Indiana Data Protection Laws FAQ

The SSN disclosure law, found at Indiana Code (IC) 4-1-10, makes it a crime to disclose a person's Social Security Number (SSN) except under certain circumstances spelled out in the law.

The data disposal law, which will appears at IC 24-4-14, makes it a crime to dispose of certain sensitive personal information in areas accessible to the public, without taking certain steps to render it unusable by third parties.

The breach notification law, found at IC 4-1-11, requires the university to notify individuals whose personal information is reasonably believed to have been exposed to unauthorized access as a result of an electronic system security breach.

The consumer report security freeze law, found at IC 24-5-24, allows any Indiana resident to place a credit freeze on his or her credit report free of charge.

These laws affect personnel in all units that collect, maintain, share, and dispose of the types of sensitive personal information that are covered by the laws.

These laws make no distinction in their treatment of faculty and staff. If, for example, a faculty member maintains old student records that contain SSNs (which used to serve as the default student ID number), and the faculty member discloses an SSN in those records to someone outside of IU, that disclosure would be subject to the SSN disclosure law. If SSNs in a faculty member's electronic files were inadvertently exposed to the Internet, that would trigger the breach notification law the same as if SSNs in an administrator's electronic files were exposed

The SSN disclosure law applies only to SSNs. The data disposal law and breach notification law also apply to SSNs, as well as any of the following data when combined with first initial or name PLUS last name:

• • • credit card numbers
    • financial account numbers
    • debit card numbers
    • access codes, security codes, or passwords
    • driver's license numbers
    • state identification card numbers

The data disposal and breach notification laws differ somewhat in how they discuss access codes, security codes and passwords. The data disposal law covers the disposal of records that contain the following: first initial/name PLUS last name PLUS "a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account." In other words, the record must contain both the financial account or debit card number AND a code or password that permits access to the account.

The breach notification law, in contrast, appears to cover disclosures of any individual piece of data within the following list, when combined with first initial/name and last name: "account number, credit card number, debit card number, security code, access code, or password of an individual's financial account." In other words, this doesn't appear to require that financial account or card numbers be combined with any security code or password, in order to trigger the notification requirement.

Any data that could cause harm to a person if an unauthorized person obtained it should be considered sensitive.

Student records are protected under the Family Educational Rights and Privacy Act (FERPA). More information about FERPA is available: registrar.iupui.edu/confiden.html and at http://registrar.indiana.edu/policies/ferpa/student-privacy-faculty.shtml .

Protected Health Information (PHI) is also protected by law under the Health Insurance Portability and Accountability Act (HIPAA).

See Compliance at Indiana University for more information.

SSNs are classified as critical information and must not be collected from individuals nor extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.

Source: Standards for Management of Institutional Data, 9g

The SSN law and data disposal law cover both paper and electronic data. The breach notification law only applies to electronic data. However, this does not prevent the University from notifying individuals in the event of an unauthorized disclosure of personal information in paper records, if a determination is made that it is appropriate to do so.

A knowing, intentional, or reckless disclosure of an SSN in violation of the new law is a felony, which carries up to 3 years' jail time and up to $10,000 in fines. A negligent disclosure is an "infraction," which carries up to 1 year jail time and up to $5,000 in fines.

Similarly, any violation of the data disposal law is a misdemeanor carrying up to 60 days' jail time and up to $500 in fines; if the violation involves the data of more than 100 persons or is a second violation, then the penalties increase to up to 1 year jail time and up to $5,000 in fines.

Finally, there is the possibility that violations of these laws may result in lawsuits filed against IU and/or individual personnel involved in the violations, see below.

The Attorney General for the State of Indiana is charged with interpreting and enforcing these laws. If the Attorney General concludes that a violation has occurred, the matter may be referred to local police and prosecutors.

Although these laws do not create a specific right for individuals whose data is affected to sue for violations of these laws, it is possible that such individuals may attempt to sue the university and/or individual employees for violations of these laws, for example under state "common law" theories like negligence.

