OLA Guidelines on Identity Theft


Libraries collect and store personal data about their users, volunteers, donors and staff, and have legal and ethical responsibilities to protect that data. The OLA Legislative Committee developed these guidelines to address state and federal law concerning identity theft. We drew on several resources, including the State of Oregon's excellent guide, Protecting Your Personal Information - A Business Guide. 

State and federal law require libraries to have reasonable safeguards in place to protect personal information. Many libraries are covered by plans developed by their city, university or county; others, such as independent library districts, must address the issue on their own. Even when covered by a larger entity, libraries have unique issues and concerns with personal information, so OLA recommends that every library review its own policies and procedures. 

Preventing identity theft in the library is different from protecting patron privacy. The two are related, but libraries must take specific steps to protect users' personal information from theft. The American Library Association provides valuable advice on patron privacy, and every library should have a privacy policy in place. 

Definitions 

Personal information means an individual’s name, address, date of birth, photograph, fingerprint, biometric data, driver license number, identification card number or any other unique personal identifier or number. (HB 2371) 

In the library, personal information includes circulation records and records of Internet use, including database use. It includes surveillance footage and other physical records of an individual's presence in the library. With the growth of virtual services, personal information also appears in records of reference transactions conducted by e-mail, instant messaging and chat.

OLA suggests that all libraries address their responsibilities for the personal information of users, staff members and volunteers: 

  • Develop a policy 
  • Implement procedures 
  • Train staff to respond 

Resources 

Policies and Procedures 

All libraries should have a policy in place to protect the personal data they hold. 

Even if your city, university, school, county, etc. has a policy, libraries have unique issues. Make sure these issues are addressed in either a library policy or the broader institutional one. 

Any policy should contain: 

  • The reasons for the policy
  • The relevant laws 
  • Definitions of terms used 
  • Explicit timing of periodic review 

Here are two policies as examples: one where the library is part of a city and one where it is a separate district. 

City of Waldport 

Baker County Library District

Procedures describe how to execute the policy. Library issues revolve around the collection, use, storage and de-accession of personal ID data. Procedures should address the following: 

  • Physical collection, protection and destruction of personal data, including human resources information 
  • Legal concerns such as contracts with vendors and intergovernmental agreements 
  • Staff access to data, including access by volunteers and student workers 
  • Local governance issues that address the library's relationship with data repositories controlled by others, including the city, county, university, etc. 

These procedures follow best practices identified from a variety of sources. 


Physical Access 

  1. Lock CDs, floppy disks, zip drives, tapes and backups in a file cabinet or locked room with limited access. 
  2. Limit access to the servers and staff computers that store personal ID information. 
  3. Use firewalls where appropriate. 
  4. Before disposing of computers and storage media, remove personal ID information by securely wiping or physically destroying the media; simply deleting files does not remove the data. 

Data Collection 

  1. Review what you collect, including what you ask for on the library card application and what you record about volunteers. 
  2. Don't collect information you are not going to use. 
  3. Keep library personal ID data separate from that of non-library departments, units, etc. 
  4. Tell people what you do with the information you collect. 
  5. Shred paper forms once they have been converted to electronic form. 
  6. Develop a regular schedule for reviewing and deleting patron records. 
  7. Develop a regular schedule for reviewing, archiving and deleting other personal ID records the library accumulates, such as personnel, volunteer and donor records. 

Data Protection 

  1. Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract. 
  2. Inventory what personal ID information is stored and where. 
  3. Assess who has access to what, and make sure those people are aware of the sensitivity of the data. 
  4. Train staff to protect the data: use strong passwords, maintain firewalls and encrypt data as appropriate. 
  5. Conduct a risk assessment and security audit on a regular basis. 


Sharing Data 

  1. When contracting, choose providers capable of maintaining appropriate safeguards and require those safeguards by contract. 
  2. When developing intergovernmental and consortial agreements, identify what personal ID data is shared, where it is stored and who is responsible for its protection. 
  3. When working within your institutional setting, identify what personal ID data is shared internally, where it is stored and who is responsible for its protection. 
  4. Address who handles requests for access to library personal ID data. 

Best Practices and Responses

Everyone who works in a library needs to be concerned about identity theft, understand the library's perspective on privacy, and know how to respond when there is a data breach or a request for personal ID information. 

Staff training and periodic reviews of policy and procedures will help your library protect sensitive data. 

Staff training session components

  • Why – professional ethics, library philosophy 
  • How to protect – develop and review procedures 
  • How to respond to a breach 
  • How to respond to law enforcement (e.g. evidence found at a crime scene, a runaway contacted over the Internet) 
  • How to respond to patron requests 
  • How to respond to claims of ID theft 

How to respond to a breach: 

  1. Communicate with the appropriate staff. 
     a. Those detecting a security breach should inform library administration first. 
     b. Law enforcement should be informed after library administration has assessed the situation. 
     c. Maintain a current list of emergency contacts, in order of escalation, and revise it regularly. 
  2. Coordinate the response. 
     a. Notify patrons whose records may have been compromised. Include what information was compromised and how the library is responding. 
     b. Notify the institution and governing bodies (e.g. the library board). 
     c. Inform library staff, including volunteers, as appropriate. 
     d. Be prepared to respond to the media and an anxious public. 
  3. After the response, review the breach and take appropriate action to resolve the security issues that allowed it. 


Responding to requests for personal information: 

OLA recommends limiting what personal information is shared with law enforcement and others. While library patron records are exempt from public disclosure, that exemption does not by itself prevent a local library or jurisdiction from sharing them with law enforcement. In 1995, the Oregon Attorney General issued a Letter of Advice describing the exemption in more detail; it is worth reviewing when drafting your library's policy. 

Some situations are challenging for library staff to handle, especially when the request would benefit the library or involves the police. 

Internal Use

At times, your Friends group may ask for a list of library card holders so they can mail thank-yous to all library users. OLA suggests that your policy restrict internal use as well, to protect users' privacy and identity. A best practice is an opt-in: ask patrons when they register whether they want to share their personal ID with the Friends group or other library entities. 

Law Enforcement Requests

Every library should have a policy in place that describes how to interact with law enforcement requests for personal information. OLA suggests the following as best practices or guidelines:

  • If the police request personal information about a library user, they should present a subpoena. One of the few exceptions is a law enforcement officer presenting a National Security Letter as authorized by the USA PATRIOT Act. 
  • Any time a law enforcement officer requests information, library administration should be notified immediately, before any information is released. 


Here are some situations that make good training scenarios for staff: 

  • A 16-year-old e-mailed her parents from the library. The police arrive and want to know which computer she used and what she viewed. They need a subpoena: answering would require matching her library card number to the terminal log data.
  • Police come in with library videos found at a crime scene. The officer wants to know who checked them out. They need a subpoena.
  • Some kids tagged a wall and were seen running into the library. The police want to see the security tapes. You can show them; set them up with popcorn.
  • Police arrive looking for a missing 10-year-old and show the staff a picture. Staff can identify the child from the photo; no patron record is involved.
  • The FBI shows up wanting the circulation record of a 24-year-old. They need a subpoena unless they have a National Security Letter. If they present an NSL, library staff should immediately contact library administration and the institution's lawyer.
