Data Protection at Indiana University requires that every member of our community take appropriate measures to safeguard the privacy, security, and integrity of important data through its entire lifecycle, from creation to destruction.
This web site compiles information about appropriate data protection practices and tools in one place. It is the result of a collaboration between University Counsel, the Information Policy and Security Office, and Internal Audit.
- Why are University Counsel, the University Information Policy and Security Office, and Internal Audit highlighting data protection issues now?
Protecting institutional data is always a top priority and concern for the university, but we wanted to highlight some recent changes to Indiana state laws concerning data protection that affect how we maintain, share and destroy certain sensitive personal data. These three Indiana laws are the latest in a series of federal and state laws that have been enacted in the past few years to grant special protection to certain categories of information that lawmakers feel are most susceptible to use in identity theft or otherwise extremely harmful if disclosed without proper authorization. Therefore, we are undertaking a communications campaign to inform personnel throughout the University of the new state laws and to raise awareness of data protection issues more broadly. As part of this campaign, we are encouraging the review and update of local data protection policies and procedures as necessary.
- What do the three new Indiana laws cover?
The first law, found at Indiana Code (IC) 4-1-10, basically makes it a crime to disclose a person's Social Security Number except under certain circumstances that are spelled out in the law.
The second law, which will appear at IC 24-4-14, basically makes it a crime to dispose of certain sensitive personal information in areas accessible to the public, without taking certain steps to render it unusable by third parties.
The third law, found at IC 4-1-11, basically requires the University to notify individuals whose personal information is reasonably exposed to unauthorized access as a result of an electronic systems security breach.
For ease of reference, we refer to these three laws as the "SSN disclosure law," the "data disposal law," and the "breach notification law." Details concerning each of these laws are provided below.
- Which personnel and units do these laws affect?
These laws affect personnel in all units that collect, maintain, share, and dispose of the types of sensitive personal information that are covered by the laws.
- Do these laws affect faculty as well as staff?
These laws make no distinction in their treatment of faculty and staff. If, for example, a faculty member maintains old student records that contain SSNs (which used to serve as the default student ID number), and the faculty member discloses an SSN in those records to someone outside of IU, that disclosure would be subject to the new SSN disclosure law. If SSNs in a faculty member's electronic files were inadvertently exposed to the internet, that would trigger the breach notification law the same as if SSNs in an administrator's electronic files were exposed.
- What kinds of data are covered under these new laws?
The SSN disclosure law applies only to SSNs. The data disposal law and breach notification law also apply to SSNs, as well as any of the following data when combined with first initial or name PLUS last name:
- Credit card numbers
- Financial account numbers
- Debit card numbers
- Access codes, security codes, or passwords
- Driver's license numbers
- State identification card numbers
The data disposal and breach notification laws differ somewhat in how they discuss access codes, security codes and passwords. The data disposal law covers the disposal of records that contain the following: first initial/name PLUS last name PLUS "a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account." In other words, the record must contain both the financial account or debit card number AND a code or password that permits access to the account.
The breach notification law, in contrast, appears to cover disclosures of any individual piece of data within the following list, when combined with first initial/name and last name: "account number, credit card number, debit card number, security code, access code, or password of an individual's financial account." In other words, this doesn't appear to require that financial account or card numbers be combined with any security code or password, in order to trigger the notification requirement.
- Are there other types of data that also are considered sensitive or covered by other laws?
- What is IU's policy regarding the use of SSNs?
SSN must not be collected from individuals nor extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.
Source: The Committee of Data Stewards, Data Administration Issues Notice, 2001.
- Do these laws apply only to electronic data?
The SSN law and data disposal law cover both paper and electronic data. The breach notification law only applies to electronic data. However, this does not prevent the University from notifying individuals in the event of an unauthorized disclosure of personal information in paper records, if a determination is made that it is appropriate to do so.
- What are the penalties for violating these new data laws?
A knowing, intentional, or reckless disclosure of an SSN in violation of the new law is a felony, which carries up to 3 years' jail time and up to $10,000 in fines. A negligent disclosure is an "infraction," which carries up to 1 year jail time and up to $5,000 in fines.
Similarly, any violation of the data disposal law is a misdemeanor carrying up to 60 days' jail time and up to $500 in fines; if the violation involves the data of more than 100 persons or is a second violation, then the penalties increase to up to 1 year jail time and up to $5,000 in fines.
Finally, there is the possibility that violations of these laws may result in lawsuits filed against IU and/or individual personnel involved in the violations, see below.
- Who enforces these new data security laws?
The Attorney General for the State of Indiana is charged with interpreting and enforcing these laws. If the Attorney General concludes that a violation has occurred, it may refer the matter to local police and prosecutors.
- Can someone whose data has been exposed sue the University or individual employees for violations of the law?
Although these laws do not create a specific right for individuals whose data is affected to sue for violations of these laws, it is possible that such individuals may attempt to sue the University and/or individual employees for violations of these laws, for example under state "common law" theories like negligence. Whether or not such lawsuits would be successful, having to respond to such claims often involves significant time and resources. The possibility of such lawsuits, together with the criminal penalties discussed above, reinforces the importance of our compliance with these laws and our responsible handling of sensitive personal information.
