Managing Personally Identifiable Information (PII)

Managing

Personally
Iden0ﬁable
Informa0on
(PII)

KP
Naidu

May
2011

What
is
PII?

 Personally
Iden0fiable
Informa0on

(PII)
is
any
informa0on,
maintained

by
a
company,
which:

•  can
be
used
to
dis0nguish
or
trace
an

individual’s
iden0ty

•  is
linked
or
linkable
to
an
individual

 Examples
of
PII:

•  Name,
Address,
SSN,
Date
of
Birth,
Phone
Number

•  Device
specific
sta0c
iden0fier
(e.g.,
IP
Address,
UDID,
etc.)

•  Logs
of
user
ac0ons

•  Financial,
Employment
or
Loca0on
data

Page:
2

PII
Data
Breaches
(2010/2011)

>
77M
Users

32M
Users

45
out
of
51
companies
surveyed
had
a
data
breach
in
2010

(Symantec
sponsored
study
carried
out
by
Ponemon
Ins0tute)

Page:
3

PII
and
the
Law

Page:
4

PII
and
the
Law

 US
Government
Ac0ons:

•  Federal
Grand
Jury
inves0ga0ng
mobile
apps
and
the

data
they
transmit
about
user
ac0ons

•  Boucher-‐Stearns
draY
bill

•  Rush:
Best
Prac0ces
Act
of
2011
(draY)

•  Pending/current
state
laws
&
rules
regula0ng
use
of
PII

Page:
5

Other
Impacts
of
a
PII
Breach

 Loss
of
customers

 Revenue
loss

 Drop
in
customer
conﬁdence

 Adverse
publicity

 Departure
of
key
employees
Sony
execu0ves
apologize
aYer
recent
data
breach

Average
cost
per
compromised
record:
$266

Page:
6

Steps
to
Managing
PII

 Assess
Conﬁden0ality
Impact
Levels

for
PII
collected
and
used
by
the

organiza0on

 Implement
Appropriate
Controls

•  Opera0onal
Safeguards

•  Privacy
Safeguards

•  Security
Controls

 Prepare
Incident
Responses
for

Data
Breaches

Page:
7

Confiden0ality
Impact
Levels
-‐
I

  The
confiden0ality
of
PII
should
be
protected
based
on

its
impact
level.
Items
of
PII
which
do
not
need

protec0on
include:

•  Publicly
available
informa0on
(phone
book)

•  Informa0on
voluntarily
shared/disclosed

•  Informa0on
that
organiza0on
has
permission
or
authority

to
release
publicly

  Assess
the
harm
caused
by
a
breach
of
confiden0ality

•  Individual
Harm:
Relates
to
adverse
affects
experienced
by
an

individual
when
a
breach
of
confiden0ality
occurs
with
their
PII

•  Organiza>onal
Harm:
This
may
take
the
form
of
financial
losses,

loss
of
public
reputa0on
and
public
confidence,
legal
liability

and
addi0onal
administra0ve
work

Page:
8

Confiden0ality
Impact
Levels
-‐
II

Impact
Level


LOW
MODERATE
HIGH

Impact
Type


Limited

Mission
capability
Significant
Degrada0on
Severe
Degrada0on

Degrada0on

Organiza0onal
Assets
Minor
Damage
Significant
Damage
Major
Damage

Financial
Loss
Minor
Significant
Major

Significant;
does
not
Catastrophic;
involves

Harm
to
Individuals
Minor
involve
loss
of
life
or
loss
of
life
or
serious

serious
injuries
injuries

Page:
9

Confiden0ality
Impact
Levels
–
III

The
following
factors
must
be
considered
while
determining

impact
levels:

  Iden>fiability:
Evaluate
how
easily
PII
can
be
used
to
iden0fy

specific
individuals

•  SSNs
can
uniquely
and
directly
iden0fy
individuals
(High)

•  Zip
Code
or
Date
of
Birth
can
significantly
narrow
a
list
(Moderate)

  Quan>ty
of
PII:
Consider
how
many
individuals
are
iden0fied
in

the
informa0on

•  25
records
(Low)
versus
2
million
records
(High)

