Notification Contacts for IT Security Incidents

Some data types have additional, immediate notification requirements in the event of a security incident. The following are contacts to notify in addition to IIA ([email protected]) and the CAEN Security Group ([email protected]). See also the Sensitive Data Guide to IT Services.

Export Control (ITAR, EAR)

Incidents regarding export-controlled information require notification to the CoE Research Development Office, the Export Controls Office, and Security@umich. The email addresses for these are [email protected], [email protected], and [email protected]. FYI: security@engin will automatically be included via the [email protected] email address. Please refer to this link for complete instructions on properly reporting and following through with Export Control violations.

PCI DSS (credit card)

Incidents regarding PCI data must be reported to the university Treasurer’s Office: [email protected]

HIPAA (ePHI)

Incidents regarding electronic Protected Health Information must be reported to the UMHS Compliance Office by calling the hotline, by submitting an online report through the Compliance Hotline, or by emailing [email protected]

Sensitive Identifiable Human Subject Research

Incidents regarding HSR data must be reported to the U-M Office of Research (UMOR): http://research-compliance.umich.edu/human-subjects