Heightened alarm over identity theft and frequent high-profile media reports of data security breaches have prompted the Illinois General Assembly to enact legislation designed to protect persons whose personal information has been disclosed improperly. This legislation affects Illinois state and local government agencies, as well as commercial entities, that conduct business in the state. The Personal Information Protection Act (PIPA) (815 ILCS 530/1 et seq.) requires these agencies and businesses to disclose any breach of a computer system that contains the unencrypted personal information of Illinois residents. This article focuses on the statutory notification obligations PIPA imposes upon government agencies that utilize or participate in a state-administered integrated justice information system. It is important, however, to understand the structure and composition of an integrated justice information system before we discuss PIPA’s impact on its government agency participants.
Although there are several different types of integrated justice information systems, a common approach at both the federal and state levels is the development of a centralized data warehouse. These systems enhance the sharing of information by aggregating local agency information and making it accessible across jurisdictions. In the criminal justice context, an integrated information system will frequently contain police incident reports from participating agencies. Police incident reports may be created for criminal or non-criminal events and frequently contain information about suspected offenders as well as victims, witnesses, and other persons or entities associated with an event. The development of information systems that compile personally identifiable information from multiple sources has, in part, spurred a flurry of legislation in most states that is intended to protect persons who may be adversely affected by the unauthorized disclosure of their personal information. These statutes, like PIPA, focus on notifying individuals if potentially sensitive information about them is inappropriately disclosed.
PIPA is the state’s most far-reaching data protection legislation to date and outlines a data collector’s responsibilities in the event of a security breach. It compels data collectors to notify Illinois residents when there has been a breach of the security of system data.[2] Notification must be made in the most expedient time possible and without unreasonable delay following discovery or notification of the breach.[3] PIPA only requires notification, however, if unencrypted personal information is compromised.[4] The statute provides for a variety of methods of notification.
The notification requirement is triggered if two pieces of unencrypted data are accessed, e.g., a resident’s name together with their social security number, driver’s license number, state identification card number, credit card number, or financial account number. These types of information are of significant importance to the criminal justice system and, as such, justice agencies should be especially aware of their requirements under PIPA.
PIPA has even broader implications for state agencies in that they are subject to stricter requirements than other data collectors. State agencies must make notification if there has been a breach of the security of system data or written material. Additionally, state agencies must file a report with the General Assembly within five business days listing the breach and outlining any corrective measures that have been taken to prevent future breaches. Furthermore, state agencies are required to dispose of personal data that is no longer needed in a manner that ensures its security and confidentiality.
One of the benefits of making personally identifying information readily available from multiple sources is a much more efficient justice system. However, an integrated information system also increases the risk if that personal information is compromised. A breach may take the form of a brute force attack, such as an intrusion at a weak link in the data warehouse itself or through a participating agency’s information technology network. A breach may also occur if a user misplaces or discloses his password, or if a user prints personally identifying information from the system and then misplaces that printout. Because PIPA provides no exception to an agency’s duty to notify affected individuals when data within the possession of a third party is compromised, agencies participating in an integrated justice information system must take steps to coordinate their response to a security breach. The data collector must provide notice if personally identifying information is accessed, regardless of the form of the breach.
This article recommends that participating agencies and system administrators preemptively address these issues by entering into memoranda of understanding (MOU) that clearly set forth each respective agency’s obligations in the event of a breach. There is no provision in PIPA that allows one agency to delegate its duty to notify to another; thus, in the event a breach of an integrated system’s security occurs, both the participating agency and the system administrator must coordinate their efforts and share responsibility for the notification.
MOUs set forth the basic principles and guidelines that agencies will abide by when working together to achieve a common goal. Such memoranda typically address, among other issues, costs associated with participation and how agencies will resolve unanticipated disputes. In order to ensure compliance with PIPA, the MOU should:
• Address interagency notification (e.g., local agencies need to notify the system administrator when they discover a breach; system administrators must notify the local agency whose data has been improperly disclosed);
• Require that the system administrating agency and each participating agency establish a core response group that can be convened in the event of a breach to help guide further response;
• Establish a formal process to evaluate whether breaches require notification;
• Establish criteria for determining whether notification is appropriate;
• Outline the shared responsibilities for costs associated with notice;
• Specify the manner and form of notice; and
• Identify the content of the notice.
Although PIPA does not set forth the types of information that should be included in a notice of breach, the Government Accountability Office and the International Association of Privacy Professionals offer some guidance.[5] In addition to providing a general description of what occurred, these sources recommend that agencies provide affected individuals with information about:
1. The type of personal information involved;
2. Any steps that have been taken to prevent further unauthorized acquisition of personal information;
3. The types of assistance, if any, to be provided to affected persons;
4. Information about what individuals can do to protect themselves from identity theft; and
5. Any resources available to individuals in order to protect themselves from identity theft, e.g., the Federal Trade Commission Web site (http://www.ftc.gov/bcp/edu/microsites/idtheft/) or a Web site where consumers may monitor and review their credit report (www.annualcreditreport.com/cra/index.jsp).
For most agencies and organizations, the question is not if a security breach will occur, but when. Having a comprehensive MOU in place at the inception of an integrated justice information system is critical to ensuring a proper response to a breach and contributes to the ultimate success of the system.
1. Kathleen deGrasse is a Master Sergeant and an attorney with the Illinois State Police. Prior to becoming Transportation Counsel for the Illinois Commerce Commission, Wil Nagel served as a policy analyst with the Illinois Integrated Justice Information System. The opinions expressed herein are those of the authors and do not reflect the position of the Illinois State Police or the Illinois Commerce Commission.
2. 815 ILCS 530/20 - A violation of PIPA constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
3. 815 ILCS 530/10 (a) - Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system; (b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person; (b-5) The data collector may first take any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. Notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. The data collector must make notification as soon as it will no longer interfere with the investigation.
4. A system administrator may encrypt its system’s data during transmission but not while the data is at rest in the warehouse. In this case, PIPA notification requirements would apply only if the personally identifying information were accessed while at rest.
5. See David M. Walker, “Preventing and Responding to Improper Disclosures of Personal Information,” U.S. Govt. Accountability Off. 06-833T, 16 (2006); Lisa J. Sotto and Aaron P. Simpson, “A How-To Guide to Information Security Breaches,” The Privacy Advisor (newsletter of the Intl. Assn. of Priv. Prof.) Vol. 7, No. 5 (May 2007).