New Jersey Identity Theft Prevention Act Compliance
Memo from the Executive Vice President for Administrative Affairs dated 12/2005
TO: Provosts, Vice Presidents, Deans, Directors, and Department Heads

A university committee led by Michael McKay, the vice president for information technology, is in the process of developing a new universitywide policy that complies with “The New Jersey Identity Theft Prevention Act,” a law signed by Acting Governor Richard J. Codey on September 23. This Act, which becomes effective on January 1, 2006, will help protect New Jersey residents against identity theft. A copy of the Act is available at http://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM.

The law was primarily enacted to assist in both the prevention and detection of identity theft by requiring that personal information be maintained in a secure manner and by restricting the use of a Social Security number as an identifier. The law applies to Rutgers, as well as to private businesses.

If there is a security breach affecting personal information maintained electronically by Rutgers or by an outside entity on behalf of Rutgers, and it is reasonably possible for the personal information to be misused as a result of the data being compromised, then the affected individuals must be notified. In the event of a security breach, there are certain notification requirements that must take place in a timely manner.

Rutgers has compiled the following guidelines to ensure full compliance with the law until a university policy has been finalized:

1. Anyone with knowledge of a security breach of electronic records at Rutgers shall immediately notify the appropriate Data Authority, which is the individual or unit with disposition control over either electronic records or systems containing electronic records.

2. The Data Authority is then responsible for immediately notifying the university's Information Protection and Security (IPS) office at abuse@rutgers.edu or by calling 732/445-8011 for assistance.

3. If a breach has occurred, the Data Authority, in consultation with IPS, members of the Computer Incident Response Team, and other appropriate administrators, is responsible for notifying the affected individual(s) without undue delay. Furthermore, the Data Authority shall comply with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

4. Records of any security breaches and the university's response will be retained in writing for an appropriate period of time.

More information will be distributed in the spring when the new policy has been completed.

Questions about how “The New Jersey Identity Theft Prevention Act” will affect your unit may be emailed to rusecure@rutgers.edu. Additional information about data protection and security is available at http://oit.rutgers.edu/unitguide.pdf.

Thank you for your cooperation in ensuring compliance with the new law.

Sincerely,
Karen Kavanagh