Information Incident and Data Breach Policy
Revisions: 7/25/2014 (Division title change); May 5, 2014; April 15, 2014
The purpose of this policy is to describe Northern Illinois University’s (NIU) responsibilities, mitigation, and remediation practices as they relate to information incidents and data breaches.
This policy pertains and applies to all NIU entities,
Information and data types under the scope of this policy include but are not limited to the categories as described in the NIU Information Security Procedure.
It shall be the policy of NIU that all potential information incidents or data breaches are fully investigated. As required by law, in the event of a data breach NIU shall notify all identifiable individuals whose personal information is affected by the breach, whether the source is NIU computer system data or written material. NIU shall use an investigative process to help mitigate and remediate any ongoing or future information security or data breach vulnerabilities. All NIU employees, regardless of status, NIU Affiliates, and Third-Party contractors are required to report any potential information incident or data breach by the methods outlined in the NIU Information Security Procedure.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
As designated by the President of the University, the Chief Information Officer (CIO) has primary executive oversight of Information Incidents and Data Breaches. The CIO shall name a responsible party to manage the response to
The President of the University, or designee, shall be empowered to declare a data breach.
The CIO, or designee, shall provide timely briefings and a final after-action report to the President regarding any information incident or data breach. The central IT unit shall maintain cybersecurity insurance on behalf of the institution, develop and maintain a group of security points of contact (SPOCs) for each identified IT support team at NIU, provide professional development opportunities for SPOCs, and develop a regular campaign of security awareness messaging for all NIU faculty, students, and staff. The central IT unit will, on request, facilitate an after-action review to identify continuous improvement activities.
The Division leader within whose area of responsibility (AOR) the breach occurs is accountable for ensuring that recommended actions are implemented, that notifications to end users are performed as required by law, and that suitable continuous improvement activities are performed as indicated by an after-action review of the breach. In the event email or
- Information Incident Definitions
- Illinois Personal Information Protection Act 815 ILCS 530/1 et seq., as amended by P.A. 94-947
- Identity Protection Act 5 ILCS 179
- NIU Information Incident Response Protocol (Not available for public release. Contact the Division of Information Technology for a review copy)
- NIU Information Security Procedure