Key provisions of the Indiana Code relate to data protection. This page is the result of a collaborative effort between University Counsel, the Information Policy and Security Office, and Internal Audit to answer common questions about these laws. For ease of reference, the relevant laws are referred to as the “SSN disclosure law,” the “data disposal law,” the “breach notification law,” and the “consumer report security freeze law.”
- What do these laws cover?
The SSN disclosure law, found at Indiana Code (IC) 4-1-10, makes it a crime to disclose a person's Social Security Number (SSN) except under certain circumstances spelled out in the law.
The data disposal law, found at IC 24-4-14, makes it a crime to dispose of certain sensitive personal information in areas accessible to the public without first taking steps to render it unusable by third parties.
The breach notification law, found at IC 4-1-11, requires the university to notify individuals whose personal information is reasonably believed to have been exposed to unauthorized access as a result of an electronic system security breach.
The consumer report security freeze law, found at IC 24-5-24, allows any Indiana resident to place a credit freeze on his or her credit report free of charge.
- Which personnel and units do these laws affect?
These laws affect personnel in all units that collect, maintain, share, and dispose of the types of sensitive personal information that are covered by the laws.
- Do these laws treat faculty and staff differently?
These laws make no distinction in their treatment of faculty and staff. If, for example, a faculty member maintains old student records that contain SSNs (which used to serve as the default student ID number), and the faculty member discloses an SSN in those records to someone outside of IU, that disclosure would be subject to the SSN disclosure law. Likewise, if SSNs in a faculty member's electronic files were inadvertently exposed to the Internet, that would trigger the breach notification law just as it would if SSNs in an administrator's electronic files were exposed.
- What kinds of data are covered under these laws?
The SSN disclosure law applies only to SSNs. The data disposal law and breach notification law also apply to SSNs, as well as any of the following data when combined with first initial or name PLUS last name:
- credit card numbers
- financial account numbers
- debit card numbers
- access codes, security codes, or passwords
- driver's license numbers
- state identification card numbers
The data disposal and breach notification laws differ somewhat in how they discuss access codes, security codes and passwords. The data disposal law covers the disposal of records that contain the following: first initial/name PLUS last name PLUS "a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account." In other words, the record must contain both the financial account or debit card number AND a code or password that permits access to the account.
The breach notification law, in contrast, appears to cover disclosures of any individual piece of data within the following list, when combined with first initial/name and last name: "account number, credit card number, debit card number, security code, access code, or password of an individual's financial account." In other words, this doesn't appear to require that financial account or card numbers be combined with any security code or password, in order to trigger the notification requirement.
- Are there other types of data that are also considered sensitive or covered by other laws?
Any data that could cause harm to a person if an unauthorized person obtained it should be considered sensitive.
Student records are protected under the Family Educational Rights and Privacy Act (FERPA). More information about FERPA is available at registrar.iupui.edu/confiden.html and at http://registrar.indiana.edu/policies/ferpa/student-privacy-faculty.shtml .
Protected Health Information (PHI) is also protected by law under the Health Insurance Portability and Accountability Act (HIPAA).
See Compliance at Indiana University for more information.
- What is IU’s policy regarding the use of SSNs?
SSNs are classified as critical information and must not be collected from individuals nor extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.
Source: Standards for Management of Institutional Data, 9g
- Do these laws apply only to electronic data?
The SSN law and data disposal law cover both paper and electronic data. The breach notification law only applies to electronic data. However, this does not prevent the University from notifying individuals in the event of an unauthorized disclosure of personal information in paper records, if a determination is made that it is appropriate to do so.
- What are the penalties for violating these data laws?
A knowing, intentional, or reckless disclosure of an SSN in violation of the law is a felony, which carries up to 3 years' jail time and up to $10,000 in fines. A negligent disclosure is an "infraction," which carries up to 1 year of jail time and up to $5,000 in fines.
Similarly, any violation of the data disposal law is a misdemeanor carrying up to 60 days' jail time and up to $500 in fines; if the violation involves the data of more than 100 persons or is a second violation, then the penalties increase to up to 1 year jail time and up to $5,000 in fines.
Finally, violations of these laws may also result in lawsuits filed against IU and/or the individual personnel involved in the violations (see below).
- Who enforces these laws?
The Attorney General for the State of Indiana is charged with interpreting and enforcing these laws. If the Attorney General concludes that a violation has occurred, the matter may be referred to local police and prosecutors.
- Can someone whose data has been exposed sue the university or individual employees for violations of the law?
Although these laws do not create a specific right for individuals whose data is affected to sue for violations, such individuals may still attempt to sue the university and/or individual employees, for example under state "common law" theories like negligence.
Whether or not such lawsuits would be successful, having to respond to such claims often involves significant time and resources. The possibility of such lawsuits, together with the criminal penalties discussed above, reinforces the importance of our compliance with these laws and responsible handling of sensitive personal information.
- Didn’t the university already undertake a project to eliminate the unnecessary collection of SSNs a few years ago?
Yes. In June 2001, then Vice President Michael McRobbie asked the deans and the regional campus chancellors to take all steps necessary, as soon as possible, to eliminate the use of SSNs in stand-alone school and departmental information systems. He asked that they follow that with the complete deletion of all files containing SSNs related to these stand-alone information systems on all computers under their control. Where schools and departments needed to keep files of SSNs or other confidential information, he asked that all possible steps be taken to secure those computers and the data on them against inappropriate access and disclosure.
At that time, the university still used the SSN as the official Student ID and the official Employee ID. However, the university stopped using SSN as the official ID for employees in December 2002, and for students in Fall 2004. Thus, many more of these stores of data can now be deleted.
- Who can I contact for more information?
For explanation of the laws or review of your practices for compliance with the law: University Counsel's Office IUB 812-855-9739 or IUPUI 317-274-7460
For technical measures to protect data: Email firstname.lastname@example.org with questions or to request a security review.
For speakers to come address your unit: Contact the University Information Policy Office.