The University of California, San Francisco's co-CIOs Wednesday issued the sort of letter every top IT official dreads: notification of a possible computer data breach.

UCSF co-CIOs Randy Lopez and Jonathan Showstack wrote that a breach was suspected in March involving a file server located at the University of California Office of the President in Oakland. Some 46,000 current and former students and employees were notified of the potential unauthorized electronic access.

The server, which has been taken offline, was used for payroll and other administrative departments, and housed Social Security numbers and other personal data, according to the memo.

The university is conducting an investigation into whether any data was stolen and is working with a third-party auditing firm. The school also has contacted the FBI.

The school has crafted an FAQ to answer questions about the incident.

California has a strict data breach notification law, and there's a push from some quarters to establish federal legislation of the same ilk.

Communicating data breach news to possible victims has become something of an art form, as we explored in this recent article that rated past notification letters.

Data breach announcements have come frequently in recent years, with news emerging just last week that the breach at retailer TJX was much worse than first thought, with some 45.7 million credit and debit card numbers exposed.

Universities have been common victims of such intrusions, with the University of California, Los Angeles being among those notifying its community of a major database breach late last year, and the University of California, Berkeley having several such security incidents in the past.

Recent research suggests that sloppy organizations are more to blame for such breaches than hackers.