What Should Be Reported?

All cyber incidents at The University of Alabama should be reported and investigated to determine whether the data involved requires an official notification of exposure, as determined by regulation (FERPA, HIPAA, PCI) or by a data management plan contract. Failure to report could result in individual disciplinary action, additional fines from regulatory entities, and/or loss of trust in the University by the community at large.

What Is Considered an Incident?

An incident can be any unauthorized access to confidential or sensitive data through:

  • Any potential or suspected loss of data through hacking, virus or malware.
  • A lost device, laptop, phone, tablet or external drive.
  • Any unauthorized access to, or downloading of, confidential or sensitive data.

Depending on the data involved, one or more regulatory entities and/or affected individuals will require prompt notification.

Incident Response Plan

UA students, faculty and staff can view the University’s Incident Response Plan. Note – users must be connected to the campus network to view the plan.

Report an Incident

To get started, contact our office so we can learn more about your incident.

Report a Privacy Breach

To protect the privacy of affected individuals and prevent further harm, all data privacy breaches, no matter what kind or how small, must quickly be reported using the appropriate measures. All breaches must be reported through the Privacy Breach Portal on UA’s Compliance, Ethics, and Regulatory Affairs website. This ensures that the proper authorities are notified and given the necessary information and support to mitigate any potential harm. It also ensures that the proper measures can be taken to prevent similar incidents from occurring in the future.