Berkeley Campus Plan Implementing the UC Requirements for Protection of Computerized Personal Information

Background

Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act - Civil Code 1798.29, 1798.82 (Attachment A). This new provision requires any state agency (including the University of California) with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Civil Code defines "personal information" to be an individual's first and last name in combination with any of: social security number, driver's license number, or financial account or credit card number in combination with any password that would permit access to the individual's account. It requires that owners of computerized data must give notice of any security breach to affected persons in the most expedient time possible and without unreasonable delay. The provision also allows for substitute notice (e.g., via posting on the agency's website and notification to major statewide media) in certain circumstances. The bill specifies that an agency that maintains its own notification procedures as part of an information security policy shall be deemed to be in compliance with the bill's notification requirements, as long as the agency notifies people in accordance with its policies in case of a security breach and as long as the agency is otherwise consistent with the bill's timing requirements for notification.

On April 29, 2003 the University of California Office of the President issued an amendment to Business and Finance Bulletin IS-3 - "Electronic Information Security" (http://www.ucop.edu/ucophome/policies/bfb/is3toc.html) to address these new legal requirements (Attachment B). Consistent with Berkeley policy that all campus departments comply with University of California directives, the following UC Berkeley guidelines are provided to campus departments for their assistance in implementing the UCOP requirements.

Purpose and Best Practices

The purpose of this new provision and University implementing requirements is to enhance the management of personal information that could be used, possibly in conjunction with other information, to impersonate an individual in ways that might cause serious loss of privacy and/or financial damage. In addition to these guidelines, departments are urged to establish best practices to reduce to the least amount necessary the collection, distribution, and retention of personally identifying electronic data if this data is not critical to their business needs. Such practices should embrace the following concepts:

collect and retain only that data which is essential to the performance of assigned tasks,
delete personal information when there is no longer a business need for its retention on computing systems,
provide staff access to sensitive data only as needed to perform assigned duties,
design database systems so that personal information can be identified,
when personally identifying information is included in the distribution of data to any downstream users, include notification of that fact, including reference to these guidelines,
redact personal information not critical to the task when distributing full data sets to downstream users,
whenever possible, configure electronic applications that check authorizing or authenticating databases to return confirming responses rather than personal information,
review and update agreements with external service providers to ensure vendor compliance with these requirements,
be prepared in advance in the event of the need for any immediate notification to individuals whose personal data is retained on computing systems,
never leave sensitive data exposed on computer screens when not in use or leave computer screens unattended without appropriate screen access controls.

In addition to these practices, see the System and Network Security Office website (http://security.berkeley.edu/) for links to resources providing best practice recommendations for securing computing and communications resources. The Data Stewardship Council (http://dataintegration.vcbf.berkeley.edu/), a subcommittee of the E-Berkeley Steering Committee, is charged to develop a framework for an integrated data environment and culture. The Data Stewardship Council serves as a resource to the campus in the area of data management. Control units may develop further guidelines to supplement this implementation plan.

Related campus policies and guidelines

Existing campus policies and guidelines identify the obligations of campus officials regarding the security controls of computing systems and data contained on the computing systems under their jurisdiction.

Guide to Administrative Responsibilities: The Guide to Administrative Responsibilities describes principles and delegation of accountability for administrative officials.
Campus Information Technology Security Policy (CITSP): The CITSP establishes the requirement that all campus individuals are responsible for the logical and physical security of electronic information resources within their jurisdiction. The CITSP also extends this policy to outsourced activities.
The Data Management, Use and Protection Policy: The Data Management, Use and Protection Policy defines responsibilities and obligations of data proprietors and data custodians. (This policy is currently being developed by the Data Stewardship Council.)

Berkeley Campus Guidelines

  1. Definitions

    1.1.
    protected data:
    The data comprising personal information governed by these guidelines is defined as protected data. This protected data includes an individual's first and last name in combination with any of:
    social security number,
    driver's license number or California identification card number,
    financial account or credit card number in combination with any password that would permit access to the individual's financial account,
    medical information or health insurance information.
    1.2.
    computing system:
    any server, desktop, laptop computer, or PDA that contains or provides network access to protected data.
    1.3.
    administrative official:
    the UC Berkeley individual who has been delegated responsibility for oversight of data or computing systems with access to data.
    1.4.
    data proprietor:
    the individual or department that has primary responsibility for determining the purpose and function of an essential data resource. The data proprietor is often the chief administrative official of the Office of Record for the data resource.
    1.5.
    data custodian:
    an individual or department that functions as the technical partner of the data proprietor. The data custodian, as directed by the data proprietor, is responsible for the implementation of data systems and the technical management of data resources.
    1.6.
    control records:
    a database, spreadsheet, or any other electronic file that contains a list of computing systems that contain protected data. Control records must contain the following:
    name of computing system data custodian,
    physical location of computing system,
    description of logical access and security controls.
  2. Responsibilities