Whether or not such lawsuits would be successful, having to respond to such claims often involves significant time and resources. The possibility of such lawsuits, together with the criminal penalties discussed above, reinforces the importance of our compliance with these laws and responsible handling of sensitive personal information.

Yes. In June, 2001, then Vice President Michael McRobbie asked the deans and the regional campus chancellors to take all steps necessary as soon as possible to eliminate the use of SSNs in stand-alone school and departmental information systems. He asked that they follow that with the complete deletion of all files containing SSNs related to these stand-alone information systems on all computers under their control. Where schools and departments needed to keep files of SSNs or other confidential information, he asked that all possible steps be taken to secure these computers and the data on them from inappropriate access and disclosure.

At that time, the university still used the SSN as the official Student ID and the official Employee ID. However, the university stopped using SSN as the official ID for employees in December 2002, and for students in Fall 2004. Thus, many more of these stores of data can now be deleted.

For explanation of the laws or review of your practices for compliance with the law: University Counsel's Office IUB 812-855-9739 or IUPUI 317-274-7460

For technical measures to protect data: Email uiso@iu.edu with questions or to request a security review.

For speakers to come address your unit: Contact the University Information Policy Office.

The SSN law prohibits IU or its employees from disclosing "orally, on paper, or electronically" an individual's SSN, except under the following circumstances:

• • • disclosures of only the last four (4) digits of the SSN (i.e. the rest of the number is masked or the number is transmitted as xxx-xx-1234)
    • disclosures for which we have the individual's express written consent to the disclosure of his/her SSN (for example, a student signs a release of records that expressly covers SSNs)
    • disclosures that are expressly required (not just permitted) by state or federal law or a court order (for example, a valid subpoena for employee records that include payroll records with the employee's SSN on them)
    • disclosures to a local, state, or federal agency, unless such disclosure is specifically prohibited by another federal or state law or court order (for example, disclosure of student records containing SSNs to state or federal educational agencies in a manner that also complies/is not prohibited by the Family Educational Rights and Privacy Act (FERPA), the main federal law governing the privacy of student education records)
    • disclosures for the purpose of administering health benefits of an employee or the employee's dependent(s) (For example, disclosures by the University Benefits Office of records containing SSNs to vendors providing coverage for employee health benefits)
    • disclosures to commercial entities for permissible uses authorized under any of the following federal laws: the Drivers Privacy Protection Act, the Fair Credit Reporting Act, and the Financial Modernization Act (also known as "Gramm Leach Bliley" after the authors of the legislation). (for example, disclosures to Sallie Mae for the purpose of administering student financial aid)
    • D
    • disclosures by IUPD to an individual, entity, or local, state or federal agency, for the purpose of furthering an investigation, unless such disclosure is specifically prohibited by another federal or state law or court order
    • disclosures made in the context of certain counterterrorism investigations***

***Please forward ANY requests or demands from law enforcement officials for SSNs or other documentation to the Office of the VP and General Counsel.

It is fine to use one written release or consent document for all of the data that is being disclosed, but that document should expressly indicate that the SSN is being disclosed, for example: "I consent to the release to [recipient] of all of my student education records maintained by Indiana University, including but not limited to my Social Security Number."

Yes, under rules issued by the Attorney General's Office, if IU learns of a disclosure of an SSN, we must notify the state Attorney General's Office within two business days of learning of the disclosure. The Office of the VP and General Counsel will notify the Attorney General's office if such a disclosure occurs.

If you need to provide SSNs or other institutional information to external organizations or vendors, follow the procedure in Disclosing Institutional Information to Third Parties Policy DM-02.

The SSN disclosure law can be found at Indiana Code (IC) 4-1-10.

The data disposal law requires that we "dispose" of the "personal information" of a "customer" in a secure manner. To "dispose" of data under this law means discarding or abandoning it in an area accessible to the public. A "customer" is (a) anyone whose personal information we maintain and who has received or contracted for goods or services from IU, directly or indirectly; and more broadly, (b) anyone who has provided IU with their personal information in connection with a transaction with the University.

