Breach of Personal Identification Information
Purpose. The School Board regards security and confidentiality of personal data and information to be of utmost importance. Palm Beach County School District (District) increasingly provides for the maintenance of personal information of students, parents/guardians, employees or retirees, job applicants, vendors and volunteers in an electronic format, as well as other formats. Thus, the School Board desires to provide for any potential risk of a breach in the District's electronic system security and the possible disclosure of personal information regardless of its format. This policy addresses the manner in which the District will respond to an unauthorized access and acquisition of computerized data that compromises the security and confidentiality of unencrypted personal information. This policy is consistent with Fla. Stat. § 817.5681 and federal laws.
Definitions. For the purposes of this policy, the following definitions shall apply:
Breach of the system's security means unauthorized or unlawful acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the District as part of the database of personal information. Good faith acquisition of personal information by an employee or agent of the District for a legitimate business purpose or the purpose of the District is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the District and is not subject to further unauthorized disclosure.
Person/Individual means a student or former student, a parent or guardian, job applicant, employee or retiree, vendor or volunteer of the District, firms, associations, joint ventures, partnerships, estates, trusts, business trusts, syndicates, fiduciaries, corporations, and all other groups or combinations, on which the District maintains personal information.
Personal identifiable information includes an individual's first name, first initial and last name, or any middle and last name, in combination with and linked to any one or more of the following, when not encrypted or redacted:
Social security number.
Driver's license number or Florida Identification Card Number.
Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
A record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. For purposes of this policy, biometrics (unless prohibited by federal or Florida law) is limited to only fingerprints or a technology that utilizes an automated touchpad to recognize a person based on finger image or template. With the latter technology, biometrics will use a point on the finger for the image and will not utilize actual fingerprints.
Personal identifiable information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Records means any material, regardless of its physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed or electromagnetically transmitted. This term does not include publicly available directories containing information that an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.
Unauthorized user/person means any person who does not have permission from, or a password issued by, the person who stores the computerized data to acquire such data, but does not include any individual to whom the personal information pertains.
Policy Statement. It is the policy of the School Board to ensure the District's treatment, custodial practices, and uses of personally identifiable information are in compliance with all relevant state and federal laws. The District shall provide notice of any system security breach, following discovery, to any student or former student, parent/guardian, job applicant, employee or retiree, vendor or volunteer whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.
Time of Notice. The District shall provide notification, as provided in section 5 herein, not more than forty-five (45) days after a determination of any computerized system security breach to any party whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed or acquired by unauthorized persons, in compliance with Fla. Stat. § 817.5681, as now or hereafter amended. This policy also applies to information maintained on behalf of the District by a third party or vendor.
Law Enforcement Measure. Regardless of the above notice time period, such notice shall be made without unreasonable delay, except when a law enforcement agency determines and advises the District in writing that the notification would impede a criminal or civil investigation, or when the District must take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system.
Encryption Breach. The District will also provide notice of the breach if the encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of security of the encryption, or if the security breach involves a person with access to the encryption key.
Reporting of Breach. An employee shall immediately report a breach of personal identifiable information, as provided in this policy, to the responsible person(s) identified in section 4 who serve as privacy officers for that category of personal identifiable information. The responsible person, as privacy officer, shall immediately inform the Chief Information Officer, as Security Officer for the District, of the breach. In such reporting, the employee and privacy officer shall complete the Personal Identification Security Breach Reporting Form, PBSD Form 2344, attached and incorporated hereto.
Security Officer. The Security Officer shall review, and implement if necessary, administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of the personal identifiable information that is maintained in electronic form by the District, and implement any necessary steps or security measures to protect the electronic personal identifiable information against any reasonably anticipated threats or hazards, unauthorized uses or disclosures, during storage, processing or transmission. The Security Officer may designate local security officers to work with the necessary privacy officials and work units as necessary to facilitate the implementation of procedures and security measures.
Employee Confidentiality Agreement. All current and future employees must preserve the security and confidentiality of the personal identification information they have access to and use in the performance of District duties and job responsibilities. Future and current District employees shall sign and be bound by the Employee Confidentiality Agreement for Handling of Personal Identification Information, PBSD Form 2345, attached and incorporated hereto.
Failure to Report Breach. An employee who fails to report a breach or to comply with this Board policy will be subject to disciplinary action, up to and including dismissal, and may also be subject to criminal prosecution. A consultant or another person who fails to report a breach related to the performance of his/her duties with the School District may be barred from work for the District and may also be subject to criminal prosecution.
Designated Privacy Officials. The following employees shall be responsible for personal identifiable information, serving as privacy officers, for any related security breaches in their respective areas of responsibility. The work units shall be responsible for controlling access to, and security of, the personal identification information.
