You are reviewing personnel records containing PII when you notice a record with missing information

Contents

  • Why does PII need to be secured?
  • What is considered PII?
  • Sensitive vs. nonsensitive PII
  • How is PII used in identity theft?
  • PII laws and regulations
  • PII security best practices
  • PII vs. PHI

Personally Identifiable Information (PII) is defined as:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

Department of Labor (DOL) contractors are reminded that safeguarding sensitive information is a critical responsibility that must be taken seriously at all times. DOL internal policy specifies the following security policies for the protection of PII and other sensitive data:

  • It is the responsibility of the individual user to protect data to which they have access. Users must adhere to the rules of behavior defined in applicable Systems Security Plans, DOL and agency guidance.
  • DOL contractors having access to personal information shall respect the confidentiality of such information, and refrain from any conduct that would indicate a careless or negligent attitude toward such information. Contract employees also shall avoid office gossip and should not permit any unauthorized viewing of records contained in a DOL system of records. Only individuals who have a "need to know" in their official capacity shall have access to such systems of records.

The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because DOL employees and contractors may have access to personally identifiable information concerning individuals and other sensitive data, we have a special responsibility to protect that information from loss and misuse.

In line with these responsibilities, contractors should ensure that their employees:

  • Safeguard DOL information to which they have access at all times.
  • Obtain DOL management's written approval prior to taking any DOL sensitive information away from the office. The DOL manager's approval must identify the business necessity for removing such information from the DOL facility.
  • When approval is granted to take sensitive information away from the office, adhere to the security policies described above.

Contractors should ensure their contract employees are aware of their responsibilities regarding the protection of PII at the Department of Labor. In addition to the foregoing, if contract employees become aware of a theft or loss of PII, they are required to immediately inform their DOL contract manager. In the event their DOL contract manager is not available, they are to immediately report the theft or loss to the DOL Computer Security Incident Response Capability (CSIRC) team at .

Personally identifiable information (PII) is any data that could potentially identify a specific individual.

Any information that can be used to distinguish one person from another, or to re-identify individuals in data that was previously anonymized, is considered PII.

PII may be used alone or in combination with other data to identify an individual. It includes direct identifiers, such as a passport number, that identify a person on their own, and quasi-identifiers, such as race or date of birth, that identify nobody in isolation but single out an individual once several of them are combined.

Why does PII need to be secured?

Protecting PII is essential for personal privacy, data privacy, data protection, information privacy and information security. With just a few bits of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal.

As individuals' personal data is recorded, tracked and used daily -- such as in biometric scans with fingerprints and facial recognition systems used to unlock devices -- it is increasingly essential to protect individuals' identity and any pieces of identifying information unique to them.

What is considered PII?

Any information that can uniquely identify people as individuals, separate from all others, is PII. It may include the following:

  • name
  • address
  • email
  • telephone number
  • date of birth
  • passport number
  • fingerprint
  • driver's license number
  • credit or debit card number
  • Social Security number

Definitions for PII vary. According to the U.S. General Services Administration (GSA), "The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available -- in any medium and from any source -- that, when combined with other available information, could be used to identify an individual."

Although the legal definition of PII may vary from jurisdiction to jurisdiction and state to state, the term typically refers to information that can be used to distinguish or trace an individual's identity, either by itself or in combination with other personal or identifying information that is linked or linkable to an individual.

The Department of Energy (DOE) defines PII as follows: "Any information collected or maintained by the department about an individual, including but not limited to education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual."

The DOE definition adds further examples of what can be considered PII, and it notes that such information becomes more sensitive as the degree of harm, embarrassment or inconvenience it would cause an individual or organization "if that information is lost, compromised or disclosed" increases.

Sensitive vs. nonsensitive PII

PII can be labeled sensitive or nonsensitive. Nonsensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories and websites. This might include information such as zip code, race, gender, date of birth and religion -- information that, by itself, could not be used to discern an individual's identity. Taken together, however, such quasi-identifiers can narrow a data set down to a single person, which is why the GSA guidance above treats the question of what counts as PII as a case-by-case risk assessment rather than a fixed list.
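To make the re-identification risk described in this section (and in the quasi-identifier discussion earlier on the page) concrete, here is an added example that is not part of the original page or of the DOL, GSA or DOE material it quotes. It measures the k-anonymity of a constructed "de-identified" table over the quasi-identifiers ZIP code, date of birth and sex, links that table to a constructed public list that still carries names, and then coarsens the quasi-identifiers until the linkage fails. The records, the names, the column choice and the generalize() policy are all assumptions made for the example; it goes slightly beyond the paragraph by showing the repair alongside the attack. Sweeney's 2000 study found that these three fields alone uniquely identify roughly 87% of the US population.

```python
"""k-anonymity check and linkage attack over quasi-identifiers (added example).

Direct identifiers (name, SSN) have been stripped from RECORDS, yet the columns
that remain still single people out once they are joined to a public list.
Every row below is constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

QUASI: Tuple[str, ...] = ("zip", "dob", "sex")  # columns assumed to be quasi-identifiers

# Constructed "de-identified" records: no names, no SSNs.
RECORDS: List[Dict[str, str]] = [
    {"zip": "02138", "dob": "1960-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1960-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1975-01-15", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1975-01-15", "sex": "F", "diagnosis": "influenza"},
    {"zip": "02139", "dob": "1975-01-15", "sex": "F", "diagnosis": "fracture"},
    {"zip": "02140", "dob": "1982-11-02", "sex": "M", "diagnosis": "migraine"},
]

# Constructed public list (think voter roll) carrying names plus the same columns.
VOTER_ROLL: List[Dict[str, str]] = [
    {"name": "Alice Example", "zip": "02138", "dob": "1960-07-31", "sex": "F"},
    {"name": "Bob Example", "zip": "02138", "dob": "1960-07-31", "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1975-01-15", "sex": "F"},
    {"name": "Dave Example", "zip": "02140", "dob": "1982-11-02", "sex": "M"},
]


def key_of(row: Dict[str, str], quasi: Sequence[str]) -> Tuple[str, ...]:
    return tuple(row[q] for q in quasi)


def equivalence_classes(rows: Sequence[Dict[str, str]], quasi: Sequence[str]) -> Counter:
    """How many rows share each combination of quasi-identifier values."""
    return Counter(key_of(r, quasi) for r in rows)


def k_anonymity(rows: Sequence[Dict[str, str]], quasi: Sequence[str]) -> int:
    """Size of the smallest equivalence class; k == 1 means at least one row is unique."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def linkage_attack(rows, public, quasi: Sequence[str]) -> List[Tuple[str, str]]:
    """Join de-identified rows to named public rows on the quasi-identifiers.

    A (name, diagnosis) pair is reported only when the match is unambiguous on
    both sides: exactly one row in the data set and one person in the public list.
    """
    by_key: Dict[Tuple[str, ...], List[str]] = {}
    for p in public:
        by_key.setdefault(key_of(p, quasi), []).append(p["name"])
    classes = equivalence_classes(rows, quasi)
    hits: List[Tuple[str, str]] = []
    for r in rows:
        key = key_of(r, quasi)
        names = by_key.get(key, [])
        if classes[key] == 1 and len(names) == 1:
            hits.append((names[0], r["diagnosis"]))
    return hits


def generalize(rows, zip_digits: int = 3, dob_chars: int = 4) -> List[Dict[str, str]]:
    """Coarsen the quasi-identifiers: keep a ZIP prefix and a DOB prefix, star out the rest.

    dob_chars=4 keeps only the birth year; 0 suppresses the date entirely.
    The policy is an assumption for this example; real releases tune it per column.
    """
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        g["dob"] = r["dob"][:dob_chars] + "*" * (10 - dob_chars)
        out.append(g)
    return out


if __name__ == "__main__":
    print("k on raw release:", k_anonymity(RECORDS, QUASI))  # 1
    print("re-identified:", linkage_attack(RECORDS, VOTER_ROLL, QUASI))  # three people
    coarse = generalize(RECORDS, zip_digits=3, dob_chars=0)
    print("k after generalization:", k_anonymity(coarse, QUASI))  # 2
    print("re-identified:", linkage_attack(coarse, generalize(VOTER_ROLL, 3, 0), QUASI))  # []
```

Keeping only the birth year (the default generalize()) still leaves k at 1 here, because the ZIP prefix, year and sex together remain unique for four of the six rows; the attack only stops once the date is suppressed. Deciding how much to coarsen is a per-release judgement, which is the practical content of the "case-by-case" language in the GSA quote.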

Sensitive PII is information that, when disclosed, could result in harm to the individual if a data breach occurs. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure.

Sensitive PII should therefore be encrypted both in transit and at rest. Such information includes biometric data, medical information covered by the Health Insurance Portability and Accountability Act (HIPAA), personally identifiable financial information (PIFI) and unique identifiers, such as passport or Social Security numbers.

Employee personnel records; tax information, including Social Security numbers and Employer Identification Numbers (EINs); password information; credit card numbers; bank accounts; electronic and digital account information, such as email addresses and internet account numbers; and school identification numbers and records are also on the list of sensitive PII.

How is PII used in identity theft?

A number of retailers, health-related organizations, financial institutions -- including banks and credit reporting agencies -- and federal agencies, such as the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), have experienced data breaches that put individuals' PII at risk, leaving them potentially vulnerable to identity theft.

The kind of information identity thieves are after will change depending on what cybercriminals are trying to gain. By hacking and accessing computers and other digital files, they can open bank accounts or file fraudulent claims with the right stolen information.

In some cases, criminals can open accounts with just an email address. Others require a name, address, date of birth, Social Security number and more information. Some accounts can even be opened over the phone or on the internet.

Additionally, physical files -- such as bills, receipts, a physical copy of birth certificates, Social Security cards or lease information -- can be stolen if an individual's home is broken into. Thieves can sell PII for a significant profit. Criminals may use victims' information without their realizing it. While thieves may not use victims' credit cards, they may open new, separate accounts using their victims' information.

PII laws and regulations

As the amount of structured and unstructured data available keeps mushrooming, the number of data breaches and cyberattacks by actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information.

Government agencies and other organizations must have strict policies about collecting PII through the web, customer surveys or user research. Regulatory bodies are hammering out new laws to protect consumer data, while users look for ways to stay online more anonymously.

The European Union's (EU) General Data Protection Regulation (GDPR) is one of a growing number of regulations and privacy laws that affect how organizations conduct business. GDPR, which applies to any organization that processes the personal data of individuals in the EU regardless of where that organization is established, has become a de facto standard worldwide. GDPR holds these organizations fully accountable for protecting that data, no matter where they might be headquartered.


PII security best practices

As organizations continuously collect, store and distribute PII and other sensitive data, employees, administrators and third-party contractors need to understand the repercussions of mishandled data and be held accountable. Some organizations use predictive analytics and artificial intelligence (AI) to sift through large data sets and discover and classify the PII they hold, so that stored data can be handled in line with the PII rules that apply to it.

Additionally, organizations establishing procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor (2FA) and multifactor authentication (MFA).

Other recommendations for protecting PII are:

  • encouraging employees to practice good data backup procedures;
  • safely destroying or removing old media with sensitive data;
  • installing software, application and mobile updates;
  • using secure wireless networks, rather than public Wi-Fi; and
  • using virtual private networks (VPNs).

To protect PII, individuals should:

  • limit what they share on social media;
  • shred important documents before discarding them;
  • be aware to whom they give their Social Security numbers; and
  • keep their Social Security cards in a safe place.

Individuals should also make sure to make online purchases or browse financial accounts only on HTTPS sites; watch out for shoulder surfing, tailgating or dumpster diving; be careful about uploading sensitive documents to the cloud; and lock devices when not in use.

PII vs. PHI

Protected health information (PHI) includes information used in a medical context that can identify patients, such as name, address, birthday, credit card number, driver's license and medical records.

Whether companies handle PII or PHI, they should employ records management programs to gain better control of their data, either by moving it into more robust document management systems and repositories or by disposing of content that is no longer required.

In the U.S., PHI is subject to strict confidentiality and disclosure requirements that don't apply to most other industries. While protecting PHI is always legally required, protecting PII is mandated only in some instances. Under HIPAA and the revisions to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, covered entities -- such as healthcare providers, insurers and their business associates -- are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide PHI to patients on request, in electronic form (ePHI) where the patient asks for it and the records are held electronically.

PHI is useful to patients and health professionals; it is also valuable to clinical and scientific researchers when anonymized. However, for hackers, PHI offers a wealth of personal consumer information that, when stolen, can be sold elsewhere or even held hostage through ransomware until the victimized healthcare organization sends a payoff.

What are PII safeguarding procedures?

Safeguards are protective measures the Army takes to prevent unauthorized access to or disclosure of personally identifiable information (PII). Safeguards are used to protect agencies from "reasonably anticipated threats."

What constitutes a PII violation?

One of the most familiar PII violations is identity theft, said Sparks, adding that when people are careless with information, such as Social Security numbers and people's date of birth, they can easily become the victim of the crime.

How can you help protect PII against unauthorized use?

10 steps to help your organization secure personally identifiable information against loss or compromise:

  • Identify the PII your company stores.
  • Find all the places PII is stored.
  • Classify PII in terms of sensitivity.
  • Delete old PII you no longer need.
  • Establish an acceptable usage policy.
  • Encrypt PII.
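Putting the first three of those steps into code, here is an added example that is not from the original page or from the article it quotes. It scans constructed personnel text for Social Security numbers, payment card numbers and email addresses, drops patterns that cannot be genuine (an SSN area number the SSA never issues, a card number that fails the Luhn check), classifies each hit by sensitivity, and stores only a masked value so that the scan report does not itself become a new store of PII. The regular expressions, the sensitivity tiers and the sample records are assumptions made for the example; dates of birth, postal addresses and other free-text PII need context-aware detection that a regex alone cannot provide.

```python
"""PII discovery and classification over text (added example; sample data constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sensitivity tiers are an assumption for this example; an organization sets them by policy.
SENSITIVITY: Dict[str, str] = {"ssn": "sensitive", "card": "sensitive", "email": "nonsensitive"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    sensitivity: str
    masked: str  # the raw value is deliberately never kept in the report


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN shapes the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask_digits(value: str, keep: int = 4) -> str:
    """Star out every digit except the last `keep`, preserving separators for readability."""
    total = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def mask_email(value: str) -> str:
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain


def scan(text: str) -> List[Finding]:
    """Return one Finding per validated hit, in line order; false positives are filtered out."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(lineno, "ssn", SENSITIVITY["ssn"], mask_digits(m.group(0))))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                findings.append(Finding(lineno, "card", SENSITIVITY["card"], mask_digits(m.group(0))))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(lineno, "email", SENSITIVITY["email"], mask_email(m.group(0))))
    return findings


# Constructed sample input; the card number is the standard "4111..." test number.
SAMPLE = """\
Employee: Jane Example <jane.example@example.org>
SSN on file: 123-45-6789
Legacy record SSN: 000-12-3456
Corporate card: 4111 1111 1111 1111
Typo in card: 4111 1111 1111 1112
Ticket: 9876543210 ext 42
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind:5} {f.sensitivity:12} {f.masked}")
```

Lines 3, 5 and 6 of the sample produce nothing: the first is an SSN with an area number of 000, the second fails the Luhn check, and the third is too short to be a card number. The two validity checks are what keep a scan of a large file share from drowning in ticket numbers and phone numbers; the masking is what lets the resulting report be shared with the people who have to act on it.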

What is a permitted disclosure of PII contained in a system of records?

A routine use is a disclosure of PII from a system of records to a recipient outside of DoD. Routine use disclosures must be consistent with the purpose(s) for which the information was collected and must be published in the Federal Register.