    2.1.
    lead campus authority: The Berkeley Campus Chief Information Officer is designated as the lead campus authority who is responsible for:
    ensuring that the campus incident response process is followed,
    ensuring that systemwide and, if applicable, campus notification procedures are followed,
    coordinating campus procedures with campus counsel as appropriate.
    2.2.
    administrative officials have oversight responsibility to:
    ensure that data proprietors develop adequate security plans for computing systems within their jurisdiction,
    ensure that data proprietors develop adequate procedures for access to protected data,
    ensure that data custodians conduct an inventory of computing systems under their jurisdiction,
    determine which computing systems contain protected data or have access to protected data that are subject to these requirements,
    ensure the collection of email or postal address information for any individuals for whom protected data is retained,
    ensure the collection of control records and the retention of control records in a secure environment for those systems determined to be subject to these requirements,
    conduct an annual review of control records and update as necessary,
    establish an immediate notification plan, including boiler plate text, which could be implemented in the event of a breach that would have immediate deleterious impact on individuals whose personal information may have been obtained by a non-authorized source.
    2.3.
    data proprietors must:
    create and maintain control records identifying computing systems containing unencrypted protected data as defined in section 1.6.
    ensure the development of adequate security measures consistent with CITSP and IS-3, i.e., commensurate with risks associated with the sensitivity or confidentiality of data, to reduce risk of threats to protected data in computing systems within their jurisdiction,
    inform any data custodians and users of protected data of their responsibilities regarding any use they may make of the data,
    establish procedures to ensure that all staff within their jurisdiction who have access to or make use of protected data abide by University and campus policy regarding protected data,
    ensure notification to downstream users when protected data is redistributed,
    submit a report of control records by a secure transmission to the delegated administrative official, as determined by the control unit,
    maintain control records in a secure environment.
    2.4.
    data custodians must:
    implement adequate security measures for computing systems containing protected data within their jurisdiction,
    implement appropriate encryption strategies for both the transmission and storage of protected data,
    establish adequate procedures to indicate if unauthorized access to or anomalous activity occurs on computing systems. Data custodians may consult System and Network Security for assistance in determining strategies appropriate to their technological environment.
    establish procedures to monitor access to computing systems housing protected data,
    notify any downstream users with reference to these guidelines when protected data is redistributed.
    2.5.
    data users must:
    abide by established procedures on access to and use of protected data,
    protect the resources under their control, such as access passwords, computers, and data they download.

  3. Incident Response Process

    3.1.
    If a breach is suspected on a computing system that contains or has network access to unencrypted protected data, the data custodian must immediately:
    remove the computing system from the campus network,
    conduct a local analysis of the breach,
    notify the data proprietor if there is a reasonable belief protected data may have been acquired,
    send email to System and Network Security (SNS),
     
    The normal address for reporting IT security incidents is security@berkeley.edu. However, if you are certain this incident requires immediate attention, escalate your report by sending email to urgent-security@uclink.berkeley.edu.
    Prepare an incident "Intake Report" as soon as possible and send it to SNS. (See Questions that should be answered in the event of an SB 1386 breach.)
    3.2.
    SNS will examine the evidence of a breach with the data custodian to assess the possibility that protected data has been obtained. (SNS will work with the data custodian to determine when the computing system can be restored to the campus network.)
    3.3.
    SNS will notify the Campus Computer Incident Response Team* (CCIRT) if SNS believes there could be a possibility that unencrypted protected data has been acquired by an unauthorized source.
    3.4.
    The data custodian must file a police report with UCPD if the department suspects criminal activity is responsible for the breach.
    3.5.
    The data custodian must report to the data proprietor the number of individuals whose protected data may have been acquired.
    3.6.
    If, after continued analysis, SNS and the data custodian have sufficient reason to believe that protected data may have been acquired, the data proprietor will submit a report to the cognizant vice chancellor, the campus Chief Information Officer, Vice Chancellor-Legal Affairs, and Assistant Vice Chancellor-Public Affairs
    describing the nature of the security breach and
    reporting the number of individuals affected, including address information.
    (See suggested questions for preparing a "Final Report" to assist campus authorities with their decision as to whether subjects of the data should be notified.)
    3.7.
    The Chief Information Officer will immediately report the breach to the Associate Vice President for Information Resources and Communications at UCOP.
    3.8.
    The cognizant vice chancellor, the campus Chief Information Officer, Vice Chancellor-Legal Affairs, and Assistant Vice Chancellor-Public Affairs will meet to make a determination whether criteria for notification under California Civil Code 1798.29, 1798.82 have been met and to determine the means of notification if required, e.g., email, postal mail, or website notice, consistent with Systemwide Notification Procedures (Attachment B).

