If you suspect that personal information has been lost, accessed or disclosed without authorization, it is important to report the incident immediately to the Privacy Office at privacy@psu.edu or Information Security at security@psu.edu. Don’t wait: timely reporting is critical and can help mitigate risk.

Notifiable PII

“PII” refers to “personally identifiable information.” The Pennsylvania Breach of Personal Information Notification Act applies to the data elements below when there is an associated name (first initial or first name and last name) in combination with any of the following:

  • Social Security number
  • Driver’s license number or a state identification card number issued in lieu of a driver’s license
  • Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Passport numbers
  • Biometric data (including fingerprints, retina/facial images, and DNA profile)
  • Individually identifiable health information
  • Health insurance information
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account

If the Privacy Office has determined a security breach to be notifiable, it will provide guidance on next steps, including reporting obligations for other applicable state breach laws.

Note:

P-cards are not considered to be notifiable; however, the department should notify its local financial officer about the detected P-card(s) so they can close the account(s).

Financial account numbers may be handled differently per Penn State practice. This depends heavily on the other data components that may accompany the bank account number. If bank account numbers are detected, please check with the Privacy Office to determine whether the data is notifiable.

For more information, refer to University Privacy Policy, AD53.