- Didn't the university already undertake a project to eliminate the unnecessary collection of SSNs a few years ago?
Yes. In June, 2001, Vice President Michael McRobbie asked the Deans and the Regional Campus Chancellors to take all steps necessary as soon as possible to eliminate the use of SSNs in stand-alone School and Departmental information systems. He asked that they follow that with the complete deletion of all files containing SSNs related to these stand-alone information systems on all computers under their control. Where Schools and Departments needed to keep files of SSNs or other confidential information, he asked that all possible steps be taken to secure these computers and the data on them from inappropriate access and disclosure.
- How is this effort different than that previous project?
At that time, the university still used the SSN as the official Student ID and the official Employee ID. However, the university stopped using SSN as the official ID for employees in December 2002, and for students in Fall 2004. Thus, many more of these stores of data can now be deleted.
- Who can I contact for more information?
For explanation of the laws or review of your practices for compliance with the law:
University Counsel's Office IUB 812-855-9739 or IUPUI 317-274-7460
For technical measures to protect data:
Email uiso@iu.edu with questions or to request a security review.
For speakers to come address your unit:
Schedule Beth Cate (University Counsel) and Merri Beth Lavagnino (Information Policy and Security Offices) through the UIPO by emailing uipo@iu.edu.
A copy of the notice sent to all personnel under a cover note from President Herbert is also available.
- What are the obligations imposed by the new data disposal law?
The data disposal law requires that we "dispose" of the "personal information" of a "customer" in a secure manner. To "dispose" of data under this law means discarding or abandoning it in an area accessible to the public. A "customer" is (a) anyone whose personal information we maintain and who has received or contracted for goods or services from IU, directly or indirectly; and more broadly, (b) anyone who has provided IU with their personal information in connection with a transaction with the University.
"Personal information" the law covers is the following:
- SSNs
- First initial or name AND last name AND any of the following:
- Credit card number
- Financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account
- Driver's license number
- State identification card number
The law exempts any information that is lawfully obtained from information that is made publicly available. The law also exempts any personal information that is "encrypted" or "redacted" when disposed. "Encryption" means (a) transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or (b) secured by another method that renders the personal information unreadable or unusable. "Redaction" means that the personal information is truncated or blacked out so that only the last 5 digits of the SSN or the last 4 digits of the remaining types of personal information covered under this law are visible. It is not clear why the data disposal law refers to the last 5 digits of the SSN instead of the last 4 digits. In any event, employees are strongly advised against disposing of records in a manner that leaves the last 5 digits of the SSN visible or accessible, as this may violate the SSN disclosure law, since that law only exempts disclosures of the last 4 digits of the SSN.
- What methods of disposal are sufficiently secure?
The law refers to "shredding, incinerating, mutilating, erasing, or otherwise rendering information illegible or unusable." For paper records, it is important to make sure that the shredder you are using shreds in a manner that renders the paper illegible or unusable.
- How do we dispose of electronic data with sufficient security?
- Our office uses a commercial vendor to shred our paper records. Is this OK?
It is OK to use a commercial vendor to shred your paper records if the contract with the vendor has been reviewed and approved by Purchasing and University Counsel, to ensure that the vendor is responsible and that appropriate contract terms are in place to protect the security of the data and to obligate the vendor to take responsibility for any problems with data security on its end. The University Purchasing Department can provide a list of commonly used vendors.
- Our office has a "lockbox" provided by the vendor, in which we put paper records prior to shredding. The box has an internal lock, and is too large and heavy for someone to walk away with. Although students and other members of the public may have access during the day to the area in which the lockbox is kept, there are always employees present and in view of the lockbox, and the office is locked at night. The only personnel inside the room at night are facilities maintenance personnel. Are these arrangements sufficiently secure?
Yes, the records are ultimately being disposed of through shredding, which meets the requirements of the new data disposal law, and the lockbox arrangements pending disposal are reasonably secure. If your office were to experience a break-in to the lockbox, however, it should revisit these arrangements.
- What if my office is already disposing of records with this type of personal information in them, under a security plan that meets the requirements of another law like HIPAA?
The new Indiana data disposal law states that if you are already maintaining and complying with a disposal program for personal information under HIPAA, Gramm Leach Bliley, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, or the USA PATRIOT Act and Executive Order 13224 (relating to counterterrorism investigations), your data disposal is exempt from the requirements of the new state law. Essentially, you are deemed to be disposing of the data securely enough to not raise concerns under the new state law.
- How long do I need to keep documents containing sensitive data?
You should only keep data, both electronic and paper, as long as it is required for business needs. Data retention for each type of document is determined by federal and state law and university practice. Consult with the office responsible for the activity for current retention requirements.
You may also reference the Record Retention and Destruction Policy of the Office of University Archives.