"Personal information" the law covers is the following:

• SSNs
• First initial or name AND last name AND any of the following:
  • credit card number o Financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account
  • Driver's License number
  • state identification card number

The law exempts any information that is lawfully obtained from information that is made publicly available. The law also exempts any personal information that is "encrypted" or "redacted" when disposed. "Encryption" means (a) transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or (b) secured by another method that renders the personal information unreadable or unusable. "Redaction" means that the personal information is truncated or blacked out so that only the last 5 digits of the SSN or the last 4 digits of the remaining types of personal information covered under this law are visible. It is not clear why the data disposal law refers to the last 5 digits of the SSN instead of the last 4 digits. In any event, employees are strongly advised against disposing of records in a manner that leaves the last 5 digits of the SSN visible or accessible, as this may violate the SSN disclosure law, since that law only exempts disclosures of the last 4 digits of the SSN.

The law refers to "shredding, incinerating, mutilating, erasing, or otherwise rendering information illegible or unusable." For paper records, it is important to make sure that the shredder you are using shreds in a manner that renders the paper illegible or unusable.

Please see our guidelines regarding Securely Removing Data.

It is OK to use a commercial vendor to shred your paper records if the contract with the vendor has been reviewed and approved by Purchasing and the Office of the VP and General Counsel, to ensure that the vendor is responsible and that appropriate contract terms are in place to protect the security of the data and to obligate the vendor to take responsibility for any problems with data security on its end. The University Purchasing Department can provide a list of commonly used vendors.

Yes, the records are ultimately being disposed of through shredding, which meets the requirements of the data disposal law, and the lockbox arrangements pending disposal are reasonably secure. If your office were to experience a break-in to the lockbox, however, it should revisit these arrangements.

The Indiana data disposal law states that if you are already maintaining and complying with a disposal program for personal information under HIPAA, Gramm Leach Bliley, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, or the USA PATRIOT Act and Executive Order 13224 (relating to counterterrorism investigations), your data disposal is exempt from the requirements of the new state law. Essentially, you are deemed to be disposing of the data securely enough to not raise concerns under the state law.

You should only keep data, both electronic and paper, as long as it is required for business needs. Data retention for each type of document is determined by federal and state law and university practice. Consult with the office responsible for the activity for current retention requirements.

You may also reference the retention and disposition schedules posted by the Office of University Archives.

See our page on data removal.

The data disposal law can be found at IC 24-4-14.

This law requires that IU give notice "without unreasonable delay" to persons whose unencrypted personal information "was or is reasonably believed to have been acquired by an unauthorized third person" due to an electronic systems security breach.

This law essentially codifies a practice that IU, and many other schools, have been engaging in for some time. If a breach involves the disclosure of personal information for more than 1,000 persons, IU is also obligated to let consumer reporting agencies know that we are notifying individuals about the breach and disclosure.

SSN (if more than the last 4 digits), Driver's License number, state identification card number, credit card number, debit card number, financial account number, and any security code, access code, or password of a financial account.

Although the breach notification law only covers disclosures of electronic data, the SSN disclosure law states that if there is a disclosure of a Social Security number, the agency is to provide notice to the person whose Social Security number was disclosed "in the manner set forth in" the breach notification law. Since the SSN disclosure law includes disclosures of paper records, this means that IU is also required to give notice about a disclosure or exposure involving paper records containing SSNs.

The breach notification law that applies to state agencies, including state universities like IU, states that it is not a security breach when there is unauthorized acquisition of a portable electronic device with personal information stored on it, as long as all the personal information is password protected and the password has not been disclosed. This means that IU is not required as a matter of law to give notice to individuals whose data is stored on such devices. Again, this would not prevent IU from giving notice to those individuals in such cases, as a matter of policy and best practice.

