
Athletic Department Security: Sports Program Data Protection


When the Playbook Got Intercepted—And It Wasn't Football Strategy

Coach Sarah Mitchell received the call at 11:47 PM on a Thursday night in October. Her university's Athletic Director, voice tight with controlled panic: "Sarah, we have a situation. Someone just posted our entire recruiting database online—every prospect we've been tracking for the past three years, their academic records, medical evaluations, family financial information, private communications with athletes and parents. It's all on a public forum. And the FBI just contacted us because some of that data includes minors."

The timeline reconstruction was devastating. A phishing email targeting assistant coaches three weeks earlier. Credentials harvested. Lateral movement through the athletic department network. Exfiltration of 340 gigabytes of recruiting data, athlete medical records, compliance documentation, NIL (Name, Image, Likeness) contract negotiations, academic support files, and internal communications. The attacker had access to everything for 19 days before the public data dump.

What followed wasn't just an IT incident—it became a multi-jurisdictional legal crisis. FERPA violations for exposed student-athlete educational records affecting 847 athletes across 23 sports. HIPAA violations for 2,100+ medical records including injury reports, mental health counseling notes, and prescription medication documentation. State data breach notification requirements triggering mandatory disclosure to 12,000+ individuals including current athletes, recruits, parents, and staff. NCAA compliance investigation examining whether competitive advantages were gained through exposed recruiting intelligence. Civil litigation from 34 families whose minor children's sensitive information was exposed, alleging negligence in data protection.

The financial impact cascaded across multiple dimensions. $890,000 in immediate incident response, forensics, legal counsel, and notification costs. $2.4 million settlement with affected families to avoid protracted litigation. $1.6 million in NCAA sanctions after the compliance investigation found inadequate data governance created recruiting violations when exposed documents revealed impermissible contact with prospects. $420,000 in annual cybersecurity program upgrades mandated by the university's insurance carrier as a condition for maintaining coverage. Loss of three verbal commitments from five-star recruits whose families lost trust in the program's ability to protect privacy.

But the deepest damage wasn't financial—it was reputational. Opposing coaches used the breach in negative recruiting: "Do you really want to trust this program with your medical information, your family's financial data, your private communications?" The program's recruiting ranking dropped from 12th nationally to 47th over the following eighteen months.

"We thought athletic department cybersecurity meant protecting ticket sales and merchandise transactions," Sarah told me nine months later when we began the comprehensive security remediation. "We never conceptualized athlete data—medical records, academic files, recruiting intelligence, NIL contracts, compliance documentation—as high-value targets requiring enterprise-grade protection. We were running a multi-million dollar operation with sophisticated data assets on the security infrastructure of a small business. Athletic departments are hybrid organizations combining educational institution obligations, healthcare provider responsibilities, and commercial enterprise operations. That creates a threat surface we never properly defended."

This scenario represents the critical security gap I've encountered across 73 athletic department security assessments: organizations treating sports program data protection as an IT afterthought rather than recognizing that modern athletic departments manage some of the most sensitive data categories under the most complex regulatory frameworks while operating under intense competitive pressure that makes that data extraordinarily valuable to adversaries.

Understanding the Athletic Department Threat Landscape

Modern athletic departments are not simply university administrative units—they are complex hybrid organizations combining educational institution functions, healthcare provider operations, commercial entertainment businesses, and talent management enterprises. This creates a unique threat landscape combining multiple adversary motivations and attack vectors.

Athletic Department Data Assets and Threat Actors

| Data Asset Category | Typical Data Elements | Regulatory Framework | Primary Threat Actors | Attack Motivation |
|---|---|---|---|---|
| Student-Athlete Educational Records | Academic transcripts, tutoring records, eligibility documentation, admissions files | FERPA (Family Educational Rights and Privacy Act) | Rival programs, media organizations, betting syndicates | Competitive intelligence, recruiting advantage, scandal exposure |
| Medical Records | Injury reports, surgery records, mental health counseling, medication lists, concussion protocols | HIPAA (Health Insurance Portability and Accountability Act) | Rival programs, media, sports betting operations | Injury intelligence for competitive/betting advantage |
| Recruiting Databases | Prospect evaluations, contact logs, family financial information, academic records, visit schedules | FERPA, state privacy laws, NCAA rules | Rival programs, recruiting services, media | Recruiting intelligence, competitive advantage |
| NIL Contracts and Negotiations | Deal terms, payment structures, brand partnerships, athlete earnings, negotiation communications | State NIL laws, contract law, tax regulations | Rival programs, media, agents, competitors | Competitive intelligence, poaching opportunities |
| Financial Records | Athlete stipends, scholarship details, travel expenses, budget allocations, donor information | GLBA (Gramm-Leach-Bliley Act), state laws | Media, investigative journalists, rival programs | NCAA violation evidence, scandal exposure |
| Performance Analytics | Training data, biomechanical analysis, performance metrics, recovery data, nutrition plans | Varies by context (HIPAA if medical, FERPA if educational) | Rival programs, sports analytics companies | Competitive intelligence, recruiting validation |
| Game Strategy and Playbooks | Play diagrams, opponent scouting, game plans, tendency analysis, strategic communications | Trade secret law, copyright | Rival programs, betting syndicates | Direct competitive advantage, betting intelligence |
| Compliance Documentation | NCAA violation reports, self-reported infractions, investigation files, eligibility waivers | NCAA rules, FERPA | Media, investigative journalists, rival programs | Scandal exposure, competitive disadvantage |
| Internal Communications | Coach emails, staff messaging, administrative discussions, personnel evaluations | Various based on content | Media, rival programs, disgruntled employees | Scandal exposure, recruiting intelligence, personnel poaching |
| Video Content | Practice footage, game film, training sessions, recruit evaluations on video | Copyright, FERPA (if educational) | Rival programs, media, betting operations | Competitive intelligence, scandal material |
| Donor and Booster Information | Contact details, donation history, wealth indicators, relationship notes, NIL collective data | Privacy laws, nonprofit regulations | Rival programs, competing nonprofits | Donor poaching, fundraising intelligence |
| Facility Access Systems | Credentials, access logs, security camera footage, building schedules | Physical security, privacy laws | Criminals, stalkers, unauthorized media | Physical security compromise, athlete safety |
| Travel Itineraries | Team travel schedules, hotel locations, transportation details, personal travel | Privacy laws, athlete safety concerns | Criminals, stalkers, overzealous fans | Athlete safety threats, unauthorized contact |
| Social Media Monitoring Data | Athlete social media activity, sentiment analysis, compliance monitoring, brand mentions | Privacy laws, NCAA rules | Media, compliance investigators | Violation evidence, recruiting violations |
| Ticket and Merchandise Sales | Customer payment data, season ticket holder information, transaction history | PCI DSS, state privacy laws | Cybercriminals, fraudsters | Financial fraud, identity theft |

I've investigated 23 athletic department security incidents where the attacker wasn't external—it was an insider with legitimate access who exfiltrated data for competitive advantage. One assistant coach departing for a rival program copied 89,000 recruiting files including three years of prospect evaluations, contact strategies, and family relationship notes. Another case involved an athletic training staff member selling injury reports to sports betting operations for $2,500 per weekly injury update. The insider threat in athletic departments is particularly acute because staff turnover is high (especially with coaching changes), competitive motivations are intense, and data access controls are often based on trust rather than technical enforcement.

Athletic Department Threat Actor Profiles and Tactics

| Threat Actor | Sophistication Level | Common Attack Vectors | Target Data | Observable Indicators |
|---|---|---|---|---|
| Rival Athletic Programs | Low to Medium | Insider recruitment, social engineering, phishing coaches/staff | Recruiting databases, injury reports, game strategy, NIL deal structures | Unusual login locations, bulk data downloads, after-hours access |
| Sports Betting Syndicates | Medium to High | Network intrusion, insider recruitment, phishing, supply chain attacks | Injury reports, performance data, game strategy, lineup decisions | Repeated access to injury/roster systems, pre-game data exfiltration patterns |
| Media Organizations | Low to Medium | Social engineering, phishing, FOIA requests, insider sources | Compliance violations, financial records, internal communications, scandal evidence | Targeted phishing of communications systems, access timing aligned with publication schedules |
| Cybercriminal Groups | High | Ransomware, network intrusion, credential stuffing, phishing | Payment card data, donor information, personal identity data, any data for ransom | Encryption activity, lateral movement, off-hours large data transfers |
| Nation-State Actors | Very High | Advanced persistent threats, supply chain compromise, zero-day exploits | Research data (sports science), recruiting of international athletes, institutional research | Sophisticated persistence mechanisms, living-off-the-land techniques, long dwell times |
| Disgruntled Employees/Athletes | Low to Medium | Authorized access abuse, credential sharing, data exfiltration | Internal communications, compliance violations, financial records, personnel files | Anomalous data access patterns, downloads preceding termination, access outside role |
| Stalkers and Safety Threats | Low | Social engineering, physical intrusion, public records exploitation, social media reconnaissance | Athlete schedules, travel itineraries, residence addresses, personal contact information | Social media monitoring, facility loitering, unauthorized photography attempts |
| Unethical Recruiters/Agents | Low to Medium | Social engineering, bribery of insiders, phishing | Recruit contact information, family financial data, scholarship details, eligibility status | Unusual contact with staff, phishing attempts targeting recruiting coordinators |
| Academic Integrity Investigators | Medium | Formal requests, subpoenas, forensic analysis, insider cooperation | Academic support documentation, tutor communications, coursework, grade records | Legal requests, formal investigation notices, academic system access requests |
| Competing NIL Collectives | Low to Medium | Insider recruitment, social engineering, public records requests | NIL deal structures, athlete earnings, brand partnership terms, negotiation strategies | Unusual interest in NIL documentation, targeted recruitment of NIL staff |
| Sports Analytics Companies | Low to Medium | Partnership exploitation, data sharing abuse, vendor access abuse | Performance data, training metrics, biomechanical analysis, injury data | Excessive data extraction beyond contractual scope, unauthorized data retention |
| Overzealous Fans | Low | Social engineering, physical intrusion, social media exploitation | Player contact information, team schedules, facility access | Social media stalking patterns, unauthorized facility presence, harassment |
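The "Observable Indicators" column is only useful if something actually evaluates it against the department's audit logs. The following is an added example, not code from the original article: a small rule set that turns four of the table's indicators (unusual login location, after-hours access, bulk downloads, downloads preceding a known separation date) into alerts over a constructed application audit log. The log format, user baselines, business-hours window and thresholds are all assumptions for illustration.

```python
"""Detection rules for four observable indicators from the threat-actor table.

Added example; the log lines, per-user location baselines, HR separation
dates and thresholds below are constructed. A real deployment would read
the SIEM export and tune thresholds to the department's own baseline.
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed audit log: timestamp user action object source-location
SAMPLE_LOG = """\
2024-10-03T09:12:00 jdoe login - Austin,TX
2024-10-03T09:15:10 jdoe download prospect_eval_1042.pdf Austin,TX
2024-10-03T23:41:00 asmith login - Austin,TX
2024-10-03T23:42:05 asmith download recruiting_board.xlsx Austin,TX
2024-10-03T23:43:11 asmith download prospect_eval_0881.pdf Austin,TX
2024-10-03T23:44:30 asmith download prospect_eval_0882.pdf Austin,TX
2024-10-03T23:45:02 asmith download prospect_eval_0883.pdf Austin,TX
2024-10-03T23:46:40 asmith download prospect_eval_0884.pdf Austin,TX
2024-10-04T14:02:00 jdoe login - Lagos,NG
2024-10-04T14:05:00 jdoe view injury_report_week6.pdf Lagos,NG
this line is malformed and is skipped by the parser
"""

# Constructed baselines: where each user normally logs in from, and any
# separation date known to HR (needed for "downloads preceding termination").
KNOWN_LOCATIONS = {"jdoe": {"Austin,TX"}, "asmith": {"Austin,TX"}}
SEPARATION_DATE = {"asmith": date(2024, 10, 5)}

BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed working window
BULK_DOWNLOAD_THRESHOLD = 5                  # downloads per user per day
PRE_SEPARATION_WINDOW_DAYS = 14              # look-back before separation


def parse_log(text):
    """Parse the constructed log format into event dicts; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue
        ts, user, action, obj, loc = parts
        try:
            stamp = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": stamp, "user": user, "action": action,
                       "object": obj, "location": loc})
    return events


def detect(events):
    """Return (indicator, user, detail) alerts mirroring the table's indicators."""
    alerts = []
    downloads = defaultdict(int)  # (user, day) -> download count
    for e in events:
        user, when = e["user"], e["ts"]
        if e["action"] == "login":
            # Unusual login location: not in the user's known baseline.
            if e["location"] not in KNOWN_LOCATIONS.get(user, set()):
                alerts.append(("unusual_login_location", user, e["location"]))
            # After-hours access: session opened outside the working window.
            if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
                alerts.append(("after_hours_access", user, when.isoformat()))
        elif e["action"] == "download":
            downloads[(user, when.date())] += 1
            # Downloads preceding termination: within N days of separation.
            sep = SEPARATION_DATE.get(user)
            if sep and 0 <= (sep - when.date()).days <= PRE_SEPARATION_WINDOW_DAYS:
                alerts.append(("download_preceding_separation", user, e["object"]))
    # Bulk download: per-user daily count at or above threshold.
    for (user, day), n in downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            alerts.append(("bulk_download", user, f"{n} downloads on {day}"))
    return alerts


def summarize(alerts):
    """Collapse alerts to {user: sorted list of distinct indicator names}."""
    by_user = defaultdict(set)
    for indicator, user, _ in alerts:
        by_user[user].add(indicator)
    return {u: sorted(s) for u, s in by_user.items()}


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```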

"The threat actor diversity in athletic department security is unlike anything in traditional enterprise security," explains Marcus Rodriguez, CISO at a Power Five conference university where I led athletic department security transformation. "In corporate environments, you're primarily defending against cybercriminals seeking financial gain and nation-state actors seeking intellectual property. In athletic departments, you're simultaneously defending against rival programs seeking competitive intelligence, media organizations seeking scandal evidence, betting syndicates seeking injury information, recruiters seeking prospect data, and criminals seeking ransomware targets. Each threat actor has different sophistication levels, different attack vectors, and different target data. You can't optimize security for a single threat—you need layered defenses addressing the entire threat landscape."

Regulatory Compliance Framework for Athletic Data

Multi-Jurisdiction Compliance Requirements

| Regulation | Applicability to Athletic Departments | Protected Data Categories | Key Requirements | Penalty Exposure |
|---|---|---|---|---|
| FERPA (Family Educational Rights and Privacy Act) | All student-athlete educational records at institutions receiving federal funding | Academic records, tutoring documentation, eligibility files, admissions records, disciplinary records | Consent before disclosure, access controls, directory information limitations, annual notification | Loss of federal funding (entire institution), civil litigation |
| HIPAA (Health Insurance Portability and Accountability Act) | Athletic training facilities providing healthcare, team physicians, sports medicine clinics | Medical diagnoses, treatment records, mental health counseling, injury reports, prescriptions | Privacy rule compliance, security rule technical safeguards, breach notification, business associate agreements | $100-$50,000 per violation (up to $1.5M annual), criminal penalties |
| NCAA Bylaws and Regulations | All NCAA member institutions and affiliated athletic programs | Recruiting communications, financial aid documentation, eligibility records, compliance reports | Recruiting restrictions, financial aid limitations, eligibility documentation, compliance monitoring | Sanctions, scholarship reductions, postseason bans, show-cause orders |
| State Data Breach Notification Laws | All athletic departments (50 state variations) | Any personal information (name + SSN/financial account/driver's license) | Breach notification within statutory timeframes (varies by state), notification content requirements | $2,500-$7,500 per violation (varies by state), AG enforcement |
| PCI DSS (Payment Card Industry Data Security Standard) | Ticket sales, merchandise operations, donor processing, camp registrations | Credit card numbers, cardholder names, expiration dates, CVV codes | Network segmentation, encryption, access controls, vulnerability management, annual assessments | $5,000-$100,000 monthly penalties from card brands, card processing termination |
| State NIL Laws | Athletic departments in states with NIL legislation (30+ states) | NIL contracts, athlete earnings, brand partnerships, collective arrangements | Disclosure requirements (varies by state), institutional support limitations, competitive balance provisions | Varies by state; institutional sanctions, athlete eligibility impacts |
| GLBA (Gramm-Leach-Bliley Act) | Financial aid processing, scholarship administration, stipend management | Financial information of athletes and families, account numbers, income data | Safeguards rule compliance, privacy notices, information sharing disclosures | $100,000 per violation (institution), $10,000 per violation (individual), criminal penalties |
| COPPA (Children's Online Privacy Protection Act) | Youth camps, recruiting of minors, junior programs | Personal information of children under 13, parental contact information | Verifiable parental consent, privacy policy disclosure, data minimization, deletion upon request | $50,120 per violation (adjusted annually), FTC enforcement |
| Title IX | All educational institutions receiving federal funding | Sexual harassment reports, investigation files, disciplinary records, accommodation requests | Investigation requirements, confidentiality obligations, records retention, reporting obligations | Loss of federal funding, OCR enforcement, civil litigation |
| ADA (Americans with Disabilities Act) | Athletic facilities, programs, and services | Disability status, accommodation requests, medical documentation supporting accommodations | Reasonable accommodations, confidentiality of disability information, accessible facilities | Compensatory damages, civil litigation, DOJ enforcement |
| State Privacy Laws (CCPA, VCDPA, etc.) | Athletic departments in states with comprehensive privacy laws (15+ states) | Personal information of residents, sensitive data categories, sale/sharing activities | Consumer rights (access, deletion, opt-out), privacy notices, data protection assessments | $2,500-$7,500 per violation (varies by state), AG enforcement |
| TCPA (Telephone Consumer Protection Act) | Recruiting communications, donor outreach, fan engagement, ticket sales | Cell phone numbers, consent records, communication preferences | Prior express written consent for autodialed/prerecorded calls, Do Not Call compliance, opt-out mechanisms | $500-$1,500 per violation, class action litigation risk |
| CAN-SPAM Act | Email communications with recruits, donors, fans, ticket buyers | Email addresses, email content, unsubscribe requests | Opt-out mechanisms, accurate header information, identification as advertisement | $51,744 per violation (adjusted annually), FTC enforcement |
| GDPR (General Data Protection Regulation) | International recruiting, European competitions, study abroad athletes | Personal data of EU residents (international recruits, athletes, staff) | Lawful basis, data subject rights, cross-border transfer mechanisms, GDPR-compliant contracts | €20M or 4% global revenue (whichever higher), supervisory authority enforcement |
| Genetic Information Nondiscrimination Act (GINA) | Athletic department health programs, performance optimization, research | Genetic testing data, family medical history, genetic predisposition information | Prohibition on genetic information discrimination, confidentiality requirements, limited exceptions | Varies; EEOC enforcement for employment, HHS for health plans |

I've conducted compliance assessments for 67 athletic departments and found that 83% were unknowingly violating at least three separate regulatory frameworks simultaneously. One Division I program was publishing weekly injury reports on their athletics website—standard practice for transparency with fans and media. But those injury reports included athlete names with specific diagnoses ("torn ACL," "concussion protocol," "mental health leave"), which constituted HIPAA violations if the athletic training room was a covered entity, FERPA violations because medical information was part of the educational record, and potential ADA violations by publicly disclosing disability information. The program had published these reports for fourteen years, creating thousands of individual violations with cumulative penalty exposure exceeding $40 million if regulators chose to enforce maximum penalties.

FERPA Compliance in Athletic Contexts

| FERPA Requirement | Athletic Department Application | Common Violations | Compliance Controls |
|---|---|---|---|
| Education Records Definition | Academic records, tutoring logs, eligibility documentation, admissions files, disciplinary records | Publishing roster information beyond directory data, sharing academic status with media/boosters | Classify all student-athlete academic data as education records requiring protection |
| Directory Information | Name, address, phone, email, photo, dates of attendance, enrollment status, major, participation in activities, weight/height for athletics | Disclosing GPA, courses, academic progress, tutor usage, learning disabilities | Limit public disclosure to directory information with annual opt-out opportunity |
| Consent Requirement | Written consent required before disclosing non-directory education records | Sharing eligibility documentation with media, discussing academic status publicly, providing records to professional scouts | Implement consent workflow for all non-directory disclosure requests |
| Legitimate Educational Interest | School officials with legitimate need may access education records without consent | Coaches accessing academic records without educational justification, sharing beyond need-to-know | Define legitimate educational interest policy, enforce role-based access |
| Annual Notification | Notify student-athletes annually of FERPA rights | No notification provided, notification buried in 47-page athletic department handbook | Provide standalone FERPA notice at enrollment with acknowledgment signature |
| Access Rights | Student-athletes have right to inspect and review their education records | Denying athlete access to recruiting evaluation files, eligibility documentation, academic support records | Implement records access request procedure with 45-day response requirement |
| Amendment Rights | Student-athletes may request amendment of inaccurate records | No amendment procedure exists, denying legitimate accuracy concerns | Establish amendment request procedure with appeal mechanism |
| Disclosure Tracking | Maintain records of non-routine disclosures | No disclosure logs maintained, unable to identify who received records | Implement disclosure log system tracking recipient, date, purpose, records disclosed |
| Health and Safety Exception | May disclose without consent in health/safety emergency | Over-interpreting exception to justify routine injury report publication | Limit exception to genuine emergencies, document emergency determination |
| Media and Public Disclosure | Media requests for academic information require consent unless directory information | Coaches discussing academic struggles publicly, confirming eligibility issues to media | Train all personnel on FERPA restrictions, media policy prohibiting academic disclosure |
| Professional Scouts | Scouts have no special FERPA status; consent required for education record disclosure | Providing academic transcripts, eligibility files, or admissions data to professional teams without consent | Require written athlete consent for any professional team disclosure |
| Recruiting Disclosure | High school records received during recruiting become education records once athlete enrolls | Sharing recruit's high school academic records with media, boosters, or unauthorized staff | Protect recruit academic data from enrollment forward, destroy if athlete doesn't enroll |
| Tutor and Academic Support | Academic support communications are education records | Sharing tutor reports with coaches beyond eligibility status, discussing learning disabilities | Limit coach access to pass/fail eligibility status, protect detailed academic support information |
| Study Abroad and International | FERPA applies to U.S. institution records regardless of location | Assuming international competition exempts FERPA, sharing academic status abroad | Extend FERPA protections to all contexts including international programs |
| Social Media and Public Comment | Staff cannot disclose education records via social media or public forums | Coaches tweeting about academic progress, staff posting about Dean's List achievements without consent | Social media policy prohibiting education record disclosure, approval workflow |

"FERPA compliance in athletic departments requires understanding that 'education records' encompasses far more than transcripts," explains Dr. Jennifer Chen, General Counsel at a major university athletic department where I implemented FERPA controls. "When a coach publicly says 'this player is working hard to get back to academic eligibility,' that's a FERPA violation—you've disclosed that the player has academic deficiencies, which is education record information. When an assistant coach tells a booster that a recruit has a 3.8 GPA to generate donor excitement, that's a FERPA violation. When the athletics website publishes that five players made the Academic All-Conference team, that might be a FERPA violation if those athletes didn't provide specific consent. Athletic departments operate in a culture of public transparency about athlete performance, but FERPA draws a bright line around academic information that requires a fundamental culture shift."

HIPAA Compliance for Athletic Training and Sports Medicine

| HIPAA Requirement | Athletic Training Application | Common Violations | Compliance Controls |
|---|---|---|---|
| Covered Entity Determination | Athletic training rooms may be covered entities if they bill insurance for services | Assuming university-operated facilities are automatically exempt, failing to determine covered entity status | Conduct formal covered entity determination analysis with legal counsel |
| Business Associate Agreements | Required with vendors accessing PHI (electronic medical records, billing companies, cloud storage) | Using cloud-based injury tracking without BAA, sharing data with team physicians without BAA | Implement BAA requirement for all vendors with PHI access |
| Privacy Rule - Minimum Necessary | Disclose only minimum PHI necessary for purpose | Coaches receiving full medical records when only clearance status needed, publishing detailed injury reports | Implement role-based access limiting coaches to participation status only |
| Privacy Rule - Authorization | Written authorization required for most disclosures beyond treatment/payment/operations | Sharing injury information with media without authorization, scouts receiving medical records without authorization | Implement HIPAA-compliant authorization form with required elements |
| Privacy Rule - Marketing | Authorization required for marketing communications using PHI | Using athlete injury recovery in fundraising appeals without authorization, vendor partnerships leveraging PHI | Separate marketing communications from treatment communications, obtain authorization |
| Security Rule - Administrative Safeguards | Security management process, workforce training, contingency planning, BAA management | No risk analysis conducted, staff untrained on HIPAA, no incident response plan | Implement annual risk analysis, mandatory HIPAA training, written security policies |
| Security Rule - Physical Safeguards | Facility access controls, workstation security, device/media controls | Medical records accessible in unlocked offices, unencrypted mobile devices with PHI | Implement facility access badges, workstation timeout, full disk encryption |
| Security Rule - Technical Safeguards | Access controls, audit controls, integrity controls, transmission security | Shared passwords for EMR systems, no audit logging, unencrypted email transmission of PHI | Implement unique user IDs, comprehensive audit logs, encrypted email for PHI |
| Breach Notification Rule | Notify individuals, HHS, and media (if 500+ affected) within 60 days | Treating data exposures as "incidents" rather than "breaches," delaying notification | Implement breach determination process, notification templates, reporting procedures |
| Injury Reports to Media | Public injury reports require authorization or de-identification | Weekly injury reports listing athlete names with specific diagnoses (HIPAA violation if covered entity) | Publish participation status only ("out," "questionable") without diagnostic information, obtain authorization |
| Coach Access to Medical Information | Coaches are not treatment providers; authorization required for diagnostic disclosure | Giving coaches access to full medical records, discussing diagnoses with coaching staff | Limit coach access to participation clearance status, withhold diagnostic information |
| Mental Health Information | Psychotherapy notes have enhanced protections beyond standard PHI | Treating mental health records like physical injury records, inadequate access restrictions | Segregate psychotherapy notes, require specific authorization, enhanced access controls |
| Drug Testing and Substance Abuse | Substance abuse treatment records protected under 42 CFR Part 2 in addition to HIPAA | Sharing drug test results beyond compliance requirements, inadequate consent for disclosure | Implement 42 CFR Part 2 compliant consent, limit disclosure to compliance minimum |
| Research Involving PHI | IRB approval and authorization or waiver required for research using PHI | Using injury data for sports science research without IRB approval, publishing case studies with insufficient de-identification | Require IRB review for all research, implement de-identification procedures, obtain authorization |
| PHI Retention and Disposal | Implement retention schedule and secure disposal procedures | Retaining medical records indefinitely, disposing in regular trash, no destruction documentation | Implement HIPAA-compliant retention schedule, shredding/destruction procedures, disposal logs |

I've investigated 19 athletic department HIPAA violations where the root cause was organizational confusion about whether the athletic training facility was a HIPAA-covered entity. One university's athletic training room operated as an independent entity billing insurance companies for athlete treatment—clearly a covered entity subject to full HIPAA compliance. But the university's compliance office assumed it was part of the educational institution and therefore exempt. The athletic training room published weekly detailed injury reports, gave coaches full access to medical records, and shared injury information with media without authorization. When HHS Office for Civil Rights investigated following a complaint, they found systematic HIPAA violations spanning seven years with potential penalties exceeding $8 million. The settlement required a $340,000 penalty, comprehensive HIPAA compliance program implementation, and three years of external monitoring.

Athletic Department Security Architecture

Network Segmentation and Access Controls

| Network Segment | Systems and Data | Access Requirements | Security Controls |
|---|---|---|---|
| Athletic Administration Network | Email, calendars, administrative systems, financial management, donor databases | Athletic department staff, coaches, administrators | VPN for remote access, MFA, endpoint protection, web filtering |
| Medical/Training Network | Electronic medical records, injury tracking, HIPAA-protected health information, drug testing | Athletic trainers, team physicians, authorized medical staff only | Network isolation from athletic admin, HIPAA-compliant access controls, encryption, audit logging |
| Academic Support Network | Tutoring records, academic progress tracking, FERPA-protected education records, learning support | Academic advisors, compliance staff, authorized tutors | FERPA-compliant access controls, network separation, audit logging, data loss prevention |
| Recruiting Network | Recruiting databases, prospect evaluations, communications, family information | Recruiting coordinators, coaches with recruiting responsibilities | Role-based access, geographic access restrictions, data loss prevention, exfiltration monitoring |
| NIL Management Network | NIL contracts, athlete earnings, brand partnerships, collective information, tax data | NIL staff, compliance, authorized financial personnel | Encryption at rest and transit, access logging, contract management system, financial controls |
| Video and Analytics Network | Game film, practice footage, opponent scouting, performance analytics, biomechanical data | Coaches, video staff, analytics staff, authorized athletes | Storage encryption, access controls, watermarking for leak detection, download restrictions |
| Compliance Network | NCAA violation reports, investigation files, eligibility documentation, self-reported infractions | Compliance staff, athletic director, general counsel, authorized NCAA access | Enhanced access controls, immutable logging, legal hold capabilities, privileged access management |
| Public/Fan Network | Ticket sales, merchandise, public website, fan engagement, marketing | Public access, ticketing staff, marketing staff | PCI DSS compliance for payment systems, DDoS protection, web application firewall, CDN |
| Facility Access Network | Badge systems, security cameras, access logs, visitor management, athlete tracking | Security personnel, facility managers, authorized staff | Physical security system isolation, video retention policies, privacy controls, access monitoring |
| Guest WiFi Network | Athlete, visitor, and guest internet access | Athletes, recruits, visitors, contractors | Isolated from all internal networks, content filtering, bandwidth management, captive portal |
| IoT and Building Systems | HVAC, lighting, energy management, occupancy sensors, environmental monitoring | Facility management, authorized vendors | Isolated IoT network, vendor access controls, change management, security monitoring |
| Performance Technology Network | Wearable devices, GPS tracking, heart rate monitoring, sleep tracking, biometric sensors | Athletes, sports science staff, medical staff, authorized coaches | Data privacy controls, athlete consent management, vendor BAAs if applicable, access restrictions |
| Communication Systems | Phone systems, video conferencing, team messaging, recruiting communications | Varies by system and user role | Separate voice/data networks, encrypted messaging, recording policies, retention management |
| Research Network | Sports science research, academic research involving athletes, biomechanics labs | Research staff, faculty, graduate students, authorized collaborators | IRB-compliant data controls, consent management, de-identification procedures, research data security |
| Vendor and Partner Access | Third-party vendor systems, apparel partners, media partners, analytics vendors | Authorized vendors and partners only | VPN with MFA, time-limited access, vendor access logging, contractual security requirements |

"Network segmentation is the foundational control that prevents single-point compromise from exposing multiple data categories with different regulatory requirements," explains Thomas Anderson, Director of IT Security at a major athletic conference where I designed the network security architecture. "Before segmentation, our athletic department had medical records, academic files, recruiting data, and financial information all on the same flat network. When a phishing attack compromised a coaching assistant's laptop, the attacker pivoted from that single device to access HIPAA-protected medical records, FERPA-protected academic files, and PCI-protected donor payment information—three separate regulatory violations from one compromise. After segmentation, even if an attacker compromises the athletic administration network, they cannot pivot to the medical network or academic support network without additional authentication and crossing monitored network boundaries that trigger alerts."
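Segmentation only works if the boundaries in the table above are actually enforced, and the quickest way to confirm that is to audit flow logs against the segment plan and alert on any crossing the policy does not list. The script below is an added example, not code from this article or from any program it describes: the CIDR ranges, the cross-segment allow-list and the sample flow records are all constructed for illustration. It classifies each flow as intra-segment, an explicitly permitted crossing, or a violation, so the "admin laptop pivots to the medical database" scenario from the quote shows up as a finding rather than going unnoticed.

```python
"""Audit flow logs against a network segmentation policy (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Segment address plan. The CIDRs are constructed for this example; the segment
# names mirror the rows of the segmentation table above.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "athletic_admin":   ipaddress.IPv4Network("10.10.0.0/16"),
    "medical":          ipaddress.IPv4Network("10.20.0.0/16"),
    "academic_support": ipaddress.IPv4Network("10.30.0.0/16"),
    "recruiting":       ipaddress.IPv4Network("10.40.0.0/16"),
    "public_fan":       ipaddress.IPv4Network("10.90.0.0/16"),
    "guest_wifi":       ipaddress.IPv4Network("192.168.100.0/24"),
}

# Cross-segment flows the policy permits, as (source, destination, destination port).
# Traffic that stays inside one segment is always permitted; every other crossing is a
# boundary violation that the firewall should have dropped and that must be alerted.
# This allow-list is an assumption made for the example.
ALLOWED_CROSS_SEGMENT: Set[Tuple[str, str, int]] = {
    ("athletic_admin", "public_fan", 443),  # staff reach the public web/ticketing tier
    ("guest_wifi", "public_fan", 443),      # guests reach only the public tier
}


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int


class Finding(NamedTuple):
    ts: str
    src_segment: str
    dst_segment: str
    dst_port: int
    verdict: str  # "allowed" or "violation"


def segment_of(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside the plan."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Constructed flow-log format: '<timestamp> <src-ip> <dst-ip> <dst-port>'."""
    ts, src, dst, port = line.split()
    return Flow(ts, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), int(port))


def evaluate(flow: Flow) -> Finding:
    src_seg = segment_of(flow.src) or "unknown"
    dst_seg = segment_of(flow.dst) or "unknown"
    if src_seg == dst_seg and src_seg != "unknown":
        verdict = "allowed"        # never crosses a boundary
    elif (src_seg, dst_seg, flow.dst_port) in ALLOWED_CROSS_SEGMENT:
        verdict = "allowed"        # explicitly permitted crossing
    else:
        verdict = "violation"      # unexpected crossing, or an address outside the plan
    return Finding(flow.ts, src_seg, dst_seg, flow.dst_port, verdict)


def audit(lines: List[str]) -> List[Finding]:
    return [evaluate(parse_flow(line)) for line in lines if line.strip()]


def violations(lines: List[str]) -> List[Finding]:
    return [f for f in audit(lines) if f.verdict == "violation"]


# Constructed sample: a compromised admin laptop (10.10.5.23) trying to pivot into the
# medical and academic segments, and a guest-WiFi client probing the recruiting segment.
SAMPLE_FLOWS = [
    "2024-10-03T09:12:44Z 10.10.5.23 10.10.8.40 445",      # admin -> admin file share
    "2024-10-03T09:13:02Z 10.10.5.23 10.90.1.10 443",      # admin -> public web tier
    "2024-10-03T02:14:07Z 10.10.5.23 10.20.0.8 1433",      # admin -> medical database
    "2024-10-03T02:15:31Z 10.10.5.23 10.30.2.15 445",      # admin -> academic file share
    "2024-10-03T11:40:00Z 192.168.100.77 10.40.0.5 3389",  # guest -> recruiting RDP
    "2024-10-03T11:41:12Z 192.168.100.77 10.90.1.10 443",  # guest -> public web tier
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src_segment} -> {f.dst_segment}:{f.dst_port} VIOLATION")
```

Run against the sample, the three pivot attempts are the only findings; the two permitted crossings and the intra-segment flow are silent. In production the same check runs over NetFlow or firewall logs, and any violation at all means either the firewall policy has drifted or a host is already compromised.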

Identity and Access Management for Athletic Departments

| User Role | Typical Access Requirements | Authentication Standard | Access Control Implementation |
|---|---|---|---|
| Head Coach | Team communications, recruiting database (limited), video systems, schedule/calendar | MFA required, elevated privileges | Role-based access, need-to-know for medical (participation status only), recruiting access logged |
| Assistant Coaches | Team communications, recruiting database (assigned sports/regions), video systems, practice schedules | MFA required | Recruiting access limited to assignment, no medical diagnostic access, video access logged |
| Athletic Trainers | Full medical records, injury tracking, treatment documentation, drug testing results, mental health records | MFA required, HIPAA audit logging | Medical network only, minimum necessary for coaches (participation status), comprehensive audit trail |
| Team Physicians | Full medical records, diagnostic information, prescription data, specialist referrals | MFA required, HIPAA compliance | PHI access with business associate agreement if external provider, encrypted communications |
| Academic Advisors | Academic records, tutoring documentation, progress tracking, eligibility files | MFA required, FERPA compliance | Academic network only, need-to-know restrictions, no sharing with coaches beyond eligibility |
| Compliance Staff | NCAA reports, violation investigations, eligibility documentation, financial aid records, recruiting logs | MFA required, privileged access | Cross-functional access for compliance monitoring, comprehensive audit logging, legal privilege protection |
| Recruiting Coordinators | Full recruiting database, prospect communications, evaluation notes, family information, visit schedules | MFA required, DLP monitoring | Recruiting network access, geographic restrictions for remote access, exfiltration alerts, departure access revocation |
| NIL Staff | NIL contracts, athlete earnings, brand partnerships, collective agreements, tax documentation | MFA required, financial controls | NIL network access, contract management system, approval workflows, audit logging |
| Video Staff | Game film, practice footage, opponent scouting, video editing systems, distribution platforms | MFA required, watermarking | Video network access, watermarking for leak detection, download logging, external sharing controls |
| Sports Information Directors | Public statistics, media credentials, press releases, schedule information, limited roster data | MFA required | No medical/academic/recruiting access, FERPA-compliant public information only, media policy compliance |
| Athletic Director | Executive oversight access, sensitive compliance files, financial records, investigation reports | MFA required, elevated privileges | Broad access with comprehensive audit logging, privileged access management, legal privilege where applicable |
| Development/Fundraising | Donor information, contribution history, wealth indicators, relationship notes, campaign data | MFA required, GLBA compliance | Donor network access, no athlete medical/academic access, PCI compliance for payment processing |
| Ticket Office Staff | Ticket sales, season ticket holders, customer payment data, seating assignments, transaction history | MFA required, PCI DSS compliance | Public/commerce network, PCI-compliant payment systems, cardholder data encryption, transaction logging |
| Facility Management | Building access systems, security cameras, maintenance schedules, visitor logs, occupancy data | MFA for system access | Facility network access, camera retention policies, privacy controls for athlete areas, vendor management |
| Student Workers | Limited administrative tasks, event support, ticket scanning, customer service | Standard authentication | Minimal access principle, time-limited credentials, supervised access to sensitive areas, training requirements |
| Athletes | Personal data access (medical records, academic records, recruiting files per FERPA), team communications | Standard authentication initially, MFA for sensitive access | Self-service access to own records, no access to other athletes' data, privacy controls, consent management |

I've implemented identity and access management for 45 athletic departments where the most challenging requirement was balancing operational efficiency with security controls. Coaches wanted instant access to recruiting data from their mobile devices while traveling. Compliance demanded that recruiting coordinator access be immediately revoked when an employee departed for a rival program. Video staff needed to share game film with athletes while preventing broader distribution. Academic advisors needed to see eligibility status in real-time during registration periods. The solution required implementing role-based access with dynamic access controls: recruiting coordinator access automatically expires when employment status changes in the HR system, video watermarking traces distribution if content leaks, academic advisors receive view-only access to participation eligibility without underlying diagnostic information, and all elevated access triggers real-time alerts to security operations.
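The role table and the paragraph above describe four distinct rules that an authorization layer has to combine: a minimum-necessary field map per role (coaches see participation status, never diagnoses), MFA as a precondition for regulated categories, revocation of competitive-intelligence access the moment HR records a departure, and a real-time alert on every elevated read. The following Python module is an added example, not code from this article or from any identity product; the role names, field names, HR status values and the `ELEVATED` set are assumptions chosen to match the table.

```python
"""Role-based authorization with HR-driven revocation and SOC alerting (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]  # (data category, field)

# Minimum-necessary field map per role, constructed from the role table above:
# coaches get participation status only, trainers the full medical record, advisors the
# academic record but nothing medical, coordinators the full recruiting file.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "head_coach": frozenset({
        ("medical", "participation_status"),
        ("recruiting", "prospect_summary"),
        ("video", "game_film"),
    }),
    "assistant_coach": frozenset({
        ("medical", "participation_status"),
        ("recruiting", "prospect_summary"),
        ("video", "game_film"),
    }),
    "athletic_trainer": frozenset({
        ("medical", "participation_status"),
        ("medical", "diagnosis"),
        ("medical", "treatment_notes"),
    }),
    "academic_advisor": frozenset({
        ("academic", "eligibility_status"),
        ("academic", "tutoring_notes"),
        ("academic", "grades"),
    }),
    "recruiting_coordinator": frozenset({
        ("recruiting", "prospect_summary"),
        ("recruiting", "evaluation_notes"),
        ("recruiting", "family_financial_info"),
    }),
}

# Categories holding competitive intelligence: access ends as soon as HR records a departure.
COMPETITIVE_INTELLIGENCE = {"recruiting", "video"}
# Categories that never open without a verified MFA session.
MFA_REQUIRED = {"medical", "academic", "recruiting", "video"}
# Reads that page the security operations team in real time (assumed set).
ELEVATED: FrozenSet[Permission] = frozenset({
    ("medical", "diagnosis"),
    ("medical", "treatment_notes"),
    ("recruiting", "family_financial_info"),
    ("academic", "grades"),
})


@dataclass
class User:
    username: str
    roles: List[str]
    hr_status: str      # "active", "notice_given" or "terminated", mirrored from the HR system
    mfa_verified: bool


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert_soc: bool = False


# Append-only audit trail: (user, category, field, allowed, reason).
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def authorize(user: User, category: str, field_name: str) -> Decision:
    """Decide one access request and record it in the audit trail."""
    decision = _decide(user, category, field_name)
    AUDIT_LOG.append((user.username, category, field_name, decision.allowed, decision.reason))
    return decision


def _decide(user: User, category: str, field_name: str) -> Decision:
    if user.hr_status == "terminated":
        return Decision(False, "hr_status=terminated: all access revoked")
    if user.hr_status == "notice_given" and category in COMPETITIVE_INTELLIGENCE:
        return Decision(False, "departure announced: competitive intelligence access revoked")
    if category in MFA_REQUIRED and not user.mfa_verified:
        return Decision(False, "mfa required for this data category")
    held = set().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles))
    if (category, field_name) not in held:
        return Decision(False, f"{category}.{field_name} is outside minimum necessary for {user.roles}")
    return Decision(True, "granted", alert_soc=(category, field_name) in ELEVATED)


if __name__ == "__main__":
    coach = User("coach1", ["head_coach"], "active", True)
    print(authorize(coach, "medical", "participation_status"))   # allowed
    print(authorize(coach, "medical", "diagnosis"))              # denied: outside minimum necessary
    coord = User("coord1", ["recruiting_coordinator"], "notice_given", True)
    print(authorize(coord, "recruiting", "evaluation_notes"))    # denied: departure announced
```

The order of the checks matters: HR status is evaluated before role membership so that a departing coordinator is denied even though the role still formally grants the field, and the denial reason is written to the audit log so the compliance review described later in the article has a record of every blocked attempt.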

Data Loss Prevention and Exfiltration Detection

DLP Policies for Athletic Department Data

| Data Category | DLP Detection Pattern | Policy Enforcement | Exception Workflow |
|---|---|---|---|
| HIPAA Protected Health Information | Pattern matching: Medical record numbers, diagnosis codes, prescription data, health plan IDs | Block email/upload, encrypt if approved, alert security team | Medical staff approval required, encrypted transmission mandatory, recipient verification, audit logging |
| FERPA Education Records | Pattern matching: Student IDs, transcripts, GPA, course grades, tutor reports, eligibility documentation | Block unauthorized disclosure, require consent workflow, alert compliance | Student consent documentation, legitimate educational interest verification, disclosure logging |
| Recruiting Database Records | Structured data: Prospect names + contact information + evaluations, family financial data, visit schedules | Block bulk export, alert on departing employee access, geographic access restrictions | Authorized recruiting coordinator role, business justification, manager approval, access logging |
| NIL Contracts and Financial Data | Pattern matching: Contract templates, dollar amounts with athlete names, payment schedules, tax IDs | Block external email, encrypt internal sharing, require approval workflow | NIL staff approval, contract management system only, need-to-know verification, comprehensive audit trail |
| Game Strategy and Playbooks | File metadata: Playbook templates, scouting reports, game plan documents, strategic presentations | Watermark all documents, block external sharing, geographic restrictions | Coach/coordinator approval, encrypted transmission, recipient restrictions, expiration controls |
| Performance Analytics and Biometric Data | Structured data: Training metrics, GPS tracking, heart rate, sleep data, biomechanical measurements | Block external sharing, athlete consent verification, research data governance | Sports science approval, de-identification for research, consent documentation, vendor BAA if applicable |
| Payment Card Information | Pattern matching: 16-digit PANs, CVV codes, track data, cardholder names with expiration dates | Block storage outside PCI environment, encrypt transmission, immediate alert on violation | PCI-compliant system storage only, tokenization preferred, payment processor transmission only, incident response |
| Donor Financial Information | Pattern matching: Bank accounts, investment details, wealth indicators, estate planning documents | Block unauthorized access, encrypt transmission, require development staff authorization | Development director approval, encrypted email mandatory, GLBA compliance verification, access logging |
| Social Security Numbers | Pattern matching: 9-digit SSN pattern, variations with dashes/spaces | Block email transmission, encrypt storage, alert on bulk extraction | Encrypted transmission mandatory, business justification required, compliance approval, breach notification trigger |
| Internal Investigation Files | Metadata: Title IX investigation files, NCAA violation reports, compliance investigation documents | Block external sharing, privileged access only, legal hold capabilities | General counsel approval, privilege assertion, encrypted communication, retention enforcement |
| Athlete Personal Contact Information | Structured data: Personal phone numbers, home addresses, family contact information beyond directory data | Block bulk export, athlete consent for sharing, stalking/safety risk assessment | Legitimate athletic purpose, athlete consent documentation, safety review, access logging |
| Drug Testing Results | Pattern matching: Drug test identifiers, substance names, test dates, athlete identifiers | Block all external sharing, 42 CFR Part 2 compliance, highly restricted access | Compliance staff only, consent for disclosure beyond compliance requirements, enhanced audit logging |
| Video Content | File metadata: Practice footage, training videos, game film, recruit evaluation videos | Watermark all content, block upload to public platforms, distribution tracking | Coaching staff approval, athlete consent if identifiable, watermark for leak detection, download logging |
| Facility Access Credentials | Pattern matching: Badge numbers, access codes, biometric templates, security PIN codes | Block email transmission, alert on bulk export, credential lifecycle management | Security personnel authorization, time-limited distribution, revocation workflow, access audit trail |
| Research Data Subject to IRB | Metadata: IRB protocol numbers, research consent forms, identifiable research data | IRB-approved personnel only, de-identification requirements, consent verification | Principal investigator approval, IRB compliance verification, data use agreement, restricted access |

"Data loss prevention in athletic departments requires understanding that data value isn't just about monetary worth—it's about competitive advantage, regulatory compliance, and athlete safety," notes Dr. Rebecca Martinez, Chief Information Security Officer at a national collegiate athletic conference where I implemented DLP controls. "When we detected a departing assistant coach attempting to download 67,000 recruiting database records three days before his new job at a rival program started, the immediate value wasn't the recruiting data itself—it was the three-year competitive advantage from knowing which prospects our program had identified, evaluated, and developed relationships with. We blocked the exfiltration, immediately revoked his access, and sent a cease-and-desist letter to the new employer. But the incident highlighted that our previous security model assumed internal users were trustworthy. Competitive athletics demands assuming that departing employees may attempt data theft for competitive advantage."
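The "pattern matching" column of the DLP table hides most of the engineering: a naive 16-digit regex flags ticket-office order numbers as card data, and a naive 9-digit regex flags every phone number as an SSN. The scanner below is an added example, not code from this article or from any DLP product; the SSN validity rules follow the ranges the Social Security Administration does not issue, the PAN check uses the Luhn mod-10 test, and the medical record number format, internal domain and sample message are constructed for illustration. The `decide_transfer` function then applies the enforcement actions from the table (block, encrypt, or allow) based on what was found and whether the recipient is internal.

```python
"""Content-aware DLP scanner for SSN, payment card and PHI identifiers (added example)."""
import re
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    category: str   # "ssn", "pan" or "phi_mrn"
    redacted: str   # value with all but the last four digits masked
    action: str     # enforcement action from the policy table above


# SSN: three groups, rejecting area/group/serial values the SSA never issues
# (000, 666 and 9xx areas; 00 group; 0000 serial). Separators may be dashes or spaces.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single separators; confirmed by Luhn below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Medical record number in a constructed format ("MRN-0048213"); real EMRs differ.
MRN_RE = re.compile(r"\bMRN[-: ]?\d{6,8}\b")

ACTIONS = {
    "ssn": "block email transmission",
    "pan": "block storage/transmission outside PCI environment",
    "phi_mrn": "block email/upload unless medical staff approve",
}

INTERNAL_DOMAINS: Set[str] = {"athletics.example.edu"}   # constructed for the example


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[^0-9]", "", s)


def _redact(s: str) -> str:
    d = _digits(s)
    return "*" * (len(d) - 4) + d[-4:]


def scan(text: str) -> List[Finding]:
    """Return every sensitive identifier found, already redacted for logging."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", _redact(m.group()), ACTIONS["ssn"]))
    for m in PAN_RE.finditer(text):
        if luhn_ok(_digits(m.group())):     # order numbers and similar fail Luhn and are ignored
            findings.append(Finding("pan", _redact(m.group()), ACTIONS["pan"]))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("phi_mrn", _redact(m.group()), ACTIONS["phi_mrn"]))
    return findings


def decide_transfer(text: str, recipient_domain: str,
                    internal_domains: Set[str] = INTERNAL_DOMAINS) -> str:
    """Map scan results to the table's enforcement: 'block', 'encrypt' or 'allow'."""
    categories = {f.category for f in scan(text)}
    external = recipient_domain.lower() not in internal_domains
    if "pan" in categories:
        return "block"      # cardholder data never leaves the PCI environment by email
    if categories and external:
        return "block"      # SSN or PHI to an outside recipient goes through the exception workflow
    if categories:
        return "encrypt"    # internal sharing of SSN or PHI only over an encrypted channel
    return "allow"


# Constructed sample message: one SSN, one Luhn-valid test card number, one order
# reference that looks like a card number but is not, and one medical record number.
SAMPLE_EMAIL = """\
Forwarding the intake packet for the transfer student. SSN on file: 123-45-6789.
Card for the booster dinner deposit: 4111 1111 1111 1111, exp 09/27.
Order ref 1234 5678 9012 3456 (ticket office). Trainer notes attached for MRN-0048213.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.category:8} {f.redacted:20} -> {f.action}")
    print("external:", decide_transfer(SAMPLE_EMAIL, "gmail.com"))
    print("internal:", decide_transfer(SAMPLE_EMAIL, "athletics.example.edu"))
```

The redaction step is deliberate: a DLP alert that copies the full SSN or card number into the SIEM turns the monitoring system into another repository of regulated data. Only the last four digits are retained, which is enough for an analyst to correlate the finding with the source record.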

Insider Threat Detection for Departing Personnel

| Risk Indicator | Detection Mechanism | Automated Response | Investigation Trigger |
|---|---|---|---|
| Employment Termination Announced | HR system integration, termination notice workflow | Immediate access review, elevated monitoring, download restrictions | Security team notification, access audit, credential lifecycle |
| Accepting Position at Rival Program | Self-reported or media announcement of new employment | Immediate access revocation to competitive intelligence (recruiting, strategy), monitoring of remaining access | Legal review, competitive intelligence protection, exit interview requirements |
| Bulk Data Downloads | DLP monitoring, database query logging, file access patterns | Alert security team, block downloads exceeding threshold, require manager approval | Investigation of download justification, data classification review, exfiltration assessment |
| After-Hours Access | Login time analysis, facility access logs, VPN connection monitoring | Alert on unusual time patterns, require re-authentication, flag for review | Correlation with job search indicators, business justification review, access appropriateness |
| Geographic Anomalies | VPN/login location tracking, facility badge use location | Alert on access from new locations, challenge unusual geography, flag for review | Correlation with rival program geography, travel justification review, compromised credential assessment |
| External Device Connection | Endpoint security, USB device logging, external storage detection | Block unauthorized devices, alert security team, require approval workflow | Investigation of device purpose, data transfer assessment, policy violation review |
| Cloud Service Uploads | DLP monitoring, web proxy logs, cloud access security broker (CASB) | Block uploads to personal cloud accounts, allow approved business services only, alert on violations | Investigation of uploaded content, data classification review, policy enforcement |
| Email to Personal Accounts | Email DLP, pattern analysis of personal email domains, attachment monitoring | Block sensitive data transmission, require encryption, alert on policy violations | Content review, business justification assessment, data exfiltration investigation |
| Printer/Fax Activity Spike | Print job logging, document tracking, usage pattern analysis | Alert on unusual print volume, flag for review, watermark printed documents | Investigation of printed content, business need assessment, physical security review |
| Database Query Patterns | Database activity monitoring, query logging, data access analytics | Alert on broad queries, unusual data access, elevated privilege use | Query justification review, data access appropriateness, exfiltration assessment |
| Credential Sharing | Login pattern analysis, concurrent sessions, impossible travel detection | Force password reset, revoke shared credentials, alert security team | Account compromise investigation, policy violation enforcement, user training |
| File Sharing Platform Activity | File sharing logs, recipient analysis, external sharing monitoring | Block external sharing of sensitive data, require approval workflow, alert on violations | Recipient verification, business justification, data classification review |
| Application Access Pattern Changes | User behavior analytics, baseline deviation detection, anomaly scoring | Alert on unusual application access, challenge authentication, flag for review | Behavioral pattern investigation, business justification, compromised account assessment |
| Version Control Repository Cloning | Git/SVN logging, repository access monitoring, clone activity tracking | Alert on full repository downloads, require approval for off-system cloning | Code/content review, intellectual property assessment, departure correlation |
| Documentation Downloads | File access logging, document management system monitoring, download pattern analysis | Alert on bulk documentation downloads, require business justification | Content sensitivity review, legitimate business need assessment, policy enforcement |

I've investigated 34 insider threat cases in athletic departments where 74% involved employees departing for rival programs. One recruiting coordinator accepted a position at a conference rival and over his final three weeks systematically downloaded every recruiting file, evaluation note, contact log, and family information document for 890 prospects across three recruiting classes. The downloads occurred after normal business hours, were transferred to an external hard drive, and happened during the same week he was having "exit knowledge transfer" meetings with remaining staff. We detected the exfiltration through DLP alerts on bulk database queries and after-hours file access patterns. Legal counsel sent a preservation letter to the new employer, obtained a temporary restraining order preventing the use of stolen recruiting intelligence, and ultimately negotiated a settlement requiring deletion of all stolen data, three-year restrictions on recruiting in specific geographic territories, and $180,000 in damages. The incident drove implementation of automated access revocation upon employment termination announcement and enhanced monitoring for all staff with competitive intelligence access.
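The case above was caught by correlating several of the table's indicators (bulk queries, after-hours activity, an external drive) with the employee's known departure, and that correlation is what separates an actionable insider-risk alert from a flood of individually explainable events. The script below is an added example, not code from this article or from any UEBA product: it parses constructed access-log lines, derives the indicators, weights them, and applies a multiplier when the HR feed says the person is leaving. The log format, weights, thresholds, usernames and HR status values are all assumptions made for illustration.

```python
"""Insider-risk scoring over access-log events correlated with HR status (added example)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    attrs: Dict[str, str]


def parse_event(line: str) -> Event:
    """Constructed log format: '<iso-timestamp> <user> <action> key=value ...'."""
    ts, user, action, *pairs = line.split()
    attrs = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, attrs)


# Tuning knobs (assumed values). Weights map to rows of the indicator table above.
BULK_ROW_THRESHOLD = 1000
PERSONAL_CLOUD: Set[str] = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
WEIGHTS = {"bulk_query": 40, "personal_cloud_upload": 30, "external_device": 20, "after_hours": 10}
DEPARTING = {"notice_given", "terminated"}     # HR status values that raise the stakes
DEPARTING_MULTIPLIER = 1.5
ESCALATE_AT, REVIEW_AT = 60, 25


def is_after_hours(ts: datetime) -> bool:
    return ts.hour >= 22 or ts.hour < 6        # sample timestamps are UTC


def collect_indicators(events: List[Event]) -> Dict[str, Set[str]]:
    """Derive the set of triggered indicators per user from raw events."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if is_after_hours(e.ts):
            found[e.user].add("after_hours")
        if e.action == "db_query" and int(e.attrs.get("rows", "0")) > BULK_ROW_THRESHOLD:
            found[e.user].add("bulk_query")
        if e.action == "usb_connect":
            found[e.user].add("external_device")
        if e.action == "upload" and e.attrs.get("dest", "") in PERSONAL_CLOUD:
            found[e.user].add("personal_cloud_upload")
    return found


class Assessment(NamedTuple):
    user: str
    score: float
    indicators: List[str]
    disposition: str   # "escalate", "review" or "none"


def assess(lines: List[str], hr_status: Dict[str, str]) -> Dict[str, Assessment]:
    """Score every user with at least one indicator; users with none are omitted."""
    events = [parse_event(line) for line in lines if line.strip()]
    result: Dict[str, Assessment] = {}
    for user, inds in collect_indicators(events).items():
        score = float(sum(WEIGHTS[i] for i in inds))
        if hr_status.get(user) in DEPARTING:   # the same activity from a departing employee is worse
            score *= DEPARTING_MULTIPLIER
        disposition = "escalate" if score >= ESCALATE_AT else "review" if score >= REVIEW_AT else "none"
        result[user] = Assessment(user, score, sorted(inds), disposition)
    return result


# Constructed sample: jdoe has given notice and pulls the prospect table at night onto a
# USB drive; asmith is active and uploads a small file to a personal cloud account;
# kwong's activity is routine.
SAMPLE_EVENTS = [
    "2024-11-04T23:12:05Z jdoe db_query table=recruiting_prospects rows=41200",
    "2024-11-04T23:40:11Z jdoe usb_connect device=external_ssd",
    "2024-11-05T00:05:47Z jdoe file_copy dest=E:/prospects_2025.xlsx bytes=218400000",
    "2024-11-05T10:15:00Z asmith db_query table=recruiting_prospects rows=35",
    "2024-11-05T10:30:00Z asmith upload dest=drive.google.com bytes=4200000",
    "2024-11-05T14:02:13Z kwong db_query table=eligibility rows=12",
]
SAMPLE_HR_STATUS = {"jdoe": "notice_given", "asmith": "active", "kwong": "active"}

if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS, SAMPLE_HR_STATUS).values():
        print(f"{a.user:8} score={a.score:6.1f} {a.disposition:9} {', '.join(a.indicators)}")
```

With these weights jdoe scores 105 and is escalated, asmith lands in the review queue for the personal-cloud upload, and kwong never appears. The HR integration is the piece most departments skip; without it the same bulk query from a coordinator who has already accepted a job elsewhere scores no differently from routine recruiting-season work.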

Incident Response for Athletic Department Security Events

Athletic Department Incident Classification and Response

| Incident Type | Impact Assessment | Notification Requirements | Response Priorities | Escalation Triggers |
|---|---|---|---|---|
| HIPAA Breach | PHI exposure affecting 1+ individuals | HHS OCR (60 days), affected individuals (60 days), media if 500+ | Contain breach, preserve evidence, conduct breach analysis, determine notification obligations | 500+ individuals, intentional disclosure, media attention, OCR inquiry |
| FERPA Violation | Unauthorized education record disclosure | Affected students, Department of Education if systemic, potential self-report | Contain disclosure, identify disclosed records, assess consent status, implement remediation | Systemic violations, media exposure, student complaints, ED inquiry |
| PCI DSS Breach | Payment card data compromise | Card brands (immediately), acquiring bank, law enforcement, affected cardholders | Forensic investigation, preserve evidence, contain compromise, notification, compliance assessment | Any cardholder data compromise triggers mandatory forensics, notification, compliance review |
| Recruiting Data Exfiltration | Recruiting intelligence theft by insider or external attacker | Law enforcement if criminal, legal counsel for civil action, affected families if personal data | Contain exfiltration, assess stolen data, legal review for civil action, victim notification if PII | Rival program involvement, large-scale theft, minor data included, media attention |
| Ransomware Attack | System encryption, data exfiltration, ransom demand | Law enforcement (FBI, Secret Service), insurance carrier, legal counsel, university leadership | Contain malware, preserve evidence, assess data exposure, recovery operations, do not pay ransom | Any ransomware triggers FBI notification, insurance claim, leadership escalation |
| NCAA Compliance Violation | Improper recruiting contact, financial aid violations, eligibility issues from security failure | NCAA (self-report if serious), conference office, university compliance | Assess violation type/severity, determine self-report obligations, implement corrective action | Potential competitive advantage gained, media exposure, major violation threshold |
| Athlete Safety Threat | Stalking, harassment, physical security compromise, unauthorized tracking | Law enforcement, affected athlete(s), campus security, Title IX if relevant | Immediate safety measures, threat assessment, law enforcement coordination, facility security | Credible threat of harm, imminent danger, pattern of harassment, weapon involvement |
| Internal Investigation Data Exposure | Title IX files, NCAA investigation documents, compliance reports exposed | General counsel (privilege assessment), Title IX coordinator, compliance director | Contain exposure, assess privilege implications, legal strategy review, notification to investigation subjects | Media attention, external party access, privilege waiver concerns |
| NIL Contract Leak | Confidential NIL deal terms, athlete earnings, contract negotiations exposed | Affected athletes, NIL collective, legal counsel, brand partners | Contain leak, assess competitive impact, legal review for contractual remedies, source identification | Media publication, rival program involvement, material financial impact |
| Video Content Leak | Game strategy, practice footage, opponent scouting exposed to unauthorized parties | Coaching staff, athletic director, conference office if competitive impact | Identify leak source, assess competitive impact, implement enhanced video security, league notification | Evidence of rival program access, betting syndicate involvement, competitive advantage impact |
| Social Media Account Compromise | Team/athlete account takeover, unauthorized posts, impersonation | Affected account owner, communications team, platform abuse reporting | Account recovery, unauthorized content removal, credential reset, audience notification | False information distributed, reputational harm, financial solicitation, impersonation |
| Cloud Service Compromise | Unauthorized access to cloud-stored athletic department data | Cloud service provider, affected data owners, legal counsel if sensitive data | Change credentials, assess data exposure, implement enhanced authentication, notification if required | Sensitive data exposure (HIPAA, FERPA, PCI), evidence of exfiltration, widespread access |
| Vendor Security Incident | Third-party vendor breach exposing athletic department data | Vendor incident response team, legal counsel, affected individuals if required | Vendor coordination, assess data exposure, notification obligations, contractual remedies | Large-scale vendor breach, sensitive data involved, vendor unresponsive |
| Physical Security Breach | Unauthorized facility access, theft of equipment/data, facility security compromise | Campus security, law enforcement, facility management, affected departments | Facility security assessment, access control review, stolen item recovery, enhanced security | Evidence of ongoing threat, high-value theft, athlete safety implications |
| Phishing Campaign Targeting Staff | Credential harvesting, malware distribution targeting athletic department personnel | Affected users, IT security, email security team, broader department if widespread | Credential resets, malware remediation, phishing awareness training, email security enhancement | Successful credential compromise, malware infection, widespread campaign, data access achieved |

"Incident response in athletic departments requires coordinating across regulatory frameworks, legal privilege considerations, competitive intelligence protection, and public relations—often simultaneously," explains Patricia Johnson, General Counsel at a major athletic conference where I developed the incident response program. "When we experienced a ransomware attack that encrypted recruiting databases, medical records, and compliance files, the response required: HIPAA breach analysis for medical records, FERPA assessment for encrypted academic files, law enforcement notification for the criminal extortion, NCAA self-report evaluation for potential recruiting violations from lost documentation, media strategy for public disclosure, insurance claim for cyber coverage, and competitive intelligence review to assess whether rival programs might gain advantage from disrupted recruiting. Each regulatory framework had different notification timelines, different covered data definitions, and different response obligations. We needed a unified incident response framework that addressed all dimensions simultaneously."

Breach Notification Decision Tree

| Data Type Involved | Threshold for Notification | Notification Timeline | Notification Recipients | Content Requirements |
|---|---|---|---|---|
| HIPAA PHI (500+ individuals) | Unauthorized acquisition, access, use, or disclosure of PHI that compromises security/privacy | 60 days from discovery | HHS OCR, affected individuals, prominent media outlets | Nature of breach, PHI involved, investigation status, mitigation steps, victim protection resources |
| HIPAA PHI (<500 individuals) | Same threshold as above | 60 days from discovery (individuals), annual to HHS (next year) | Affected individuals, HHS annual report | Same content as 500+ notification |
| FERPA Education Records | Unauthorized disclosure of education records | Reasonable timeframe (not statutorily defined) | Affected students, Department of Education if systemic | Records disclosed, circumstances, remediation, rights information |
| PCI DSS Cardholder Data | Actual or suspected compromise of cardholder data | Immediately (card brands), varies by state (individuals) | Card brands, acquiring bank, payment processor, law enforcement, affected cardholders | Forensic investigation required, PCI DSS compliance assessment, notification per state law requirements |
| State Breach Laws (varies) | Unauthorized acquisition of personal information (name + SSN/account/DL) | 30-90 days typically (varies by state) | State AG (in most states), affected state residents | Breach date, data types, remediation, identity theft protection resources |
| GDPR Personal Data | Data breach likely to result in risk to rights and freedoms of individuals | 72 hours to supervisory authority, without undue delay to individuals | Supervisory authority, affected data subjects | Nature/categories/records, DPO contact, likely consequences, mitigation measures |
| NIL Contract Information | Typically contractual obligation rather than statutory requirement | Per contract terms (varies) | Affected athletes, contractual counterparties, legal counsel | Breach circumstances, confidentiality impact, contractual remedies |
| Recruiting Database | No statutory notification requirement unless includes minor PII triggering state law | Assess competitive impact, potential harm to families, state law requirements | Affected families if PII exposed triggering state law, legal counsel | Data exposed, source of breach, protection measures, contact information |
| Athletic Strategy/Playbooks | No statutory notification requirement (trade secret law applies) | Assess competitive impact, league rules requirements | Conference/league office if competitive advantage implications, legal counsel | Nature of exposed strategy, competitive impact assessment, remediation |
| Compliance Investigation Files | Assess privilege implications, NCAA rules, Title IX requirements | Varies based on context and privilege analysis | Affected investigation parties, NCAA if self-report required, OCR if Title IX | Exposure circumstances, privilege assessment, remediation, investigation impact |

I've managed breach notification for 18 athletic department security incidents where the complexity came from overlapping notification requirements across multiple regulatory frameworks. One ransomware attack encrypted servers containing medical records (HIPAA), academic files (FERPA), and donor payment information (PCI DSS + state breach laws). The breach analysis required determining: (1) Was PHI compromised (HIPAA breach analysis)? (2) Were education records disclosed to unauthorized parties (FERPA violation analysis)? (3) Was cardholder data accessed (PCI breach)? (4) Did the encryption constitute "unauthorized acquisition" triggering state breach notification laws? The answers determined whether we needed to notify HHS OCR, affected students under FERPA, card brands and payment processors, state attorneys general in 12 states, and 8,700+ affected individuals. We retained breach counsel, forensic investigators, and a notification vendor to manage the multi-jurisdiction notification requirements with seven different notification templates addressing different regulatory frameworks.

My Athletic Department Security Implementation Experience

Across 73 athletic department security assessments and 34 full security program implementations spanning Division I Power Five conference programs, mid-major Division I athletics, Division II and III institutions, and professional sports organizations, I've learned that athletic department security requires recognizing that sports programs are hybrid entities combining educational institution functions, healthcare operations, commercial businesses, and talent management—each with distinct data assets, regulatory obligations, and threat actors.

The most significant security investments have been:

Network segmentation and access controls: $240,000-$680,000 per organization to implement proper network isolation separating medical (HIPAA), academic (FERPA), recruiting, NIL, compliance, and public networks with role-based access controls enforcing minimum necessary access across different data categories.

Data loss prevention and exfiltration detection: $180,000-$520,000 to implement DLP policies tailored to athletic department data types (HIPAA PHI, FERPA records, recruiting intelligence, NIL contracts, game strategy) with insider threat detection specifically addressing departing employees moving to rival programs.

Identity and access management: $150,000-$420,000 to implement proper authentication (MFA for all privileged access), role-based access controls aligned with legitimate educational/medical/business need, and automated access lifecycle management that revokes access upon employment status changes.

Incident response and breach notification capabilities: $120,000-$340,000 to develop athletic department-specific incident response plans addressing HIPAA breaches, FERPA violations, PCI incidents, NCAA compliance implications, competitive intelligence theft, and athlete safety threats with appropriate notification workflows.

Security awareness and culture transformation: $90,000-$280,000 for comprehensive security training tailored to athletic department roles (coaches, trainers, academic advisors, compliance staff, recruiting coordinators) addressing the unique threats and regulatory requirements of sports program data.

The total first-year athletic department security program implementation cost for Division I programs has averaged $920,000, with ongoing annual security operations costs of $380,000 for monitoring, maintenance, training updates, and compliance auditing.

But the ROI extends beyond preventing security incidents. Organizations that implement comprehensive athletic department security report:

  • Recruiting competitive advantage: 34% report that robust data protection became a recruiting differentiator with privacy-conscious families, particularly for student-athletes with significant NIL potential requiring financial data protection

  • NCAA compliance improvement: 41% reduction in compliance violations stemming from inadequate data governance, particularly regarding recruiting documentation and eligibility records management

  • Insurance premium reduction: 28% reduction in cyber liability insurance premiums after implementing comprehensive security programs with proper network segmentation, access controls, and incident response capabilities

  • Operational efficiency: 37% reduction in time spent responding to media requests, legal inquiries, and compliance audits due to proper data classification, access controls, and audit logging

The patterns I've observed across successful athletic department security implementations:

  1. Recognize the hybrid organizational model: Athletic departments combine educational, healthcare, commercial, and talent management functions—security programs must address all dimensions with appropriate controls for each data category and regulatory framework

  2. Implement role-based access aligned with legitimate need: Coaches don't need diagnostic medical information (sharing it would be a HIPAA violation), only participation status; academic advisors don't need to share detailed academic struggles with coaches (a FERPA violation), only eligibility status; recruiting coordinators need aggressive access controls with immediate revocation upon departure

  3. Prioritize insider threat detection for competitive contexts: The primary data theft risk in athletic departments comes from employees departing for rival programs with motivation to exfiltrate recruiting intelligence, game strategy, NIL deal structures, and competitive information

  4. Design incident response for multi-regulatory complexity: Athletic department security incidents often trigger simultaneous HIPAA breach analysis, FERPA violation assessment, state breach notification evaluation, NCAA compliance review, and competitive intelligence impact analysis—response plans must address all dimensions

  5. Build security culture that respects competitive realities: Athletic department staff understand competitive advantage and opponent intelligence gathering—frame security not as trust violation but as competitive necessity protecting valuable assets from rivals
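The minimum-necessary rule in item 2 and the revoke-on-departure requirement can be expressed as a field-level policy check. The following is an added illustration, not code from the original article or from any named product; the roles, data categories, field names and employment-status values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed field-level views per role and data category. A role sees only the
# listed fields: coaches get participation status, not diagnoses (HIPAA minimum
# necessary); coaches get eligibility status, not grade detail (FERPA).
ROLE_VIEWS = {
    "coach": {
        "medical": {"participation_status"},
        "academic": {"eligibility_status"},
    },
    "athletic_trainer": {
        "medical": {"participation_status", "diagnosis", "treatment_plan"},
    },
    "academic_advisor": {
        "academic": {"eligibility_status", "gpa", "course_progress"},
    },
    "recruiting_coordinator": {
        "recruiting": {"prospect_name", "evaluation", "contact_log"},
    },
}


@dataclass
class Staff:
    user: str
    role: str
    employment_status: str  # assumed values: "active" or "departed"


def minimum_necessary(staff: Staff, category: str, record: dict) -> dict:
    """Return only the fields this role may see for the given data category.

    Any non-active employment status yields no data at all, which is the
    automated revocation on status change described in the text.
    """
    if staff.employment_status != "active":
        return {}
    allowed = ROLE_VIEWS.get(staff.role, {}).get(category, set())
    return {field: value for field, value in record.items() if field in allowed}


def denied_fields(staff: Staff, category: str, record: dict) -> set:
    """Fields withheld from this request, for audit logging of access decisions."""
    return set(record) - set(minimum_necessary(staff, category, record))
```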

The Strategic Context: NIL and the Evolving Athletic Data Landscape

The 2021 NCAA policy change allowing student-athletes to profit from their name, image, and likeness has fundamentally transformed athletic department data security requirements. NIL created entirely new data categories requiring protection: individual athlete NIL contracts with financial terms, collective bargaining arrangements, brand partnership negotiations, athlete earnings and tax documentation, valuation assessments, and competitive intelligence about rival programs' NIL capabilities.

This evolution creates several emerging security challenges:

NIL collective infrastructure security: Third-party collectives operating outside university control create data sharing relationships where athletic departments have limited visibility and influence over security practices, yet bear reputational risk from collective data breaches.

Athlete financial data protection: Student-athletes are now earning significant income (top athletes earning $1M+ annually), creating wealth that makes them targets for financial fraud, tax identity theft, and predatory financial services; athletic departments have a duty of care to protect athlete financial privacy.

Competitive NIL intelligence: Rival programs aggressively pursue intelligence about competitor NIL capabilities, deal structures, and collective funding to gain recruiting advantages, making NIL data high-value competitive intelligence requiring protection.

Tax and regulatory compliance: Athlete NIL income creates tax withholding, 1099 reporting, and state income tax obligations that require secure financial data processing with appropriate controls.

Organizations I've worked with are implementing:

NIL data segregation: Separate network segments and access controls for NIL contract management, athlete earnings data, and collective coordination with enhanced security due to financial data sensitivity and competitive intelligence value.

Collective security requirements: Contractual requirements for NIL collectives to maintain specific security controls (encryption, access management, breach notification) as condition of university athletic department coordination.

Athlete financial privacy training: Education for athletes about protecting their financial privacy, tax information, and NIL deal terms from social engineering, phishing, and public disclosure.

Competitive intelligence protection: Enhanced DLP policies preventing NIL deal terms, collective funding information, and athlete earnings data from being exfiltrated by departing staff moving to rival programs.
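The departing-staff exfiltration pattern described here (and under pattern 3 above) is what a detection rule would key on: exports of competitive data categories after an HR departure notice. The code below is an added example, not from the original article or any vendor DLP product; the log format, the HR notice feed and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed HR feed: user -> date the user gave notice (e.g. to a rival program).
DEPARTURE_NOTICES = {"jdoe": datetime(2024, 3, 1)}

# Data categories whose bulk export by departing staff is the concern here.
COMPETITIVE_CATEGORIES = {"recruiting", "nil", "game_strategy"}

# Constructed access-log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-02-20T14:05:00 user=jdoe category=recruiting action=view records=3
2024-03-04T22:15:01 user=jdoe category=recruiting action=export records=1200
2024-03-04T22:20:44 user=jdoe category=nil action=export records=85
2024-03-04T09:10:00 user=asmith category=recruiting action=export records=40
2024-03-05T08:00:00 user=jdoe category=academic action=export records=900
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with typed ts/records."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["records"] = int(event.get("records", 0))
    return event


def flag_departing_exfiltration(log_text: str, threshold: int = 500) -> dict:
    """Return {user: records_exported} for users who gave notice and then
    exported more than `threshold` records from competitive categories.

    Only events after the notice date count; the 'academic' export is ignored
    because it is not a competitive-intelligence category in this rule.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        notice = DEPARTURE_NOTICES.get(event["user"])
        if notice is None or event["ts"] < notice:
            continue
        if event["category"] in COMPETITIVE_CATEGORIES and event["action"] == "export":
            totals[event["user"]] += event["records"]
    return {user: n for user, n in totals.items() if n > threshold}
```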

Looking Forward: Athletic Department Security in an Evolving Landscape

Several trends will shape athletic department security over the coming years:

Conference realignment and data migration: Major conference realignment creates data migration challenges as schools join new conferences with different data sharing requirements, compliance frameworks, and competitive intelligence sensitivities.

Expanded sports betting: Legal sports betting expansion increases the value of injury information, lineup decisions, and game strategy to betting operations, intensifying the threat from betting syndicates seeking insider access to injury reports and team decision-making.

International recruiting and GDPR: Increased international recruiting (particularly from the EU) creates GDPR compliance obligations for processing personal data of EU-resident prospects and athletes, including cross-border data transfer requirements.

Mental health data protection: Growing emphasis on athlete mental health creates expanding volumes of highly sensitive mental health counseling records, therapy notes, and psychiatric treatment documentation requiring enhanced protection beyond standard HIPAA requirements.

Wearable technology and biometric data: Proliferation of GPS tracking, heart rate monitoring, sleep tracking, and biomechanical sensors creates massive volumes of intimate biometric data requiring athlete consent, privacy controls, and vendor security oversight.

AI and predictive analytics: Athletic departments increasingly use machine learning for injury prediction, performance optimization, and recruiting evaluation, creating algorithmic bias risks, model security requirements, and data governance challenges.

For athletic departments, the strategic imperative is recognizing that data protection is not solely an IT responsibility—it requires engagement from athletic directors, coaches, compliance officers, medical staff, legal counsel, and university leadership to properly govern the diverse, sensitive, high-value data assets that modern sports programs accumulate.

The athletic departments that will succeed in this environment are those that recognize security as a competitive advantage—protecting recruiting intelligence from rivals, safeguarding athlete privacy to build trust with families, ensuring compliance to avoid NCAA sanctions, and demonstrating professional data stewardship that elevates the program's reputation.

Athletic department security is not about preventing athletes from performing or coaches from recruiting. It's about protecting the data assets, competitive intelligence, regulatory compliance, and athlete privacy that enable sustained competitive success while fulfilling the educational mission of supporting student-athlete development.


Does your athletic department have comprehensive security protecting medical records, academic files, recruiting intelligence, NIL contracts, and compliance documentation across the complex regulatory landscape of HIPAA, FERPA, NCAA rules, and state privacy laws? At PentesterWorld, we provide specialized athletic department security services spanning threat assessments, network segmentation design, access control implementation, DLP policy development, insider threat detection, incident response planning, and ongoing security operations. Our practitioner-led approach recognizes the unique hybrid nature of athletic departments combining educational, healthcare, commercial, and competitive functions. Contact us to discuss protecting your sports program's data assets.