  4. Notification Procedures

    4.1.
    Notification shall include all of the following information:
    The date(s) on which the personal information was (or could have been) acquired.
    A description of the personal information which was (or could have been) acquired.
    The name of the department or unit responsible for the information and the relationship that the affected individual has (had) to the department (in such a way that the person receiving the notification will understand why that department or unit had their information).
    An indication of the likelihood that the personal information was acquired or used.
    A list of resources that affected individuals could use to check for potential misuse of their information. This list should include the flyer, "What to Do If Your Personal Information is Compromised" (http://www.privacy.ca.gov/financial/sbfs021205.pdf), produced by the California Office of Privacy Protection (either as a link or a hardcopy attachment).
    An email address and phone number of a suitable departmental representative with sufficient knowledge of the incident to be able to handle questions from affected individuals.
    4.2.
    The cognizant vice chancellor and the data proprietor will determine whatever additional advice or assistance will be given to the affected individuals.
    4.3.
    Sample notification language is provided in Attachment C.

  5. Reporting Requirements

    When the incident is closed, the Chief Information Officer will report to the Associate Vice President for Information Resources and Communications at UCOP:

    a description of the incident,
    the response process,
    the notification process,
    the actions taken to prevent further breaches of security.



Attachment A

Information Practices Act of 1977 - California Civil Code

    (http://www.privacy.ca.gov/code/ipa.htm)

Sections 1798.29, .82, .84

The Information Practices Act of 1977 expands upon the constitutional guarantee of privacy by providing limits on the collection, management and dissemination of personal information by state agencies.

Sections 1798.29, .82, .84 were added or amended subsequent to the passage of SB 1386 and AB 700.


Senate Bill No. 1386
CHAPTER 915
An act to amend, renumber, and add Section 1798.82 of, and to add
Section 1798.29 to, the Civil Code, relating to personal information.
[Approved by Governor September 25, 2002. Filed
with Secretary of State September 26, 2002.]
LEGISLATIVE COUNSEL'S DIGEST

SB 1386, Peace. Personal information: privacy.