- Where can I find more information on secure data disposal?
- Where can I find this law?
- What obligations does the breach notification law impose?
This law requires that IU give notice "without unreasonable delay" to persons whose unencrypted personal information "was or is reasonably believed to have been acquired by an unauthorized third person" due to an electronic systems security breach. This law essentially codifies a practice that IU, and many other schools, have been engaging in for some time already. If a breach involves the disclosure of personal information for more than 1,000 persons, IU is also obligated to let consumer reporting agencies know that we are notifying individuals about the breach and disclosure.
- What types of "personal information" must we give notice about, if disclosed/exposed?
SSN (if more than the last 4 digits), driver's license #, state identification card #, credit card #, debit card #, financial account #, and any security code, access code, or password of a financial account.
- This law talks about breaches of security in electronic systems. So does that mean that IU doesn't have to give notice if there is a disclosure of paper records with unencrypted personal information in them?
Although the breach notification law only covers disclosures of electronic data, the SSN disclosure law states that if there is a disclosure of an Social Security number, the agency is to provide notice to the person whose Social Security number was disclosed "in the manner set forth in" the breach notification law. Since the SSN disclosure law includes disclosures of paper records, this means that IU is required to give notice about a disclosure or exposure of paper records containing SSNs.
- What if a laptop or other portable device that contains personal information is stolen or lost? Does that trigger notice obligations under this law?
The breach notification law that applies to state agencies, including state universities like IU, states that it is not a security breach when there is unauthorized acquisition of a portable electronic device with personal information stored on it, as long as all the personal information is password protected and the password has not been disclosed. This means that IU is not required as a matter of law to give notice to individuals whose data is stored on such devices. Again, this would not prevent IU from giving notice to those individuals in such cases, as a matter of policy and best practice.
Notably, a separate breach notification law that applies to private entities, which used to read exactly the same as the breach notification law applicable to IU, now states that it is not a security breach when there is unauthorized acquisition of a portable electronic device with personal information stored on it, as long as the information on the device is encrypted and the encryption key has not been disclosed. This means that, effective July 1, 2008, with respect to an incident involving a private entity, password protection for lost or stolen laptops and other portable electronic devices is no longer enough to prevent that incident from being considered a security breach that requires notification to the persons whose data is involved.
While it is unclear why the legislature did not make a similar change to the breach notification law involving state entities, this change in the private-entity breach notification law suggests -- consistent with the prevailing view of security professionals -- that password-protection of a portable device is usually not sufficient to protect the security of personal information stored on such a device.
- When must notice be given?
Notice must be given "without unreasonable delay" and consistent with legitimate law enforcement needs and measures taken to determine the nature and scope of the breach, restore the integrity of our systems, and obtain the contact information needed to provide notice. If law enforcement officials determine that notice would impede a criminal investigation, they may ask us to delay notice; once they conclude that notice will not compromise the investigation, we must go ahead and notify.
- How is notice given?
Notice must be given in writing to each individual affected, by letter or email, unless any of the following circumstances occur:
- We do not have sufficient contact information to provide individual notice;
- The cost of providing individual notice would be $250,000 or more; or
- The number of persons to be notified is at least 500,000
In such circumstances, IU can provide an alternative form of notice, by (a) notifying the major statewide media, and (b) conspicuously posting notice on our website.
- What do we do if we have a disclosure of any of these types of data?
If at any time you become aware of an unauthorized disclosure or exposure of any of the above types of personal data, please immediately call your local campus Support Center or Network Operations Center, and send details to it-incident@iu.edu. The IT Policy and Security Office will coordinate incident response and ensure that all appropriate steps are taken.
The Information Technology Policy and Security Office is charged with investigating incidents where sensitive institutional or personal data is suspected to have been exposed, and it has experienced and licensed forensic engineers on staff. This office will coordinate the immediate assembly of an Incident Team to advise and assist in containing and limiting the exposure, in investigating the attack, and in handling notification to the affected individuals and agencies.
- What if we're not sure if the computer that the data was on was compromised or not?
If at any time you have suspicion that an unauthorized disclosure or exposure of any of the above types of personal data may have occurred, please immediately call your local campus Support Center or Network Operations Center, and send details to it-incident@iu.edu. Do not access or alter the compromised system. Do not power it off. The IT Policy and Security Office will assist in determining if an exposure occurred, and if so, will initiate appropriate response procedures.
- Who sends the notification to the affected person(s) when data has been exposed or disclosed?
Generally, the notice goes out from the unit associated with the breach. However, no action is to be taken until the Information Technology Policy and Security Office directs it.
- Must IU also notify the state Attorney General's Office if any of the "personal information" covered by the breach notification law is disclosed?
Yes, under rules issued by the Attorney General's Office[PDF], if IU learns of a disclosure of "personally identifying information," which we understand to mean "personal information" as defined under the breach notification law, we must notify the state Attorney General's Office within two business days of learning of the disclosure. University Counsel will notify the Attorney General's office if such a disclosure occurs.
- Where can I find this law?
