PURPOSE: The purpose of the CSU Personal Information Protection Procedure is to implement all
processes and notification procedures in compliance with and pursuant to the Personal
Information Protection Act, 815 ILCS 530. The act is designed to ensure uniform notification
to all persons whose personal information may have been compromised and released to
an unauthorized entity.
The procedure is applicable to all persons who provide, receive or has access to personal
information in the course of their duties and responsibilities at Chicago State University.
Data Collector Chicago State University, a public university, is considered a "data collector".
Breach means unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the data collector.
"Breach of the security of the system data" does not include good faith acquisition
of personal information by an employee or agent of the data collector for a legitimate
purpose of the data collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or subject to further unauthorized
Personal information means an individual's first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data elements
are not encrypted or redacted:
- Social Security Number.
- Driver's license number or State identification card number.
- Account number or credit or debit card number, or an account number or credit card
number in combination with any required security code, access code, or password that
would permit access to an individual's financial account.
- An active malware infection where the malware allows unauthorized remote access into
the system or allows the unauthorized retrieval of data from the machine that are
known to contain personal information. This does not include the quarantine of incoming
malware that does not actually execute on the system in question.
- The loss or theft of any computing equipment (such as a laptop, PC, or backup media)
containing unencrypted personal information.
- The loss of theft of any printout containing personal information.
- (1) When an active compromise can be determined, the ITD will take timely action to
contain the incident by taking actions such as disconnecting the affected system(s)
from the campus network, performing network blocking, or other actions as deemed necessary.
- University Officials, Departmental heads and departmental computer technical staff
shall be notified as soon as possible through email and telephone when ITD employee
is made aware of a likely security compromise. ITD will document the incident and
provide logs of the systems as evidence of the breach.
- Systems maintained by the Department will fall under this category.
- Departments must maintain an inventory of the systems that contain personal information.
The inventory should only be accessible to authorized parties.
- The department will certify if any incident meets the criteria to be classified as
a security compromise and inform ITD immediately. ITD will then follow the course
of action stated as a follow-up to this logged incident.
- If an incident merits law enforcement intervention, the appropriate law enforcement
agency must be contacted immediately and will guide the process of preservation of
evidence. If law enforcement is to be involved then the chain of custody of information
related to the security compromise must be preserved through special procedures that
are above and beyond the offerings of the ITD. ITD and the Department will follow
the procedures set by the law enforcement agency under their guidance.
- If the incident does not merit law enforcement intervention, then local computer
administrators or other skilled parties may be utilized to determine the depth of
the security incident and recover from it.
- Department will develop and implement a plan to prevent future incidents.
The procedure is implemented pursuant to Illinois State's Personal Information Protection
Act, 815 ILCS 530
- Notification will be given whenever there is an unauthorized acquisition of computerized
data that compromises the security, confidentiality or integrity of personal information
maintained by CSU.
- Notification will be expedient and without unreasonable delay (unless notification
will interfere with a criminal investigation).
- The Notification shall include: the toll-free numbers and addresses for consumer
reporting agencies; the toll-free number, address and website address for the Federal
Trade Commission; and a statement that the individual can obtain information from
these sources about fraud alerts and security freezes. Notifications shall not include information concerning the number of Illinois residents or the CSU community
affected by the breach.
- Appropriate notice can be in either a written or electronic form that is consistent
with USC Title 155, Section 7001.
- Notice can also be given via Substitute notice provided that the notice consists
of all of the following:
If the cost of providing notice would exceed $250,000 or the affected class of subject
persons to be notified exceeds 500,000, or CSU does not have sufficient contact information,
the university has the option of using substitute service.
- Email notice if we have an email for the persons;
- Conspicuous posting of the Notice on the data collector's web site; and
- Notification to major statewide media.
- Once a breach has occurred, a report must be submitted within 5 business days to
the General Assembly listing the breach and outlining corrective measures to prevent
- An annual report must then be filed every year listing all breaches of security of
the system or written materials and the corrective measure that have been taken to
prevent future breaches.
- Disposal of materials must render the information unreadable, unusable and undecipherable.
- Electronic materials may be destroyed or erased so that personal information cannot
be read or reconstructed.
- Paper documents may be redacted, burned, pulverized or shredded so that personal
information cannot be read or reconstructed.
- If the breach affects more than 1,000 persons, CSU shall also notify as soon as
practicable all National Consumer Reporting Agencies of the timing, the distribution
and content of the notices. CSU shall not be required to identity the number or
names of the affected parties.