Existing law regulates the maintenance and dissemination of personal
information by state agencies, as defined, and requires each agency to
keep an accurate account of disclosures made pursuant to specified
provisions. Existing law also requires a business, as defined, to take all
reasonable steps to destroy a customer's records that contain personal
information when the business will no longer retain those records.
Existing law provides civil remedies for violations of these provisions.
This bill, operative July 1, 2003, would require a state agency, or a
person or business that conducts business in California, that owns or
licenses computerized data that includes personal information, as
defined, to disclose in specified ways, any breach of the security of the
data, as defined, to any resident of California whose unencrypted
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The bill would permit the
notifications required by its provisions to be delayed if a law
enforcement agency determines that it would impede a criminal
investigation. The bill would require an agency, person, or business that
maintains computerized data that includes personal information owned
by another to notify the owner or licensee of the information of any
breach of security of the data, as specified. The bill would state the intent
of the Legislature to preempt all local regulation of the subject matter of
the bill. This bill would also make a statement of legislative findings and
declarations regarding privacy and financial security.
The people of the State of California do enact as follows:
SECTION 1. (a) The privacy and financial security of individuals
is increasingly at risk due to the ever more widespread collection of
personal information by both the private and public sector.
(b) Credit card transactions, magazine subscriptions, telephone
numbers, real estate records, automobile registrations, consumer
surveys, warranty registrations, credit reports, and Internet Web sites are
all sources of personal information and form the source material for
identity thieves.
(c) Identity theft is one of the fastest growing crimes committed in
California. Criminals who steal personal information such as social
security numbers use the information to open credit card accounts, write
bad checks, buy cars, and commit other financial crimes with other
people's identities. The Los Angeles County Sheriff's Department
reports that the 1,932 identity theft cases it received in the year 2000
represented a 108 percent increase over the previous year's caseload.
(d) Identity theft is costly to the marketplace and to consumers.
(e) According to the Attorney General, victims of identity theft must
act quickly to minimize the damage; therefore expeditious notification
of possible misuse of a person's personal information is imperative.
SEC. 2. Section 1798.29 is added to the Civil Code, to read:
1798.29. (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the breach
in the security of the data to any resident of California whose
unencrypted personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. The disclosure shall be made
in the most expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as provided in
subdivision (c), or any measures necessary to determine the scope of the
breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the owner
or licensee of the information of any breach of the security of the data
immediately following discovery, if the personal information was, or is
reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law
enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section shall be
made after the law enforcement agency determines that it will not
compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to further
unauthorized disclosure.
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination with
any one or more of the following data elements, when either the name
or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with
any required security code, access code, or password that would permit
access to an individual's financial account.
(f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made available to
the general public from federal, state, or local government records.
(g) For purposes of this section, "notice" may be provided by one of
the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the
provisions regarding electronic records and signatures set forth in
Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be notified
exceeds 500,000, or the agency does not have sufficient contact
information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site page,
if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy for
the treatment of personal information and is otherwise consistent with
the timing requirements of this part shall be deemed to be in compliance
with the notification requirements of this section if it notifies subject
persons in accordance with its policies in the event of a breach of security
of the system.
SEC. 3. Section 1798.82 of the Civil Code is amended and
renumbered to read:
1798.84. (a) Any customer injured by a violation of this title may
institute a civil action to recover damages.
(b) Any business that violates, proposes to violate, or has violated this
title may be enjoined.
(c) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies available
under law.
SEC. 4. Section 1798.82 is added to the Civil Code, to read:
1798.82. (a) Any person or business that conducts business in
California, and that owns or licenses computerized data that includes
personal information, shall disclose any breach of the security of the
system following discovery or notification of the breach in the security
of the data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made in the most expedient
time possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subdivision (c), or
any measures necessary to determine the scope of the breach and restore
the reasonable integrity of the data system.
(b) Any person or business that maintains computerized data that
includes personal information that the person or business does not own
shall notify the owner or licensee of the information of any breach of the
security of the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.
(c) The notification required by this section may be delayed if a law
enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section shall be
made after the law enforcement agency determines that it will not
compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of the
person or business for the purposes of the person or business is not a
breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized disclosure.
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination with
any one or more of the following data elements, when either the name
or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with
any required security code, access code, or password that would permit
access to an individual's financial account.
(f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made available to
the general public from federal, state, or local government records.
(g) For purposes of this section, "notice" may be provided by one of
the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the
provisions regarding electronic records and signatures set forth in
Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the
cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the person or business has an e-mail address
for the subject persons.
(B) Conspicuous posting of the notice on the Web site page of the
person or business, if the person or business maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), a person or business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is otherwise
consistent with the timing requirements of this part, shall be deemed to
be in compliance with the notification requirements of this section if the
person or business notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
SEC. 5. This act shall become operative on July 1, 2003.
SEC. 6. This act deals with subject matter that is of statewide
concern, and it is the intent of the Legislature that this act supersede and
preempt all rules, regulations, codes, statutes, or ordinances of all cities,
counties, cities and counties, municipalities, and other local agencies
regarding the matters expressly set forth in this act.


Attachment B

Revision to IS-3 to Cover SB 1386 Requirements

IV. Risk, Sensitivity and Criticality

[new section:]
D. Notification in Instances of Security Breaches Involving Personal Information Data

In the event of a breach to the security of unencrypted computerized personal information, campuses must notify the state residents whose information is affected if an unauthorized person is reasonably believed to have acquired the information.[1]

The definition of "personal information" for this policy is an individual's first name or first initial, and last name, in combination with any one or more of the following (unless the information is encrypted):

  • social security number
  • driver's license number or California identification card number
  • account number,[2] credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

Campuses may choose to expand the list of data elements considered personal information.

The definition of a "security breach" for this policy is when a state resident's unencrypted personal information, as defined above, is reasonably believed to have been acquired by an unauthorized person. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Systemwide Notification Procedures

In the case of a security breach as defined in this policy, all campuses must follow the systemwide procedures presented here to provide notification of the breach to those state residents whose personal information is reasonably believed to have been acquired by an unauthorized person. In addition, campuses may develop detailed local guidelines based upon the steps in the systemwide procedures.

