Data Breach Response Policy

1. Mission

East Routt Library District dba Bud Werner Memorial Library (“Library”) offers lending services that require the use of Personally Identifiable Information (PII) to meet the Library’s mission: Promoting Enrichment, Education and Escape for Everyone.

2. Purpose

The Data Breach Response Policy, approved by the East Routt Library District Board of Trustees, is intended to focus attention on data security, data security breaches and how the Library’s established culture of openness, trust and integrity should respond to such activity. The Library is committed to protecting employees, partners and patrons from illegal data breaches or damaging actions by individuals, either knowingly or unknowingly.

3. Scope

This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle PII of Library employees, partners and patrons. Any agreements with vendors will contain similar language that protects Library users.

4. Suspected theft, data breach or exposure of Library protected data or Library sensitive data

Any individual who suspects that a theft, breach or exposure of Library protected data or Library sensitive data has occurred must immediately provide a description of the breach via email to nbigzad@steamboatlibrary.org or incident@steamboatlibrary.org, or by calling 970.367.4911.

This email address and phone number are monitored by the Library’s Information Security Team. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Library shall assess the risk, assemble a response team and provide notification of the breach as per C.R.S. 24-73-103.

4.1 Response Team

The Library Director will chair an incident response team to handle a breach or exposure.

The team will include:

  • Library’s Technology Specialist
  • Marmot IT Services representative
  • The supervisor of the affected unit or department that uses the involved system or output, or whose data may have been breached or exposed
  • Additional department supervisors based on the data type involved
  • Additional individuals as deemed necessary by the Library Director