Minutes
Audio Player
Policies
<p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><u><strong>Purpose</strong></u></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">With the increased reliance upon electronic data, and the maintenance of personal information of students and employees in electronic format, the Board is concerned about the risk of a breach in the district’s electronic system security and the possible disclosure of personal information. This policy addresses the manner in which the district will respond to unauthorized access and acquisition of computerized data that compromises the security and confidentiality of personal information.</span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><u><strong>Authority</strong></u></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">The Board directs that district administrators shall provide appropriate notification of any computerized system security breach to any state resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed or acquired by unauthorized persons.<span><a href="http://www.legis.state.pa.us/cfdocs/Legis/LI/uconsCheck.cfm?txtType=HTM&amp;yr=2005&amp;sessInd=0&amp;smthLwInd=0&amp;act=0094." title="73 P.S. 2301 et seq">[1]</a></span></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><u><strong>Definitions</strong></u></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><b>Breach of the system’s security</b>&nbsp;- unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the district as part of the database of personal information regarding multiple individuals and that the district reasonably believes has caused or will cause loss or injury to any state resident. Good faith acquisition of personal information by an employee or agent of the school district for the purpose of the district is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the district and is not subject to further unauthorized disclosure.<span><a href="http://www.legis.state.pa.us/cfdocs/Legis/LI/uconsCheck.cfm?txtType=HTM&amp;yr=2005&amp;sessInd=0&amp;smthLwInd=0&amp;act=0094." title="73 P.S. 2302">[2]</a></span></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><b>Individual</b>&nbsp;- means any natural person, not an entity or company.</span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><b>Personal information</b>&nbsp;- includes an individual’s first initial and last name in combination with and linked to any one or more of the following, when not encrypted or redacted:<span><a href="http://www.legis.state.pa.us/cfdocs/Legis/LI/uconsCheck.cfm?txtType=HTM&amp;yr=2005&amp;sessInd=0&amp;smthLwInd=0&amp;act=0094." title="73 P.S. 2302">[2]</a></span></span></span><br>&nbsp;</p><ol><li style="font-size: 14px; font-family: Verdana;">Social security number.<br>&nbsp;</li><li style="font-size: 14px; font-family: Verdana;">Driver’s license number or state identification card number issued instead of a driver’s license.<br>&nbsp;</li><li style="font-size: 14px; font-family: Verdana;">Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.<br>&nbsp;</li></ol><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.<span><span class="footnotelink" title="Pol. 801">[3]</span></span></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><b>Records</b>&nbsp;- means any material, regardless of its physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed or electromagnetically transmitted. This term does not include publicly available directories containing information that an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.<span><a href="http://www.legis.state.pa.us/cfdocs/Legis/LI/uconsCheck.cfm?txtType=HTM&amp;yr=2005&amp;sessInd=0&amp;smthLwInd=0&amp;act=0094." title="73 P.S. 2302">[2]</a></span></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;"><u><strong>Delegation of Responsibility</strong></u></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">The Superintendent or designee shall ensure that the district provides notice of any system security breach, following discovery, to any state resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Such notice shall be made without a reasonable delay, except when a law enforcement agency determines and advises the district in writing that the notification would impede a criminal or civil investigation, or the district must take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system. The district will also provide notice of the breach if the encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of security of the encryption, or if the security breach involves a person with access to the encryption key.<span><a href="http://www.legis.state.pa.us/cfdocs/Legis/LI/uconsCheck.cfm?txtType=HTM&amp;yr=2005&amp;sessInd=0&amp;smthLwInd=0&amp;act=0094." title="73 P.S. 2303">[4]</a></span></span></span></p><p>&nbsp;</p><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">The district shall provide notice by at least one (1) of the following methods:</span></span></p><ol><li style="font-size: 14px; font-family: Verdana;">Written notice to last known home address for the individual.<br>&nbsp;</li><li style="font-size: 14px; font-family: Verdana;">Telephone notice if the individual can be reasonably expected to receive the notice and the notice is given in a clear and conspicuous manner; describes the incident in general terms; verifies the personal information but does not require the individual to provide personal information; and provides a telephone number to call or Internet web site to visit for further information or assistance.<br>&nbsp;</li><li style="font-size: 14px; font-family: Verdana;">Email notice, if a prior business relationship exists and the district has a valid email address for the individual.<br>&nbsp;</li><li style="font-size: 14px; font-family: Verdana;">Substitute notice if the district determines that the cost of notice exceeds $100,000, the affected individuals exceed 175,000 people, or the district does not have sufficient contact information. Substitute notice shall consist of an email notice, conspicuous posting of the notice on the district's website, and notification to major statewide media.</li></ol><p><span style="font-size:14px;"><span style="font-family:Verdana,Geneva,sans-serif;">If the district provides notification to more than 1,000 persons at one (1) time, the district shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices, without unreasonable delay.</span></span></p>