  Data
Field
Sensi>vity:
Evaluate
the
sensi0vity
of
each
individual

PII
data
field
as
well
as
sensi0vity
of
the
fields
together

•  An
individual’s
SSN
is
more
sensi0ve
than
his
phone
number

•  A
combina0on
of
name
and
address
is
more
sensi0ve
than
either
one
by
itself

•  Some
data
fields
have
higher
poten0al
for
harm
when
used
in
contexts
other

than
their
intended
use.
E.g.,
mother’s
maiden
name,
place
of
birth
are
oYen

used
to
recover
account
passwords

Page:
10

Confiden0ality
Impact
Levels
-‐
IV

  Context
of
Use:
This
is
the
purpose
for
which
PII
is
collected

and
used

•  E.g.,
providing
services,
behavioral
analysis,
evalua0on
of
preferences,
serving
up

ads,
sta0s0cal
analysis
or
law
enforcement

•  Important
for
understanding
how
disclosure
can
harm
individuals
and
the

organiza0on

•  Relevant
to
evalua0ng
impact
to
different
categories
of
people
–
list
of

newslemer
subscribers
compared
to
list
of
law
enforcement
officers

  Obliga>on
to
Protect
Confiden>ality:

•  There
may
be
legal
or
contractual
obliga0ons
to
protect
PII.
The
collected
PII

may
being
assigned
higher
impact
levels
as
a
result

  Access
to
and
Loca>on
of
PII:
Factors
to
consider:

•  Number
of
people
who
have
access
to
PII

•  Frequency
of
access

•  Remote,
offsite
or
offshore
access
or
backups

•  Accessed
or
carried
around
by
mobile
workers

Page:
11

Opera0onal
Safeguards

  Create
Policies
and
Procedures
in
the
following
areas:

•  Access
Rules
for
PII

•  PII
Reten0on
Schedules
and
Procedures

•  PII
Incident
and
Data
Breach
No0fica0on

•  Privacy
in
the
SDLC
process

•  Limita0on
of
collec0on,
disclosure,
sharing
and
use
of
PII

•  Consequences
for
failure
to
follow
these
policies

  Training
and
Educa0on:

•  Designed
to
change
behavior
or
reinforce
PII
prac0ces

•  Focus
amen0on
on
protec0on
of
PII

•  Updates
on
the
latest
scams
and
breaches
and
their
impacts

•  Examples
of
how
staff
involved
in
inappropriate
ac0ons
have
been
held

accountable

•  Examples
of
recommended
prac0ces

•  Specific
role-‐based
training

Page:
12

Privacy
Safeguards
-‐
I

  Minimize
the
Collec0on,
Use
and
Reten0on
of
PII.
This
is

the
“minimum
necessary”
principle

•  Collect
only
those
items
of
PII
which
are
essen0al
to
meet
the

organiza0on’s
business
purpose

•  If
PII
serves
no
current
purpose,
then
it
should
no
longer
be
collected

and
used

•  Check
if
previously
collected
PII
is
s0ll
relevant
and
necessary.
If
not,

then
the
PII
must
be
properly
destroyed.
Ensure
that
destruc0on

conforms
to
any
legal
or
contractual
requirements

  Conduct
a
Privacy
Impact
Assessment
(PIA).
This
is
a

structured
process
to
iden0fy
conﬁden0ality
risks
at
every

stage
of
SDLC.
Collect
details
of:

•  PII
to
be
collected

•  Reason
for
collec0ng
this
PII

•  The
intended
use
of
the
PII

•  How
the
PII
will
be
secured

Page:
13

Privacy
Safeguards
-‐
II

  De-‐Iden0fying
Informa0on:

•  Full
data
records
not
always
required.
E.g.,
correla0ons,
trend
analysis

•  Obscure
enough
PII
so
that
remaining
informa0on
does
not
iden0fy
an

individual

•  May
be
re-‐iden0fied
via
a
code
or
algorithm
assigned
to
each
record

•  Re-‐iden0fying
code
or
algorithm
should
not
be
derived
from
other

related
informa0on
about
the
individual

•  Means
of
re-‐iden0fica0on
should
only
be
known
to
authorized
staff

and
not
disclosed
to
anyone
without
the
authority
to
re-‐iden0fy

records

•  Can
be
assigned
a
PII
confiden0ality
impact
level
of
LOW
provided
the

following
condi0ons
are
both
true:

