Breach of Data Security: What to Do

Under Massachusetts law, Harvard must notify affected residents and state officials if there is a breach in the security of Massachusetts residents' "personal information." The law defines "personal information" as a Massachusetts resident's first name or first initial and last name in combination with any of the following - social security number, driver's license number, state issued identification card number, or financial account or credit or debit card number with or without any required security or access code. At Harvard, this may include not only data on present and former employees and students, but also such data on job applicants, parents who apply for financial aid, buyers of tickets to Harvard events, and participants in certain research studies.

Personal information does not include information that is lawfully available to the general public. The law covers records in any form, including electronic and paper records, and it covers unencrypted data and also encrypted data if accessed or lost along with the decryption key.

If you discover or are dealing with a data security breach, contact the Office of the General Counsel by calling 617-495-1280 or by emailing Ranna Farzan or Peter Katz. The OGC will help coordinate the response to the breach.

Please also review Harvard's information security policy at http://security.harvard.edu which discusses the protection of high risk confidential information and additional procedures for data security breaches.