Rules and Procedures for Notification of Lost or Stolen Computing/Electronic Storage Devices

Purpose

The following outlines the rules that apply, steps that will be taken, and the procedures to follow when computing devices that can store the various forms of University information as outlined in the data classification policy are lost or stolen. This process is to be adhered to by all University offices, departments, and employees with the emphasis on quick response to the incident with the notification of the appropriate contacts as outlined below.

Scope and definitions

Devices covered under these rules and procedures include any device that is University or personally owned and contains University information. Information includes but is not limited to work, research, documents, or other information relating to work or services done at or for Western Michigan University; information relating to employees; information relating to any University grants or contracts; and University student information. (Such information is individually or collectively referred to as “data.”) Examples of devices could be laptops, USB storage devices, portable hard drives and smart phones. This process addresses a device that is lost or stolen from the campus premises, as well as from off-campus locations (e.g., homes, hotels, vehicles).

Special notice should be taken with student owned/controlled devices that are lost or stolen, especially if the student is a graduate assistant or teaching assistant. Departments need to review this process with all persons that might use University data on portable devices as a part of their day-to-day responsibilities.

One primary concern of these rules and procedures is the loss or theft of a device owned by the University, regardless of the data stored on the device, and the loss or theft of any device (University-owned or personally-owned) if it contains restricted/confidential information, which includes individually identifiable data about individual students, faculty, staff, alumni, donors, retirees, contractors, patients, or others with whom the University does business.

If a device is lost or stolen on any campus of WMU:

The device owner will, as soon as possible:

  1. Contact WMU public safety (269-387-5555).
  2. Contact their departmental LAN administrator.
  3. Contact department chair or director or other office head.

Departmental LAN administrator will contact IT security officers via phone and email to oit-security@wmich.edu.

IT security officer will:

  1. Contact Director of IT Policy and Communication and the Chief Technology Officer.
  2. Contact the device owner to determine the type of information stored – refer to data classification policy.
  3. If confidential/restricted data (as defined in the data classification policy) were stored on the device, initiate the information security incident response plan.
  4. Follow the tracking stolen computers procedures (an IT internal use document) and if applicable, Computrace tracking procedures.
  5. Work with WMU public safety to ensure police reports have been filed.

If a device is lost or stolen off-campus:

The device owner will, as soon as possible:

  1. Contact the local police jurisdiction and WMU public safety, and request that local police contact WMU public safety regarding the theft/loss.
  2. Contact departmental LAN administrator.
  3. Contact department chair or director or other office head.

Local police and WMU public safety department will communicate about next steps.

Departmental LAN administrator will contact IT security officers if it is a University-owned device or advise the device owner to contact IT security officers if it is a personally-owned device. An individual may notify IT by calling the front desk at (269) 387-5430 or by sending an email message to oit-security@wmich.edu.

IT security officer will:

  1. Contact Director of IT Policy and Communication and the Chief Technology Officer.
  2. Contact the device owner to determine the type of information stored – refer to data classification policy.
  3. If confidential/restricted data (as defined in the data classification policy) were stored on the device, initiate the information security incident response plan.
  4. Follow the tracking stolen computers procedures (an IT internal use document) and if applicable, Computrace tracking procedures.
  5. Work with WMU public safety to ensure police reports have been filed.

For all instances when a device is lost or stolen:

  1. If Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA), is involved, the incident will be handled in accordance with the HIPAA policies and procedures adopted by the entity covered by HIPAA. The University HIPAA privacy and contact officer, located in the Office of the Vice President for Legal Affairs and General Counsel, will coordinate the necessary actions to be taken and meetings held.
  2. If deemed necessary, the director of IT policy and communication will coordinate a meeting with the CTO, security officer, department head, device owner, and/or general counsel representation and other compliance officers as dictated by data classification.

Note: These rules and requirements may be amended at any time with or without notice by the Chief Technology Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law.

Document action

Revised: January, 2014