(The Center Square) – An Illinois lawmaker is raising serious concerns about cybersecurity and legal compliance at Illinois State University following a state audit that found long-standing material weaknesses and repeated violations of state law.
State Rep. Paul Jacobs, R-Pomona, who serves on the House Appropriations for Higher Education Committee and the Cybersecurity Committee, said the Illinois Auditor General’s findings for fiscal year 2024 point to systemic problems that have gone unresolved for years.
“These things are going back for years,” Jacobs told TCS. “You had three Category 1 weaknesses and 10 Category 2 significant deficiencies. That’s more of a systemic problem.”
The audit found ISU failed to meet key legal and accounting requirements, including deficiencies in cybersecurity controls, outside employment disclosures and student data protections. Several of the findings were repeat issues dating back more than a decade.
Jacobs said the findings raise questions about accountability, particularly as ISU continues to receive increased taxpayer funding.
“Why would they be getting more money instead of fixing the problems they already have,” Jacobs said. “If we’re giving you money, you need to be taking care of it.”
Jacobs said the university’s cybersecurity shortcomings are among the most troubling aspects of the audit, especially given the sensitive information universities handle.
“The biggest thing is it puts the students’ records at risk, like Social Security numbers, etc.” he said. “The institution is also at risk. And, of course, that could be an awful lot of lawsuits.”
Jacobs said the audit’s findings reveal faculty members engaging in outside work without proper disclosure, a requirement under Illinois law designed to prevent conflicts of interest and protect taxpayer-funded research.
“They have some of their professors working outside and they’re not reporting to the university,” said Jacobs.
He warned that undisclosed outside work could have serious consequences, particularly when faculty use research funded by taxpayers in private ventures.
“If you’re a research scientist and you take that work to an outside job, and that research was done with taxpayer money, there could be patents involved,” Jacobs said. “There’s a lot of millions of dollars in lawsuits. That’s why that law exists, to protect the interests of the state and the university.”
The audit also found ISU is not compliant with the federal Credit Card Marketing Act, which requires public universities to protect student information from being shared with businesses for marketing purposes.
“That’s a straightforward statutory requirement,” Jacobs said.
Jacobs said repeated audit findings indicate the university has failed to correct known problems, and lawmakers may need to intervene to ensure compliance.
He suggested assigning responsibility to specific administrators and requiring regular progress reports.
Jacobs also acknowledged lawmakers themselves may share some responsibility for failing to oversee public universities more closely.
“Apparently, the universities are not being looked over as well as they should be,” he said. “I think this spring, we will have to look at these reports maybe a lot more closely.”
The Center Square contacted ISU for comment on the audit, but the university had not responded by publication.
