CSU Personal Information Protection Procedure

PURPOSE: The purpose of the CSU Personal Information Protection Procedure is to implement the processes and notification procedures required by the Illinois Personal Information Protection Act, 815 ILCS 530. The Act is designed to ensure uniform notification to all persons whose personal information may have been compromised and released to an unauthorized entity.

The procedure applies to all persons who provide, receive or have access to personal information in the course of their duties and responsibilities at Chicago State University.

Definitions:

Data collector: Chicago State University, a public university, is considered a "data collector".

Breach means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social Security Number.
  2. Driver's license number or State identification card number.
  3. Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

A breach may include any or all of the following:

  1. An active malware infection where the malware allows unauthorized remote access to the system, or allows the unauthorized retrieval of data from a machine known to contain personal information. This does not include malware that is quarantined on arrival and never actually executes on the system in question.
  2. The loss or theft of any computing equipment (such as a laptop, PC, or backup media) containing unencrypted personal information.
  3. The loss or theft of any printout containing personal information.

Information Technology Department (ITD) Responsibility

  1. When an active compromise has been confirmed, ITD will take timely action to contain the incident, such as disconnecting the affected system(s) from the campus network, performing network blocking, or other actions as deemed necessary.
  2. University officials, department heads and departmental computer technical staff shall be notified as soon as possible by email and telephone when an ITD employee becomes aware of a likely security compromise. ITD will document the incident and retain and provide logs from the affected systems as evidence of the breach.

Departmental Responsibility:

  1. Systems maintained by the department fall under this category.
  2. Departments must maintain an inventory of the systems that contain personal information. The inventory should be accessible only to authorized parties.
  3. The department will determine whether an incident meets the criteria to be classified as a security compromise and inform ITD immediately. ITD will then follow the course of action described above as a follow-up to the logged incident.
  4. If an incident merits law enforcement intervention, the appropriate law enforcement agency must be contacted immediately and will guide the preservation of evidence. When law enforcement is involved, the chain of custody of information related to the security compromise must be preserved through special procedures that go beyond what ITD ordinarily provides. ITD and the department will follow the procedures set by the law enforcement agency under its guidance.
  5. If the incident does not merit law enforcement intervention, local computer administrators or other skilled parties may be used to determine the extent of the security incident and recover from it.
  6. The department will develop and implement a plan to prevent future incidents.

This procedure is implemented pursuant to the Illinois Personal Information Protection Act, 815 ILCS 530.

Notification Process:

  1. Notification will be given whenever there is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by CSU.
  2. Notification will be expedient and without unreasonable delay (unless notification will interfere with a criminal investigation).
  3. The Notification shall include:  the toll-free numbers and addresses for consumer reporting agencies; the toll-free number, address and website address for the Federal Trade Commission; and a statement that the individual can obtain information from these sources about fraud alerts and security freezes.  Notifications shall not include information concerning the number of Illinois residents or the CSU community affected by the breach.
  4. Appropriate notice may be given in either written or electronic form, provided the electronic form is consistent with 15 U.S.C. § 7001 (the federal E-SIGN Act).
  5. Substitute notice may be used if the cost of providing notice would exceed $250,000, if the affected class of persons to be notified exceeds 500,000, or if CSU does not have sufficient contact information. Substitute notice must consist of all of the following:
    1. Email notice, if CSU has an email address for the person;
    2. Conspicuous posting of the notice on the data collector's web site; and
    3. Notification to major statewide media.
  6. Once a breach has occurred, a report must be submitted to the General Assembly within 5 business days of discovering or being notified of the breach, listing the breach and outlining the corrective measures taken to prevent future breaches.
  7. An annual report must then be filed every year listing all breaches of the security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
  8. Disposal of materials must render the information unreadable, unusable and undecipherable.
    1. Electronic materials may be destroyed or erased so that personal information cannot be read or reconstructed.
    2. Paper documents may be redacted, burned, pulverized or shredded so that personal information cannot be read or reconstructed.
  9. If the breach affects more than 1,000 persons, CSU shall also notify, as soon as practicable, all nationwide consumer reporting agencies of the timing, distribution and content of the notices. CSU is not required to identify the number or names of the affected persons.