Information Incident and Data Breach Policy

Policy Approval Authority: President
Responsible Division: Division of Information Technology
Responsible Officer(s): Associate Vice President and Chief Information Officer; Associate Vice President and University Privacy Officer
Contact Person: Marisa Benson,
Primary Audience: Faculty
Status: Active
Effective Adoption Date: 04-15-2014
Last Review Date: 07-25-2014
Policy Category/Categories: Ethics & Conduct; Finance / Risk Management; Information Technology
Revisions: 7/25/2014 (Division title change); May 5, 2014; April 15, 2014


The purpose of this policy is to describe Northern Illinois University’s (NIU) responsibilities, mitigation, and remediation practices as they relate to information incidents and data breaches.


This policy pertains and applies to all NIU entities, affiliate entities, and third-party contractors with whom a data exchange or information stewardship relationship exists.

Information and data types under the scope of this policy include, but are not limited to, the categories described in the NIU Information Security Procedure.


It shall be the policy of NIU that all potential information incidents or data breaches are fully investigated. As required by law, in the event of a data breach NIU shall notify all identifiable individuals whose personal information is affected by the breach, whether the source is NIU computer system data or written material. NIU shall use an investigative process to help mitigate and remediate any ongoing or future information security or data breach vulnerabilities. All NIU employees, regardless of status, NIU affiliates, and third-party contractors are required to report any potential information incident or data breach by the methods outlined in the NIU Information Security Procedure.


Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

As designated by the President of the University, the Vice President and Chief Information Officer (CIO) has primary executive oversight of Information Incidents and Data Breaches. The CIO shall name a responsible party to manage the response to any incident and provide full details regarding the investigative process including all actions leading to the detection, mitigation, and remediation of information and data incidents.

The President of the University, or designee, shall be empowered to declare a data breach.

The CIO, or designee, shall provide timely briefings and a final after-action report to the President regarding any information incident or data breach. The central IT unit shall maintain cybersecurity insurance on behalf of the institution, develop and maintain a group of security points of contact (SPOCs) for each identified IT support team at NIU, provide professional development opportunities for SPOCs, and develop a regular campaign of security awareness messaging for all NIU faculty, students, and staff. The central IT unit will, on request, facilitate an after-action review to look for continuous improvement activities.

The Division leader within whose area of responsibility (AOR) the breach occurs is accountable for ensuring that recommended actions are implemented, that notifications to end users are performed as required by law, and that suitable continuous improvement activities are performed as indicated by an after-action review of the breach. In the event email or paper-based notifications are required, the Division lead will be a signatory on the notices. The AOR Division leader is responsible for covering all costs related to the breach that are not covered by cyberinsurance.
