsible for the investigation of the incident and any technical support required. Incident team members will include representatives of affected Data Owners and any other units responsible for the Information Resources involved.
Any individual responsible for an Information Resource containing Sensitive Data that may have been compromised must take immediate steps to secure that system and preserve it without change.
3. Lessons Learned
After an incident has been resolved, an incident report will be created and distributed to the ORT. The ORT will then convene to discuss the security controls that failed and establish the steps necessary to prevent or limit the risk of the incident recurring.
D. Contact Information
To report a possible breach of PHI:
Office of HIPAA Compliance
Telephone: 800.601.6765 ext 803
To report a possible breach of Sensitive Data at OMGIT:
OMGIT Information Security Office
To report a possible breach of Sensitive Data at any OMG:
OMG Information Technology
Telephone: 800.601.6765 ext 804
IV. Cross References to Related Policies and Other Documentation
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
Information Security Charter