SB10: Server and application operators must promptly inform the appropriate escalation contacts of any possible breaches, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).