The Personal Information Protection Act (PIPA) specifically requires public universities, such as Southern Illinois University Edwardsville (SIUE), and other data collectors to notify affected individuals whenever a breach of the security of the data collector's system data occurs. PIPA is the enactment of House Bill 1633, which was signed into law in June, 2005, and went into effect on January 1, 2006. With PIPA, Illinois became only the second state in the country to respond to major security breach cases (e.g., ChoicePoint).
The PIPA creates several stipulations for notifying affected persons of a data breach.
What is a breach of security systems?
The definition of a breach under the Act is: "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector." If an institution "handles, collects, disseminates, or otherwise deals with nonpublic personal information" it is considered a data collector. Accessing the data is not a breach, so notification does not have to occur every time the data is collected. But if the data is accessed and used for a purpose unrelated to the University's business or if it is made available to further unauthorized disclosure, this would be considered a breach.
What data is protected?
"Personal data" is the term for protected information that is used in PIPA and it is defined as:
An individual's first name or first initial and last name, in combination with any one or more of the following:
It is important to note, as the University is a public institution, "personal information" does not include publicly available information or public records.
Who do I contact if I have questions or suspect I have had a security breach?
If you have a security breach, contact the Office of the Chief Information Officer (CIO) at 650-5400, Lovejoy Library room 0005.
The University has a formal procedure for handling security-related incidents; units must not attempt to respond to incidents involving confidential information on their own. The responses will be coordinated by the CIO within Information Technology Services (ITS) in partnership with University Legal Counsel.
What will happen if a breach occurs?
In the event of a breach of a security system, the University will notify the affected person(s) by taking one or more of the following courses of action:
Notification of individuals
Notification must be made in the most expedient time possible without unreasonable delay. However, time may be taken to determine the scope of the breach, as well as to restore the integrity and security of the system.
There are three acceptable means of notification:
- the cost of the notice would exceed $250,000 or;
- there are over 500,000 people to notify or;
- the data collector doesn't have sufficient contact info.
If substitute notice was the only option available, then there are three steps that must be taken for substitute notice:
What should I do to help avoid a security breach?
Some examples: Keep personal contact information up-to-date; don't share personally identifiable information with anyone; encrypt personal records and passwords; do not leave your computer with an active session - log off; use updated anti-virus and anti-malware programs; do not leave your laptop sitting alone - even for a few seconds.
The act specifically forbids a waiver of the notification requirement. Therefore, even if someone agreed to exempt SIUE from the notification requirement, the exemption would be void.
Prompt notification to an affected person is key to preventing further security breaches and/or loss in regard to security information. Therefore, the University reminds all account holders to regularly update their contact information and provide accurate notification information to University officials.
Adapted with permission from the University of Illinois' "Guide to the Personal Information Protection Act", March 2009.
Approved by Chancellor effective 9/30/09
This policy was issued on December 8, 2009
Document Reference: 2D1
Origin: OC 9/30/09