The purpose of this policy is to describe Northern Illinois University’s (NIU) responsibilities, mitigation, and remediation practices as they relate to information incidents and data breaches.
This policy pertains and applies to all NIU entities, affiliate entities, and third-party contractors with whom a data exchange or information stewardship relationship exists.
Information and data types under the scope of this policy include but are not limited to the categories as described in the NIU Information Security Procedure.
It shall be the policy of Northern Illinois University that all potential information incidents or data breaches are fully investigated. As required by law, in the event of a data breach, NIU shall notify all identifiable individuals whose personal information is affected by the breach, whether the source is an NIU computer system, data, or written material. NIU shall use an investigative process to help mitigate and remediate any ongoing or future information security or data breach vulnerabilities. All NIU employees, regardless of status, NIU affiliates, and third-party contractors are required to report any potential information incident or data breach by the methods outlined in the NIU Information Security Procedure.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
As designated by the President of the University, the Vice President and Chief Information Officer (CIO) has primary executive oversight of Information Incidents and Data Breaches. The CIO shall name a responsible party to manage the response to any incident and provide full details regarding the investigative process including all actions leading to the detection, mitigation, and remediation of information and data incidents.
The President of the University, or designee, shall be empowered to declare a data breach.
The CIO, or designee, shall provide timely briefings and a final after-action report to the President regarding any information incident or data breach. The central IT unit shall maintain cybersecurity insurance on behalf of the institution, develop and maintain a group of security points of contact (SPOCs) for each identified IT support team at NIU, provide professional development opportunities for SPOCs, and develop a regular campaign of security awareness messaging for all NIU faculty, students, and staff. The central IT unit will, on request, facilitate an after-action review to look for continuous improvement activities.
The Division leader within whose area of responsibility (AOR) the breach occurs is accountable for ensuring that recommended actions are implemented, that notifications to end users are performed as required by law, and that suitable continuous improvement activities are performed as indicated by an after-action review of the breach. In the event that email or paper-based notifications are required, the Division leader will be a signatory on the notices. The AOR Division leader is responsible for covering all costs related to the breach that are not covered by cybersecurity insurance.
A data breach is an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.
An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
The divisional area within which computer systems, documents, personnel administering computer systems or other data media, or inventory assets are allocated is in scope for an information incident or data breach.
Illinois Personal Information Protection Act ("Act"), 815 ILCS 530/1 et seq., as amended by P.A. 94-947
Identity Protection Act (5 ILCS 179/)
Northern Illinois Information Incident Response Protocol (This is a controlled document and not available for public release. Contact the Division of Information Technology for a review copy)
Northern Illinois Information Security Procedure http://www.doit.niu.edu/its/Policies/information_security_policy.shtml
Initial date: May 5, 2014
Draft Update: April 15, 2014