On or about September 20, PSU-AAUP received formal notice of administration’s intention to promulgate the new information security policy. On October 8 PSU-AAUP submitted our statement of Issues and Demand to Bargain.
Our prime concern with the policy, from a bargaining standpoint, is that it does not establish any notification requirements to employees should their personal information be compromised, and it provides no mitigation, as a matter of policy, when a data security breach at the University causes harm to an employee.
Such a breach occurred in January 2016 when a University employee responded to a phishing email that resulted in the disclosure of personal information about all University employees. That breach subsequently required many AAUP members to present themselves in person, with their government IDs, to the Internal Revenue Service office to file their 2015 federal tax returns. We now know what data breaches demand of us, and we should adopt policies that address not just the security of the data, but how to deal with the impacts of the breach.
Also noteworthy is the fact that the new information security policy does not reference the information security policy that was adopted in 2009 and revised in 2011, so we do not know if this is an addendum to the policy, or a complete replacement. This is important because there are significant inconsistencies between the two policies and those inconsistencies need to be resolved from a policy standpoint prior to the adoption of the new policy document.