Notification must occur without unreasonable delay, except

  • When a law enforcement agency has determined that notification will impede a criminal investigation (in this case, notification must occur as soon as the law enforcement agency determines that it will not compromise the investigation) or
  • In order to discover the scope of the breach and restore the integrity of the system.

In coordination with campus counsel, campuses may determine the language to be used in the notification, which may be distributed by one of the following methods:

  • Written, hard copy notice or
  • E-mail notice

If sufficient contact information is not available for direct hard copy or e-mail notice, a substitute method of notice may be used. Substitute notice should include prominent display on the campus's Web site or other commonly used Web site for at least forty-five days. Both campus counsel and the campus community relations or public information office should be consulted to develop the substitute notice.

Campuses may decide, in coordination with campus counsel, to provide notification to affected individuals if personal information beyond the data elements defined here is accessed by an unauthorized person.

Campus Implementation Plan

Campuses must develop an Implementation Plan for Security Breach Notification. A copy of the plan must be sent to the Associate Vice President for Information Resources and Communications, who must subsequently be notified of any changes to the plan. The plan should contain, at a minimum, the following components.

Designation of Authority

Each chancellor shall designate an individual, or a functional position, that will act as the lead campus authority responsible for reporting to UCOP and that may delegate to other personnel, when appropriate, responsibilities for

  • Ensuring that the campus incident response process is followed,
  • Ensuring that systemwide and, if applicable, campus notification procedures are followed, and
  • Coordinating with campus counsel.

The functional position of the lead campus authority should be at a level high enough to allow that individual to speak with authority for the campus.

Data Inventory

Campuses must establish a process to identify

  • Where "personal information", as defined above, is used and stored,
  • The primary employee positions that have access to and use the data,
  • The proprietor and the custodian of the data, and
  • An acceptable level of security protection for the data.

Incident Response Process

Campuses must develop an incident response process to determine

  • Whether a security breach has occurred, as defined in this policy.

Local Notification Procedures

Campuses that develop detailed local notification procedures to supplement the systemwide procedures must include these in the implementation plan.

Reporting Requirements

Campuses must report immediately in writing to the Associate Vice President for Information Resources and Communications at UCOP

  • Any time there has been a security breach, as defined in this policy, and
  • When the incident is closed. The incident closure report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.



Attachment C


Sample notification text for a 1386 breach

On February 29, 2004, a computer in the Department of Exophrenology was accessed by an unidentified individual without proper authorization. The computer contained names, addresses and Social Security numbers of students, including yourself, who had applied for admission to our graduate program during the past five years. Between that date and March 10, 2004, an unauthorized individual could have accessed your personal information.

At this time, we have no evidence that an unauthorized person retrieved any personal information. (University information security personnel who investigated this incident consider this unlikely.) However, we take very seriously our obligation to safeguard personal information entrusted to us, and therefore, we deem it necessary to bring this situation to your attention. As a courtesy, we are enclosing a document produced by the California Department of Consumer Affairs Office of Privacy Protection entitled "What to Do If Your Personal Information is Compromised" (http://www.privacy.ca.gov/financial/sbfs021205.pdf). In addition, you may want to avail yourself of the following Web sites and telephone numbers that make available useful information on identity theft and consumer fraud:

California Department of Consumer Affairs Office of Privacy Protection

http://www.privacy.ca.gov/cover/identitytheft.htm

Federal Trade Commission's Web site on identity theft

http://www.ftc.gov/bcp/edu/microsites/idtheft/

Social Security Administration fraud line: 1-800-269-0271

Credit Bureau Numbers:

Equifax 1-800-525-6285
Experian 1-888-397-3742
Trans Union 1-800-680-7289

UC Berkeley deeply regrets this possible breach of confidentiality. Please be assured that we will take the steps necessary to safeguard the personal information we maintain on this campus. If you have any questions about this matter, please feel free to contact me at janekdoe@berkeley.edu or (510) 642-xxxx.

Sincerely,


Dr. Jane K. Doe, Chair
Department of Exophrenology
University of California
Berkeley, CA 94720-xxxx

    "Privacy Protection Recommendations:
    What to Do If Your Personal Information Is Compromised"



* CCIRT is composed of staff from the following groups: System & Network Security (SNS), the CIO's office, Communication and Network Services (CNS), Office of Legal Affairs, UCPD, Internal Audit, Controller's Office, and IT Policy Services.

[1] The notification is a requirement of California Civil Code Section 1798.29, effective July 1, 2003.

[2] The "account number" corresponds to an individual's financial account.

For questions about this document or this website contact itpolicy@berkeley.edu

 