  The
re-‐iden0fica0on
algorithm
or
code
is
maintained
in
a
separate
system,

with
controls
to
prevent
unauthorized
access;
and

  The
data
elements
are
not
linkable,
via
public
records
or
other
reasonably

available
external
records
in
order
to
re-‐iden0fy
the
data

Page:
14

Privacy
Safeguards
-‐
III

  Anonymized
Informa0on:

•  De-‐iden0fied
informa0on
for
which
a
code
or
algorithm
for
re-‐
iden0fica0on
no
longer
exists

•  Informa0on
is
no
longer
PII

•  Usually
involves
applica0on
of
disclosure
limita0on
techniques
like:

  Generalizing
the
Data
–
making
informa0on
less
precise

  Suppressing
the
Data
–
Dele0ng
an
en0re
record
or
certain
parts
of
a
record

  Introducing
Noise:
Adding
small
amounts
of
varia0on
into
selected
data

  Swapping
Data:
Exchanging
data
fields
of
one
record
with
the
same
data
fields

of
another
similar
record
(e.g.,
swapping
ZIP
codes
of
two
records)

  Replacing
data
with
the
average
value
–
replacing
a
selected
value
of
data
with

the
average
value
for
the
en0re
group
of
data

•  Useful
for
system
tes0ng
since
realis0c
proper0es
are
retained

Cau>on:
PII
used
in
test
environments
requires
the
same
level
of

protec0on
as
in
produc0on
environment

Page:
15

Security
Controls
-‐
I

Specific
security
controls
should
be
established
to
ensure

confiden0ality
of
PII

  Access
Controls:

•  Iden>fica>on
and
Authen>ca>on:
Users
must
be
uniquely
iden0fied
and
authen0cated

prior
to
accessing
PII.
Typically,
two-‐factor
authen0ca0on
is
required
as
well
as
a
0me-‐
out
func0on
for
remote
access

•  Enforcement:
Control
access
to
PII
through
role-‐based
access
control
to
allow
each
user

to
only
access
pieces
of
data
necessary
for
the
user’s
role;
or
allow
access
only
through

an
applica0on
which
0ghtly
restricts
access
to
PII

•  Least
Privilege:
Ensure
that
users
only
have
access
to
the
minimum
amount
of
PII,
along

with
those
privileges
–
read,
write,
execute
–
that
are
necessary
to
perform
their
work

•  Remote
Access:
Prohibit
or
strictly
limit
access
to
PII.
If
remote
access
is
permimed,

ensure
that
the
communica0ons
are
encrypted

•  Mobile
Devices:
Prohibit
or
strictly
limit
access
to
PII
from
portable
or
mobile
devices

because
these
are
generally
higher-‐risk
than
non-‐portable
devices.
If
access
is
permimed,

ensure
devices
are
properly
secured
with
up-‐to-‐date
an0-‐malware
soYware
and
OS

patches

•  Media
Access:
Restrict
access
to
media
(CDs,
USB
flash
drives,
tapes,
paper,
etc.)

containing
PII

Page:
16

Security
Controls
-‐
II

  Separa>on
of
Du>es:
Enforce
separa0on
of
du0es
for
roles

involving
access
to
PII.
For
example,
users
of
de-‐iden0ﬁed

data
should
not
also
be
in
roles
that
permit
them
to
access

the
codes
needed
to
re-‐iden0fy
the
records

  Monitoring
and
Audits:

•  Monitor
all
access
to
PII
to
detect
unauthorized
access
events
or

amempts

•  Monitor
PII
internally
or
at
network
boundaries
for
unusual
or

suspicious
data
transfers

•  Regularly
review
and
analyze
system
logs
for
indica0ons
of

inappropriate
or
unusual
ac0vity
aﬀec0ng
PII
and
inves0gate

suspicious
ac0vity
or
suspected
viola0ons

Page:
17

Security
Controls
-‐
III

  Media
Handling:

•  Marking:
Label
media
containing
PII
to
indicate
how
it
should
be

distributed
and
handled

•  Storage:
PII
on
paper
or
on
digital
media
must
be
securely
stored
un0l

it
is
destroyed
or
sani0zed.
For
example,
encrypt
data
stored
on

storage
drives,
backup
taps
and
removable
media

•  Transport:
Protect
media
and
mobile
devices
containing
PII
that
is

transported
outside
the
organiza0on’s
controlled
areas

•  Sani>za>on:
Sani0ze
media
containing
PII
before
it
is
disposed
or

released
for
reuse

  Informa>on
Transmission:
Protect
the
conﬁden0ality
of

transmimed
PII
either
by
encryp0ng
the
communica0ons
or

by
encryp0ng
the
informa0on
before
it
is
transmimed

Page:
18

Incident
Responses
-‐
I

Breaches
involving
PII
must
be
handled
differently
from
other

incidents
because
there
are
specific
features
and
risks
associated

with
breaches
involving
PII
which
may
not
be
associated
with

other
incidents.

  Prepara>on

•  Integrate
response
plans
for
PII
breaches
into
exis0ng
incident

response
plans.

•  Train
en0re
staff
on
policies
and
procedures

•  Carry
out
simula0on
exercises
to
evaluate
whether
exis0ng
procedures

are
adequate
and
to
assess
whether
staff
are
able
to
perform
their

roles
as
required

•  Employees
must
clearly
know
how
to
iden0fy
a
PII
breach
and
what

informa0on
about
the
breach
needs
to
be
reported

•  Employees
must
be
able
to
report
any
breach
involving
PII

immediately,
24x365

•  Iden0fy
person
or
commimee
(named
members)
responsible
for

coordina0ng
organiza0ons
response

Page:
19

Incident
Responses
-‐
II

  Informa>on
to
be
collected
about
Breach

•  Person
repor0ng
the
incident

•  Person
who
discovered
the
breach

•  Date
and
0me
the
breach
was
discovered

•  Nature
of
the
incident

•  Name
of
system
and
possible
interconnec0vity
with
other
systems

•  Descrip0on
of
informa0on
lost
or
compromised

•  Controls
in
place
to
prevent
unauthorized
use
of
compromised
informa0on

•  Number
of
individuals
poten0ally
affected

•  Storage
medium
from
which
informa0on
was
compromised

•  Whether
law
enforcement
was
contacted

  Elements
of
Breach
No>fica>on
plans

•  Whether
no0fica0on
to
affected
individuals
is
required

•  Timeliness
of
the
no0fica0on

•  Source
of
the
no0fica0on

•  Contents
of
the
no0fica0on

•  Means
of
providing
the
no0fica0on

•  Who
receives
the
no0fica0on;
public
outreach
response

•  What
ac0ons
were
taken
and
by
whom

Page:
20

Incident
Responses
-‐
III

  Breach
Detec>on
&
Analysis

•  Evaluate
all
incidents
to
check
if
a
breach
of
PII
is
involved

  Containment,
Eradica>on
&
Recovery

•  Media
sani0za0on
may
be
required
when
PII
is
deleted
during
recovery

from
a
breach

•  Check
if
PII
needs
to
be
preserved
for
evidence;
check
with
legal
counsel

prior
to
sani0zing
PII

•  Use
forensics
techniques
to
ensure
preserva0on
of
evidence

•  Determine
whether
PII
was
accessed
and
how
many
records
or

individuals
were
aﬀected

  Post-‐incident
Ac>vity

•  Conduct
retrospec0ve
analysis
to
gather
key
lessons

•  Share
informa0on
and
lessons
learned
within
organiza0on
as
well
as

with
external
agencies
as
required.

•  Update
incident
response
plan
as
required

Page:
21

KP
Naidu

kpnaidu@gmail.com

Page:
22

Managing Personally Identifiable Information (PII)

More Related Content

What's hot

Viewers also liked

Similar to Managing Personally Identifiable Information (PII)

Managing Personally Identifiable Information (PII)