Notably, a separate breach notification law that applies to private entities, which used to read exactly the same as the breach notification law applicable to IU, now states that it is not a security breach when there is unauthorized acquisition of a portable electronic device with personal information stored on it, as long as the information on the device is encrypted and the encryption key has not been disclosed. This means that, effective July 1, 2008, with respect to an incident involving a private entity, password protection for lost or stolen laptops and other portable electronic devices is no longer enough to prevent that incident from being considered a security breach that requires notification to the persons whose data is involved.

While it is unclear why the legislature did not make a similar change to the breach notification law involving state entities, this change in the private-entity breach notification law suggests -- consistent with the prevailing view of security professionals -- that password-protection of a portable device is usually not sufficient to protect the security of personal information stored on such a device.

Notice must be given "without unreasonable delay" and consistent with legitimate law enforcement needs and measures taken to determine the nature and scope of the breach, restore the integrity of our systems, and obtain the contact information needed to provide notice.

If law enforcement officials determine that notice would impede a criminal investigation, they may ask us to delay notice; once they conclude that notice will not compromise the investigation, we must go ahead and notify.

Notice must be given in writing to each individual affected, by letter or email, unless any of the following circumstances occur:

• • • We do not have sufficient contact information to provide individual notice;
    • The cost of providing individual notice would be $250,000 or more; or
    • The number of persons to be notified is at least 500,000

In such circumstances, IU can provide an alternative form of notice, by (a) notifying the major statewide media, and (b) conspicuously posting notice on our website

If at any time you become aware of an unauthorized disclosure or exposure of any of the above types of personal data, or a suspected disclosure or exposure, immediately call your local campus Support Center or Network Operations Center, and send details to it-incident@iu.edu. The Information Policy Office will coordinate incident response and ensure all appropriate steps are taken.

The Information Policy and Security Offices are charged with investigating incidents where sensitive institutional or personal data is suspected to have been exposed, and have experienced, certified forensic engineers on staff. The UIPO will coordinate the assembly of an Incident Team to advise and assist in containing and limiting the exposure, in investigating the incident, and in handling notification to the affected individuals and agencies as appropriate.

If at any time you have suspicion that an unauthorized disclosure or exposure of any of the above types of personal data may have occurred, immediately contact your local campus Support Center or Network Operations Center, and send details to it-incident@iu.edu. Do not access or alter the compromised system. Do not power it off. The Information Policy and Security Offices will assist in determining if an exposure occurred, and if so, will initiate appropriate response procedures.

Generally, the notice goes out from the unit associated with the breach. However, no action is to be taken until the University Information Policy Office directs it.

Yes, under rules issued by the Attorney General's Office [PDF], if IU learns of a disclosure of "personally identifying information," which we understand to mean "personal information" as defined under the breach notification law, we must notify the state Attorney General's Office within two business days of learning of the disclosure. The Office of the VP and General Counsel will notify the Attorney General's office if such a disclosure occurs.

The breach notification law can be found at IC 4-1-11.

Indiana law allows you, if your principal residence is within the state of Indiana, to place a "security freeze" on your consumer credit report, including your credit score free of charge.

A security freeze can help to prevent others from fraudulently opening new credit accounts in your name. Here's how:

• When someone tries to open an account in your name, the store, credit card issuer, or other business that is being asked to open the account (the "creditor") will contact a consumer reporting agency to check your credit report (in particular, your credit score).
• When the creditor contacts the consumer reporting agency, the creditor will learn of the security freeze and won't be able to get your credit report.
• When it cannot get your credit report, under the new law the creditor must consider the application for credit incomplete. Presumably at that point most if not all creditors will refuse to open the account.

The new law lets you do any or all of the following, for free:

• place a security freeze on your credit report
• release your credit report to one or more specified recipients
• lift a security freeze for a limited period of time
• remove a security freeze

A security freeze prevents consumer reporting agencies from releasing your credit report without your authorization, with some exceptions -- for example, law enforcement agencies, insurers, companies sending you prescreened credit offers, and your existing creditors seeking to collect on those debts, can all get copies of your credit report without your authorization, despite a security freeze.

The consumer report security freeze law can be found at IC 24-5-24.