[BreachExchange] Ever Hear of Pii? What You Need to Know About Its Life Cycle in Business
Audrey McNeil
audrey at riskbasedsecurity.com
Wed May 11 20:41:55 EDT 2016
http://www.foxnews.com/us/2016/05/11/ever-hear-pii-what-need-to-know-about-its-life-cycle-in-business.html
In high school you learned about pi, remember? Pi is the the ratio of a
circle's circumference to its diameter, commonly approximated as 3.14159.
All well and good. But now it’s time to learn about pii.
PII stands for "personally identifiable information." And personally
identifiable information can mean an assortment of things, such as name,
address, social security number and biometric data, like voice and
fingerprint identifiers.
As such, pII isn’t always private information, but often it is sensitive.
Think: passport number, health information and medical records -- all part
of the concept of “privacy” you hear so much about, in terms of personal
information and cyberspace. Companies, such as banks and health plans,
which store private, personal information about people should allow those
same people to determine how their pII is used or revealed.
And that brings up the matter of the pii life cycle. At birth, pii is
rounded up and collected because the need exists for this data, for various
small business transactions. At death, if you want to call it that, the
cycle is finished: Pii data is no longer needed.
What are the in-between stages? After pii is gathered, it’s stored and
maintained in a computer system. It’s ready for use -- the next stage of
the life cycle. Along with that exists the need to share the pii, as in
disclosure or transfer or even sales/marketing. In a business, when the pii
is no longer needed, there are policies that determine when the time period
for holding on to the data has expired.
As mentioned, pii is usually of a sensitive nature, though not always, and
includes such items as email addresses and birthdates. A business’
responsibility is to handle sensitive data with lots of TLC, keeping it
protected from theft and private, based on the terms set forth by the
business that collects it and the client who agreed to those terms.
In fact, businesses have a lot of heavy responsibility when it comes to
handling pii:
Proper management of the entire life cycle
Protection of data, in offline form as well.
Prompt reporting of any violations of privacy
The end of the life cycle may be referred to as disposition. Proper
disposition is a must. This entails thorough shredding of sensitive
documents. It does notmean tossing out an old computer that still has its
hard drive into a rubbish can (where dumpster divers can retrieve it, take
out the hard drive and see what kind of juicy data is on it, like bank
account numbers and social security numbers).
Businesses need to watch out: Punishment for privacy violation is no picnic
and includes the possibility of criminal charges.
The Laws of Privacy
You’ve probably seen “HIPPA” and heard people say “Hippa.” The abbreviation
is actually HIPAA, short for the Health Insurance Portability and
Accountability Act. This means that your mother’s cardiologist isn’t going
to tell you what’s going on with her heart unless your mother “puts you on
her HIPAA.”
Translation: She authorizes the doctor to share information. HIPAA also
bars, for example, nurses telling a reporter why a movie star was treated
in the emergency room. HIPAA further makes it possible for patients to
access their own records.
Ever hear of COPPA? The Children’s Online Privacy Protection Act requires
that parental consent be obtained for websites that gather personal
information on kids under the age of 13. Here is a brief rundown of other
pii elements to be aware of:
The Privacy Act of 1974 is a primer for the gathering, use and sharing of
personal data.
The Office of Management and Budget Mandate M-07-16 requires protection for
pii in cyber and offline form.
The E-Government Act of 2002, titles II and III, makes it necessary for
federal agencies to analyze the influence of privacy for systems that
gather public data.
Policy Number HHS-OCIO-2008-0001.003: When suspicious things occur relating
to pii, action must be taken, and that’s where this policy comes in.
The National Institutes of Standards and Technology (NIST) Special
Publication 800-53, Revision 4, Security and Privacy Controls for Federal
Information Systems and Organizations. Check out the information about
privacy controls in Appendix J.
If you're unaware of these items, you need to start learning about them
now. Security for privacy requires a very systematic, strategic approach on
the part of businesses. And the advent of online data has only complicated
matters, raising the bar for security and protection.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160511/18423ddb/attachment.html>
More information about the BreachExchange
mailing list