Discussion

Under Massachusetts law, Harvard must notify affected Massachusetts residents and state officials as soon as practicable if a resident’s “personal information” has been acquired or used by an unauthorized person or used for an unauthorized purpose. Reportable security breaches of this kind may include unauthorized access to a system that stores confidential information , or the loss or theft of a system or a physical record that contains confidential information, or cases where computers have been hacked, lost or stolen or passwords have been compromised.

“Personal Information” is included in the information that Harvard calls "High Risk Confidential Information." Breaches in the security of other types of High Risk Confidential Information may also require notice to be given.

Harvard has established a process for assessing and responding to possible security breaches. If you discover a possible security breach involving High Risk Confidential Information or other personal information, please immediately contact the Office of the General Counsel (OGC) by calling 617-495-1280 or by emailing Mary_Ann_Mendes@harvard.edu. The OGC will help coordinate the response to the breach.

Please report possible breaches as soon as possible after becoming aware of the possible breach. Reporting should not be delayed in order to collect more information, to determine if a breach has actually occurred, or to determine what specific personal information was actually involved.

Possible breaches that are known or suspected to involve credit or debit card information should be reported following the process described for credit or debit cards. (See Section 4.1: Accepting Payment Cards.)

If you have knowledge of a breach or possible breach and wish to report anonymously, please use the University Anonymous Reporting Hotline.