Information Security Breach (Policy 75)

Approved By: President Elaine P. Maimon

Revised: December 16, 2013, February 22, 2016, May 9, 2016, May 16, 2016

  1. Purpose

    The purpose of this policy is to describe Governors State University’s (GovState) responsibilities and remediation practices as they relate to information security and data breach incidents.

  2. Scope

    This policy applies to information safeguarded by Governors State University and/or by third-party vendors and contractors working with Governors State University. A breach is defined as unauthorized access to or disclosure of personal information. The Governors State University Information Technology Services (ITS) Department will investigate all reports of security breaches of personal and/or sensitive University information. Based on the results of the University's investigation, internal and/or external parties may be notified as necessary.

  3. Policy

    It is the policy of GovState that unauthorized access and potential information incidents or data breaches be fully investigated and the following actions taken as appropriate. As required by the Illinois Personal Information Protection Act 815 ILCS 530/1 (PIPA), in the event of a data breach GovState shall notify all identifiable individuals whose personal information is affected by the breach, whether the source is GovState computer system data or written material. This notification shall be made in the most expedient time possible and without unreasonable delay. GovState shall use an investigative process to help mitigate and remediate any ongoing or future information security or data breach vulnerabilities. All GovState employees, regardless of status, GovState affiliates, and third-party contractors are required to report any potential information incident or data breach to the Associate Vice President (AVP) of Information Technology Services, who will notify all appropriate University officials.

    Beyond notification and except where required by law, the University makes no promise of service to individuals affected by a Security Breach. The President of the University, however, may elect to provide additional services to affected individuals.

    1. Internal Notification

      The Governors State University Information Technology Department will report all suspected cases of information security breaches to the University’s executive administration and will work with them to establish an appropriate response strategy. If the investigation determines criminal activity may have taken place, the Department of Public Safety and Legal Counsel will also be notified. The affected parties will be notified of the investigation outcome.

    2. External Notification

      The AVP of Information Technology Services, in consultation with University Administration, will determine if external notification is required in the event of a personal information breach. Parties to be notified will include those affected by the breach.

    3. Social Security Numbers

      GovState will collect, use, or disclose an individual’s social security number only in circumstances allowable under the Illinois Identity Protection Act (5 ILCS 179/1, et seq.) (IPA).

    4. Personal Information

      Personal Information is defined by the Illinois Personal Information Protection Act 815 ILCS 530/1 (PIPA), the Family Educational Rights and Privacy Act 20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA), and University Policy 12 (Access to Student Educational Records).

      Examples: 

      1. Individual personal information such as driver’s license numbers and social security numbers; 
      2. Financial data such as bank account numbers, tax forms, and credit/debit card numbers; 
      3. Educational records such as transcripts, grades, test scores, and academic standing; and 
      4. Human resource records such as health and benefit information, and dependent information. 

      This includes but is not limited to physical and/or electronic media and paper records or files.

  4. Enforcement

    Any employee found to have been involved in a data breach may be subject to disciplinary action, up to and including termination of employment. Any student found to have been involved in a data breach will be subject to disciplinary action as outlined in the student code of conduct (University Policy 4). All entities found to have been involved in a data breach may be subject to legal and criminal investigation. 

    The President of the University, or designee, shall be empowered to declare a data breach. 

    The AVP of Information Technology Services has primary executive oversight of data breaches. 

    Based on the findings of the data breach investigation, the unit leader within whose area of responsibility the breach has occurred is accountable for ensuring that recommended actions are implemented and that suitable continuous improvement activities are performed.

  5. Glossary

    1. Data Breach: A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), and protected academic records (FERPA).
    2. Electronic Media: Any type of device that stores or allows the distribution or use of electronic information.
    3. Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
    4. Illinois Identity Protection Act (IPA) (5 ILCS 179/1, et seq.)
    5. Illinois Personal Information Protection Act (PIPA) (815 ILCS 530/1)
    6. Incident: An individual occurrence or event.
    7. Unauthorized Access: Access by any individual without a legitimate need to use personal information as defined in HIPAA, FERPA, PIPA, and IPA.
    8. University Policy 4 (Student Conduct Policy), found on the GovState Policy Page
    9. University Policy 12 (Access to Student Educational Records), found on the GovState Policy Page