Employee personnel information - Chief of Human Resources or designee.
Information on students - Chief Academic Officer or designee.
Free or reduced lunch program - Director of Food Services, or designee.
Purchasing proposals and related contracts - Director of Purchasing.
Computer system authentication, authorization, access, usage, profile, cookie, or other such files or in telecommunications or network records - Chief Information Officer or designee.
For the administration of federal and state income taxes - Chief Financial Officer or designee.
Information in grant proposals - Chief Academic Officer or designee.
Financial account numbers, debit and credit cards - Treasurer.
Retirees, health or workers' compensation information - Director of Risk and Benefits Management or designee.
Volunteer information - Volunteer Coordinator.
If a work unit does not have a privacy officer designated within this policy, the department head shall be responsible for ensuring the duties of the privacy officer are performed if there is a breach of personal identification information occurring within the department.
Notice and Notification Methods.
The District, through the responsible person identified in section 4 herein as the privacy officer, shall provide notice to any affected student or former student, parent/guardian, job applicant, employee or retiree, vendor or volunteer by at least one (1) of the following methods:
Written notice to last known home address for the individual.
E-mail notice, if a prior business relationship exists and the District has a valid e-mail address for the individual and the individual has agreed to accept communications electronically.
Substitute notice, if the District determines that the cost of notice exceeds $250,000, the affected individuals exceed 500,000 people, or the District does not have sufficient contact information. Substitute notice shall consist of a written notice as above; an e-mail notice when the District has an e-mail address for the subject persons; conspicuous posting of the notice on the District's web site; and notification to major statewide media.
If the District provides notification to more than 1,000 persons at one (1) time, the District shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices, without unreasonable delay.
The notice shall be clear and conspicuous and shall include the following information:
A description of the incident in general terms;
A description of the type of personal information that was the subject of the security breach;
A description of what the District has done to protect the individuals' information from the security breach;
A telephone number or other contact information so that recipients of the notice can call for further information and assistance; and
A reminder to the recipient to review account statements or monitor credit reports and to immediately report any suspicious activity or incidents of suspected theft to law enforcement and consumer reporting bureaus.
District Vendors or Third Parties with Access to Personal Information. Any District vendor maintaining computerized data that includes personal information on behalf of the District shall disclose to the District any breach of security of its system as soon as practicable, but not later than three (3) days following the determination, if personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice to the District shall be to the Superintendent and to the responsible work unit, and the notice shall include the information as provided in section 5b of this policy. The vendor shall be responsible for any costs associated with providing notice related to a breach of security of its system.
When agreements are established with vendors or third parties, those agreements shall include satisfactory assurances that the contracting third party will appropriately safeguard personal identification information in accordance with state and federal laws and regulations and School Board policies. When providing access to or passing personal identification information to a vendor or third party agent of the District, the agreements shall include terms and conditions, at a minimum, that:
Prevent disclosure of personal identification information by the vendor or third party to other third parties.
Require vendors or third parties to observe federal and state laws and School Board policies for the breach of personal identification information.
Require a specific plan by the third party for the implementation of administrative, technical or physical security strategies to protect personal identification data and information.
Require a plan for the destruction or return of personal identification information upon completion of the third party's contractual obligations.
Storage and Disposal.
All documents or files that contain personal identifiable information must be stored in a physically secure manner. Personal identifiable information shall not be stored on computers or other electronic devices that are not secured against unauthorized access.
Documents or other materials that contain personal identifiable information shall not be thrown away through usual trash disposal. They shall be discarded or destroyed only in a manner that protects their confidentiality, such as shredding.
Any disposal of documents will comply with state laws and Board policies.
Administrative Procedures. The Superintendent, or designee, shall be responsible for the coordination of any incident response and shall ensure administrative procedures are implemented to:
Ensure prompt internal notification of appropriate persons when a breach is detected, including the use of an incident response team, management and the internal owner of the data;
Assess the nature and scope of the incident, and identify the systems and personal information that have been accessed or misused;
Contain, control and correct any security incident;
Appropriately notify law enforcement, and public relations personnel;
Timely notify individuals affected by a breach of their data;
Address responses to likely inquiries;
Document all responsive actions taken;
Regularly review and revise the incident response plan; and
Provide training to employees on the importance of information protection and immediate reporting of breaches.
STATUTORY AUTHORITY: Fla. Stat. §§ 1001.41, 1001.42
LAWS IMPLEMENTED: Fla. Stat. § 817.5681; Fair and Accurate Credit Transactions Act of 2003; Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
HISTORY: 7/7/2010