Reporting a Security Incident
Stolen Laptop, Computer, Phone?
Missing or stolen laptop, computer, phone, tablet, hard drive, or other computing device that contains Stanford information? This qualifies as a security incident. Whether your device was outright stolen or merely lost, your first job, in order to be compliant with the law yourself and to help Stanford be compliant as well, is to report it as soon as possible, aka immediately (don't wait for business hours to resume):
Immediately notify the Stanford University Privacy Office
Once you realize your device has been lost or stolen, immediately contact the Stanford University Privacy Office. To report a loss or theft directly, use the red link, "Report a Privacy Incident," at the top-right side of their page.
Report the loss or theft to the police
Notify local law enforcement in the jurisdiction where the device was stolen (Stanford Police on campus, or the local police in other locations). Be sure you collect the case number and primary police contact for the case.
Notify your manager of the theft or lost device
You will also want to include your local IT support personnel for assistance with restoring your backed-up data to a replacement device.
For more information and next steps, including how to wipe and track a lost phone or tablet, see Reporting an Incident.
What qualifies as a "Security Incident?"
As stated in the Administrative Guide Memo on Incident Response, a security incident is defined as:
- Theft or other loss of a laptop, desktop, PDA or other device that contains High Risk information, whether or not such device is owned by Stanford.
- Attempts (either failed or successful) to gain unauthorized access to a system or its data.
- Unwanted disruption or denial of service.
- The unauthorized use of a system to process or store data.
- Changes to system hardware, firmware or software without the owner's knowledge, instruction or consent.
- OR, a Non-electronic Information Security Incident: real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.
What should I do?
Any member of the University community who becomes aware of an information security incident should immediately:
My phone or computer was lost/stolen
Any employee who has lost, or had stolen, a device used for Stanford business is responsible for following all school procedures. This includes reporting the situation immediately to the Stanford University Privacy Office. Click here for the procedure for reporting a missing device.
I think I’ve been hacked!
If you suspect that your computer or server has been hacked or compromised, call the University Information Security Office at (650) 723-2911 and submit a HelpSU ticket.
What is a DMCA notice?
You may receive a DMCA (Digital Millennium Copyright Act) notice if the University Information Security Office receives a complaint of alleged copyright infringement. You must work with the University Information Security Office to determine if the alleged infringement is valid, and if so, the appropriate steps and behavior that will be expected of you. Go to dmca.stanford.edu to log in with your SUNetID and resolve the complaint.
If you don't have a SUNetID or can't log in, call the Information Security Office at (650) 723-2911 to arrange for resolution of the DMCA complaint attributed to you. Please refer to the SU# incident number(s) from the Subject line of your notification emails when you call.
My computer is acting weird
If your computer is not acting as expected, contact your local support person to try to determine the problem. If the problem does not appear to be a technical problem and persists, contact IRT Information Security online (irthelp.stanford.edu) or by phone (650-725-8000, option 4), or visit the Tech Bar in Lane Library (8am - 6pm, M-F).
Compromised System Policy
Any computer or device on the School of Medicine network that is posing a threat to other computers or network resources may have its network access disabled until the problem is addressed. Threats include: signs of malware infection, system compromise, attempts to exploit vulnerabilities on other systems, excessive use of network bandwidth, or other malicious network activity. Compromised systems will generally need to be rebuilt with a new installation of the operating system and updated security patches before their network access can be re-enabled.