Indiana University

New Indiana laws affecting information security

Dear Colleagues:

As you may be aware, the Indiana Legislature recently enacted several statutes that will affect the way IU faculty and staff handle certain types of personally identifiable information. Particular emphasis in the law is given to social security numbers.

The details of these statutes are outlined in the memo below that was prepared by the Information Technology Policy Officer and the Office of University Counsel.

This information is being provided to all members of the university community who may deal with or dispose of personally identifiable information. Your failure to comply with certain sections of these statutes can expose you to criminal penalties. Because of the potentially serious consequences of these laws, I am sending you a copy of this memo and asking that you read it and keep a copy for your files. I also request that chairs and directors of our academic programs forward it to their adjunct faculty and graduate teaching assistants.

Thank you for your attention to and full compliance with this new legislation.

Sincerely,
Adam W. Herbert


IMPORTANT NOTICE

TO: All Personnel
FROM: Beth Cate, Associate University Counsel, Merri Beth Lavagnino, Chief Information Policy Officer
DATE: June 16, 2006
SUBJECT: New Indiana laws affecting information security

We are writing to alert you to three new laws passed by the Indiana legislature that take effect on July 1, 2006, and affect our institutional operations. These laws provide criminal penalties and impose certain obligations to protect the following types of personal information:

  • Social Security Numbers
  • Credit card numbers
  • Financial account numbers
  • Debit card numbers
  • Security codes, access codes and passwords
  • Driver's license numbers
  • State identification card numbers

The three laws differ in certain ways, but basically require that the University:

  • NOT disclose outside of IU more than the last four digits of an individual's Social Security Number unless we have the individual's express written permission or the disclosure:
    1. is required by law or
    2. falls within one of several relatively narrow exceptions;
  • Dispose of the personal information described above in a secure manner, so that third parties cannot obtain and use (or misuse) that information; and
  • Notify individuals whose personal information reasonably appears to have been exposed to unauthorized access as a result of a system security breach.

Further details concerning our obligations under these new laws and how they relate to existing data privacy and security measures and requirements may be found on the UIPO data protection pages.

Everyone who obtains, uses, maintains, and shares the types of personal information described above in the course of their University responsibilities should be aware of the obligations these laws impose, especially because the laws impose criminal penalties (fines and/or jail time) on individuals who violate them. It is important to note that these laws affect faculty as well as staff. For example, because SSNs were used for many years at IU as the default student identification number, faculty may have old paper and electronic course records containing SSNs. It is important that these records, like administrative records containing sensitive personal information, are maintained and disposed of with sufficient security.

The Counsel's Office and the Information Security and Policy Offices have been working extensively in recent weeks with units and organizations throughout the IU system concerning the application of these laws. We will continue these efforts in order to encourage compliance while minimizing any disruption to business operations. Our offices are available at all times to assist with questions about our obligations under these new laws.

If at any time you become aware of an unauthorized disclosure or exposure of any of the above types of personal data, follow the proper incident response procedures immediately. The Information Security and Policy Offices will coordinate incident response and take the appropriate steps.

Thank you very much.