(a) If a public institution of higher education collects personally identifiable information of an individual and discovers or is notified of a breach of the security of a system, the public institution of higher education shall conduct in good faith a reasonable and prompt investigation to determine whether the unauthorized acquisition of personally identifiable information of the individual has occurred.

(b) (1) If, after the investigation is concluded, the public institution of higher education determines that a breach of the security of the system has occurred, the public institution of higher education or a third party, if authorized under a written contract or agreement with the public institution of higher education, shall:

(i) notify the individual of the breach; and

(ii) notify the Chief Information Officer of the public institution of higher education of the breach.

(2) A notification required under paragraph (1) of this subsection shall include, to the extent possible, a description of the categories of personally identifiable information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personally identifiable information were, or are reasonably believed to have been, acquired.

(3) If the public institution of higher education determines that a breach of the security of the system has occurred involving the personally identifiable information of 1,000 or more individuals, the public institution of higher education shall post a notice on the same webpage as the privacy notice website of the public institution of higher education:

(i) describing the breach; and

(ii) that remains publicly available on the website for at least 1 year from the date on which notice was sent to individuals affected by the breach.