Approved: February 2018
According to NIU’s Data Classification Guidelines, one defining property of Restricted Data is that the “unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.” Everyone in the NIU community has a responsibility to protect the Restricted Data under their control, whether that data is stored digitally or physically. Moreover, NIU’s Information Incident and Data Breach Policy places the responsibility for, and the cost of, a data breach on the NIU Division in whose area of responsibility the breach occurs. As of 2016, the cost of data breaches in the U.S. was estimated at $221/record, with an average of 30,000 records breached per incident.
Note: This document describes the practices for protecting Restricted Data in general and does not address the additional and specific requirements for protected health information under HIPAA or payment card information under PCI/DSS.
1. Do not collect or store Restricted Data unless absolutely necessary.
The Illinois Personal Information Protection Act (815 ILCS 530) defines personal information and the required notifications for any breach of that personal information. The best way to protect against a breach of personal information is not to have it in the first place.
2. Do not print Restricted Data unless absolutely necessary.
3. Properly protect digitally-processed Restricted Data.
4. Beware of social engineering scams.