Loyola University Chicago


Information Technology Services

Data Breach Response Policy

Scope:

This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting Loyola Protected data or Loyola Sensitive data.

Purpose:

The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.

Policy

Reporting of suspected thefts, data breaches or exposures

Any individual who suspects that a theft, breach or exposure of Loyola Protected data or Loyola Sensitive data has occurred must immediately provide a description of what occurred via email to DataSecurity@luc.edu, by calling 773-508-7373, or through the use of the anonymous reporting web page at http://www.luc.edu/uiso/contactus/report_anon.shtml. This email address, phone number, and web page are monitored by Loyola’s Information Security team. This team will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security team will follow the appropriate procedure depending on the class of data involved.

If the incident is a suspected theft, Loyola’s Department of Campus Safety shall also be contacted at 773-508-6039. They will determine whether a local law enforcement agency should be contacted based on the location and details of the incident. If a local law enforcement agency is contacted, the name of the agency and the report number should be provided to Loyola via the methods of contact outlined above.

Confirmed theft, data breach or exposure of Loyola Protected data or Loyola Sensitive data

As soon as a theft, data breach or exposure involving Loyola Protected data or Loyola Sensitive data is identified, the process of removing all access to the affected resource will begin. If the information is available on a site outside of Loyola, that site will be contacted to have the information removed as soon as possible.

The CIO will chair a response team to handle the breach or exposure. The team will include members from:

  • ITS
  • University Marketing and Communications (UMC)
  • The Office of the General Counsel, Risk Management
  • The affected unit or department that uses the involved system or output, or whose data may have been breached or exposed
  • Additional departments based on the data type involved, as listed in the appendix
  • Additional individuals as deemed necessary by the CIO

If a theft of physical property occurred, the Department of Campus Safety will be notified by ITS. The response team will provide UMC with information regarding how the breach or exposure occurred, the types of data involved, the Loyola classifications of those data types, any protective measures around the involved data (such as encryption), and the number of internal and external individuals and/or organizations impacted. UMC will handle all communications about the breach or exposure. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure.

Confirmed theft, breach or exposure of Loyola Public data

The CIO will be notified of the theft, breach or exposure, and will inform UMC as soon as possible. ITS will analyze the breach or exposure to determine the root cause. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure. ITS will also examine any involved systems to ensure that they did not also house any Loyola Protected data or Loyola Sensitive data. If the systems are found to also contain Loyola Protected data or Loyola Sensitive data, the CIO will be notified and the “Confirmed theft, data breach or exposure of Loyola Protected data or Loyola Sensitive data” section of this policy will be invoked. If a theft of physical property occurred, the Department of Campus Safety will be notified by ITS. The Department of Campus Safety will determine whether it is also appropriate to notify other law enforcement agencies based on where the theft occurred.

Questions about this Policy:

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy Adherence:

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix:

For any data breaches, exposures, or thefts involving information listed below, a representative from the listed areas will be included on the response team:

Data type: Financial information, including but not limited to credit card numbers, bank account numbers, investment information, grant information, and budget information
Additional response team members: Finance, Director of Cash Management and/or Assistant Treasurer

Data type: Information about individual employees, including but not limited to social security numbers
Additional response team members: Human Resources

Data type: Student financial information
Additional response team members: Office of Student Financial Assistance, Bursar, Marketing Communication Services

Data type: Student information protected by FERPA
Additional response team members: Student Affairs, Registrar, Provost, Marketing Communication Services

Data type: Student health information
Additional response team members: Student Affairs, Marketing Communication Services

Data type: Student information not listed above
Additional response team members: Student Affairs, Marketing Communication Services

Data type: Research data
Additional response team members: Research Services, Provost

Data type: PII concerning faculty
Additional response team members: Faculty Administration, Provost

Data type: PII concerning donors or unreleased information about gifts received
Additional response team members: Advancement

Data type: Payroll information
Additional response team members: Controller and/or Payroll

Policies referenced

Data Classification policy

Checklist

This checklist covers items that the response team should consider while responding to a security incident.

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu