Southern Illinois University Edwardsville Logo
Apply to SIUE
Policies
Policies
Institutional Header

Information Technology

Guide to the Personal Information Protection Act (PIPA) - 2D1

The Personal Information Protection Act (PIPA) specifically requires public universities, such as Southern Illinois University Edwardsville (SIUE), and other data collectors to notify affected individuals whenever a breach of the security of the data collector's system data occurs. PIPA is the enactment of House Bill 1633, which was signed into law in June, 2005, and went into effect on January 1, 2006. With PIPA, Illinois became only the second state in the country to respond to major security breach cases (e.g., ChoicePoint).

The PIPA creates several stipulations for notifying affected persons of a data breach.

What is a breach of security systems?

The definition of a breach under the Act is: "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector." If an institution "handles, collects, disseminates, or otherwise deals with nonpublic personal information" it is considered a data collector. Accessing the data is not a breach, so notification does not have to occur every time the data is collected. But if the data is accessed and used for a purpose unrelated to the University's business or if it is made available to further unauthorized disclosure, this would be considered a breach.

What data is protected?

"Personal data" is the term for protected information that is used in PIPA and it is defined as:

An individual's first name or first initial and last name, in combination with any one or more of the following:

  1. Social security number
  2. Driver's license number or State identification card number
  3. Account number or credit or debit card number, or an account number or credit card number in combination with any security code, access code or password that would permit access to an individual's financial account.

It is important to note, as the University is a public institution, "personal information" does not include publicly available information or public records.

Who do I contact if I have questions or suspect I have had a security breach?

If you have a security breach, contact the Office of the Chief Information Officer (CIO) at 650-5400, Lovejoy Library room 0005.

The University has a formal procedure for handling security-related incidents; units must not attempt to respond to incidents involving confidential information on their own. The responses will be coordinated by the CIO within Information Technology Services (ITS) in partnership with University Legal Counsel.

What will happen if a breach occurs?

In the event of a breach of a security system, the University will notify the affected person(s) by taking one or more of the following courses of action:

Notification of individuals

Notification must be made in the most expedient time possible without unreasonable delay. However, time may be taken to determine the scope of the breach, as well as to restore the integrity and security of the system.

There are three acceptable means of notification:

  • Written notice
  • Electronic notice
  • "Substitute notice" - This is when it is not feasible to provide written or electronic notice because
  • the cost of the notice would exceed $250,000 or;
  • there are over 500,000 people to notify or;
  • the data collector doesn't have sufficient contact info.

If substitute notice was the only option available, then there are three steps that must be taken for substitute notice:

  1. Email notice if the data collector has an email address for the subject persons
  2. Conspicuous posting of the notice on the data collector's web site
  3. Notification to major statewide media

Recommended actions

  • Review all current administrative processes for confidential information
  • Inventory computer systems and databases for confidential information
  • Delete confidential data where not absolutely necessary
  • Encrypt confidential data, such as SSNs, if they must be used
  • Do not permit the storage of confidential data on home computers or laptops or portable storage devices
  • Do not transmit confidential data unless it is encrypted
  • Do not use the web as a file transfer mechanism without adequate protections
  • Do not allow commercial search engines to index confidential web sites

What should I do to help avoid a security breach?

Some examples: Keep personal contact information up-to-date; don't share personally identifiable information with anyone; encrypt personal records and passwords; do not leave your computer with an active session - log off; use updated anti-virus and anti-malware programs; do not leave your laptop sitting alone - even for a few seconds.

Additional notes

The act specifically forbids a waiver of the notification requirement. Therefore, even if someone agreed to exempt SIUE from the notification requirement, the exemption would be void.

Prompt notification to an affected person is key to preventing further security breaches and/or loss in regard to security information. Therefore, the University reminds all account holders to regularly update their contact information and provide accurate notification information to University officials.

Adapted with permission from the University of Illinois' "Guide to the Personal Information Protection Act", March 2009.

Approved by Chancellor effective 9/30/09
This policy was issued on December 8, 2009
Document Reference: 2D1
Origin: OC 9/30/09

facebookoff twitteroff vineoff linkedinoff flickeroff instagramoff googleplusoff tumblroff foursquareoff socialoff