Information Incident and Data Breach Policy - NIU - Division of Information Technology



Technology Policies & Standards

Information Incident and Data Breach Policy

printable version (pdf)

1.0 Purpose

The purpose of this policy is to describe Northern Illinois University’s (NIU) responsibilities, mitigation, and remediation practices as they relate to information incidents and data breaches.

2.0 Scope

This policy pertains and applies to all NIU entities, affiliate entities, and third-party contractors with whom a data exchange or information stewardship relationship exists.

Information and data types under the scope of this policy include but are not limited to the categories as described in the NIU Information Security Procedure.

3.0 Policy

It shall be the policy of Northern Illinois University that all potential information incidents or data breaches are fully investigated. As required by law, in the event of a data breach NIU shall notify all identifiable individuals whose personal information is affected by a breach whether the source is an NIU computer system data or written material. NIU shall use an investigative process to help mitigate and remediate any on-going or future information security or data breach vulnerabilities. All NIU employees, regardless of status, NIU Affiliates and Third-Party contractors are required to report any potential information incident or data breach by methods outlined in the NIU Information Security Procedure.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

As designated by the President of the University, the Vice President and Chief Information Officer (CIO) has primary executive oversight of Information Incidents and Data Breaches. The CIO shall name a responsible party to manage the response to any incident and provide full details regarding the investigative process including all actions leading to the detection, mitigation, and remediation of information and data incidents.

5.0 Accountability

The President of the University, or designee, shall be empowered to declare a data breach.

The CIO, or designee, shall provide timely briefings and a final after-action report to the President regarding any information incident or data breach. The central IT unit shall maintain cybersecurity insurance on behalf of the institution, develop and maintain a group of security points of contact (SPOC) for each identified IT support team at NIU, provide professional development opportunities for SPOCs, and develop a regular campaign of security awareness messaging for all NIU faculty, students, and staff. The central IT unit will, on request, facilitate an after action review to look for continuous improvement activities.

The Division leader within whose area of responsibility (AOR) the breach occurs is accountable for ensuring that recommended actions are implemented, notifications to end users are performed as required by law, and that suitable continuous improvement activities are performed as indicated by an after action review of the breach. In the event email or paper based notifications are required, the Division lead will be a signatory on the notices. The AOR Division leader is responsible for covering all costs related to the breach that are not covered by cyberinsurance.

6.0 Definitions

Information Incident

  • Attempts (either failed or successful) to gain unauthorized access to a system or its data
  • Unwanted disruption or denial of service
  • The unauthorized use of a system for the processing or storage of data
  • Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

Data Breach

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so

Identifiable Individuals

Individuals for whom enough information is available, either directly or through means of reasonable investigative effort, to provide a source of contact information

Personal Information

An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • Social Security number.
  • Driver's license number or State identification card number.
  • Account number or credit or debit card number, or
    an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Area of Responsibility

The divisional area within which computer systems, documents, personnel administering computer systems or other data media, or inventory assets are allocated are in scope for an information incident or data breach

7.0 References

Illinois Personal Information Protection Act (“Act’), 815 ILCS 530/1 et seq., as amended by P.A. 94-947

Identity Protection Act (5 ILCS 179/)

Northern Illinois Information Incident Response Protocol (This is a controlled document and not available for public release. Contact the Division of Information Technology for a review copy)

Northern Illinois Information Security Procedure

8.0 Revision History

Initial date: May 5, 2014
Draft Update: April 15, 2014