The Personal Information Protection Act (PIPA) specifically requires public universities, such as the University of Illinois, and other data collectors to notify affected individuals whenever a breach of the security of the data collector's system data occurs. PIPA is the enactment of House Bill 1633, which was signed into law in June, 2005, and went into effect on January 1, 2006. With PIPA, Illinois became only the second state in the country to respond to major security breach cases.
The Personal Information Protection Act creates several stipulations for notifying affected persons of a data breach.
What is a breach of security systems?
The definition of a breach under the Act is: "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector." As long as an institution "handles, collects, disseminates, or otherwise deals with nonpublic personal information" it is considered a data collector. Accessing the data is not a breach, so notification does not have to occur every time the data is collected. But if the data is accessed and used for a purpose unrelated to the University's business or if it is made available to further unauthorized disclosure, this would also be considered a breach.
What data is protected?
"Personal data" is the term for protected information that is used in PIPA and it is defined as:
An individual's first name or first initial and last name, in combination with any one or more of the following:
Social security number
Driver's license number or State identification card number
Account number or credit or debit card number, or an account number or credit card number in combination with any security code, access code or password that would permit access to an individual's financial account.
Medical or Health Insurance Information.
Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual
-retina or iris image
-other unique physical representation or digital representation of biometric data
It is important to note, as the University is a public institution, "personal information" does not include publicly available information or public records.
Who do I contact if I have questions or suspect I have had a security breach?
For additional information about the Personal Information Protection Act please consult directly with the Governance Risk and Compliance Team by emailing firstname.lastname@example.org.
To report a potential security breach related to the Personal Information Protection Act, please contact the security team at 265-0000 or email email@example.com.
The University has a formal procedure for handling security-related incidents and units must not attempt to respond to incidents involving confidential information on their own. The responses will be coordinated by the security team within the Office of the CIO in partnership with Campus Legal Counsel.
What types of notification required?
Notification to individuals
Notification must be made in the most expedient time possible without unreasonable delay. However, time may be taken to determine the scope or the breach as well as to restore the integrity and security of the system.
There are three acceptable means of notification:
- Written notice
- Electronic notice
- "Substitute notice" - This is when it is not feasible to provide written or electronic notice because
- the cost of the notice would exceed $250,000 or
- there are over 500,000 people to notify or
- the data collector doesn't have sufficient contact info
If substitute notice was the only option available, then there are three steps that must be taken for substitute notice:
- email notice if the data collector has an email address for the subject persons
- conspicuous posting of the notice on the data collector's web site
- notification to major statewide media.
- Review all current administrative processes for confidential information
- Inventory computer systems and databases for confidential information
- Evaluate cloud solution purchases for use with confidential information. Complete the lightweight risk assessment at go.illinois.edu/vendorrisk.
- Delete confidential data where not absolutely necessary
- Encrypt confidential data, such as SSNs, if they must be used
- Do not permit the storage of confidential data on home computers or laptops
- Do not send confidential data through email unless it is encrypted
- Do not use the web as a file transfer mechanism without adequate protections
- Do not allow commercial search engines to index confidential web sites
- Review the University's SSN policy
- Review the University's Information Security Policy
The act specifically forbids a waiver of the notification requirement. Therefore, even if someone agreed to exempt the University of Illinois from the notification requirement, the exemption would be void.