Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Data Breach Response Policy

Scope

This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting Loyola Protected data or Loyola Sensitive data.

Purpose

The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.

Policy

Reporting of suspected thefts, data breaches or exposures

Any individual who suspects that a theft, breach, exposure of Loyola Protected data, or Loyola Sensitive data has occurred must immediately provide a description of what occurred via email to DataSecurity@luc.edu, or by calling 773-508-6086. This email address and phone number are monitored by Loyola’s Information Security team. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security team will follow the appropriate procedure depending on the class of data involved.

If the incident is a suspected theft, Loyola’s Department of Campus Safety shall also be contacted at 773-508-6039. They will determine whether or not a local law enforcement agency should be contacted based on the location and details of the incident. If a local law enforcement agency is contacted, the name of the agency and the report number should be provided to Loyola via the methods of contact outlined above.

Confirmed theft, data breach or exposure of Loyola Protected data or Loyola Sensitive data

As soon as a theft, data breach, or exposure containing Loyola Protected data or Loyola Sensitive data is identified, the process of removing all access to that resource will begin as soon as possible. If the information is available on a site outside of Loyola, that site will be contacted to have the information removed as soon as possible.

The CIO will chair a response team to handle the breach or exposure. The team will include members from:

If a theft of physical property occurred, the Department of Campus Safety will be notified by ITS. This team will provide information to UMC regarding how the breach or exposure occurred, the types of data involved, the Loyola classifications of those data types, any protective measures around the involved data (such as encryption), and the number of internal/external individuals and/or organizations impacted. UMC will handle all communications about the breach or exposure. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure.

Confirmed theft, breach or exposure of Loyola Public data

The CIO will be notified of the theft, breach or exposure, and will inform UMC as soon as possible. ITS will analyze the breach or exposure to determine the root cause. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure. ITS will also examine any involved systems to ensure that they did not also house any Loyola Protected data or Loyola Sensitive data. If the systems are found to also contain Loyola Protected data or Loyola Sensitive data, the CIO will be notified and the “Confirmed data breach or exposure of Loyola Protected data or Loyola Sensitive data” section of this policy will be invoked. If a theft of physical property occurred, the Department of Campus Safety will be notified by ITS. The Department of Campus Safety will determine if it is also appropriate to necessary other law enforcement agencies based on where the theft occurred.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu .

Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix

For any data breaches, exposures, or thefts involving information listed below, a representative from the listed areas will be included on the response team:

Data TypeArea(s) or Individuals to be additionally included on Response Team
Financial information, including but not limited to credit card numbers, bank account numbers, investment information, grant information, and budget information Finance, Director of Cash Management and/or Assistant Treasurer
Information about individual employees, including but not limited to social security numbers Human Resources
Student financial information Office of Student Financial Assistance, Bursar, Marketing Communication Services
Student information protected by FERPA Student Affairs, Registrar, Provost, Marketing Communication Services
Student health information Student Affairs, Marketing Communication Services
Student information not listed above Student Affairs, Marketing Communication Services
Research data Research Services, Provost
PII concerning faculty Faculty Administration, Provost
PII concerning donors or unreleased information about gifts received Advancement
Payroll Information Comptroller and/or Payroll

Policies Referenced

PIP policy – Data Classification policy Checklist This checklist covers items that the response team should consider while responding to a security incident.

Updates and History

March 4, 2008: Initial Policy
October 23, 2012: Annual Review
July 12, 2013: Annual Review for PCI Compliance
Author: Information Security Advisory Council (ISAC)
Version: 1.0
 
 
PDF FILE DOWNLOAD

Loyola

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu

Notice of Non-discriminatory Policy