Paper Data Breaches
On this page:
Basic Process for Reporting Paper-based Data Incidents
Incident Report: Basics
Incident Report: Data Details
If the incident involves electronic data, see Electronic Data Breach Reporting. Failure by MIT to report any data incident involving regulated data in a timely manner may be a violation of state or federal law. If in doubt, report the incident first.
Basic Process for Reporting Paper-based Data Incidents
If a security incident has occurred involving MIT business data of any kind, take the following steps immediately:
- SECURE the area in which the incident has occurred. If the paper records are still on hand - although their content may have been disclosed - move them to a secure location for use later in the incident response process.
- INFORM your supervisor and/or appropriate department, lab or center management
- DETERMINE who will communicate the incident.
- NOTIFY the MIT Data Incident Response Team by sending e-mail (if possible) to infoprotect@mit.edu providing the Incident Report Data shown below.
Incident Report: Basics
- Incident data: date and time of incident (and/or the discovery of the incident)
- Nature of incident: confirmed/suspected break-in by unauthorized parties, unauthorized disclosure by authorized individuals, accidental disclosure of paper records from offices, loss of paper records in transit within MIT or between MIT and third parties, etc.
- Physical location of incident
- Your contact info: email address, office, phone (MIT, cell and other)
Incident Report: Data Details
Note: Refer to DRAFT Data Classification Guidelines for complete information
Provide whatever is known, or suspected, or what data might be at risk as a result of the incident:
- SSN or other personally identifying information
- Credit card numbers or other financial information
- Current or past student information
- Medical or other protected health information
- Any other MIT confidential (non-public) information
