Personal Identifiable Information (PII) Security
By Ken Bramlett
Over the past several years the increase in security breaches involving PII has contributed to the loss of millions of records. Security breaches involving PII are harmful to both organizations and individuals. Organizational damages may include a loss of public trust, legal liability, or remediation costs. Individual damages might include identity theft, embarrassment, or blackmail. According to the United States Government Accountability Office, PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
In this article, the term “breach” is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any other situation where someone other than the authorized user and/or any other than authorized purpose have access or potential access to PII, whether that access is physical or electronic.
A recent audit conducted by the City of Albuquerque (COA) Office of Internal Audit identified 27,037 records containing high-risk PII in one of the three systems tested. According to the 2018 Cost of Data Breach Study-Global Overview, performed by the Ponemon Institute LLC, the average cost per record breached is $148 per record. A breach of the 27,037 records would result in a cost of approximately $4 million to the COA.
The Ponemon Institute is considered the preeminent research center dedicated to privacy, data protection, and information security policy. Their annual consumer studies on privacy trust are widely quoted in the medical field and their research quantifying the cost of a data breach has become valuable to organizations seeking to understand the business impact of lost or stolen data.
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. The Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information was used as criteria in the above referenced audit by the COA.
The Control Objectives for Information and Related Technology (COBIT) and NIST have established best practices for PII including collecting, classifying, inventorying, safeguarding, and responding to data breaches.
COBIT 5 is a framework created by the Information Systems Audit and Control Association (ISACA) for information technology (IT) governance and management. COBIT 5:
- Provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
- Helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
- Enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
- Is generic and useful for enterprises of all sizes, whether commercial, not-for-profit, or in the public sector.
Information Technology (IT) can effectively maintain PII security on their systems by maintaining an active inventory of systems and devices containing PII. Each governmental entity should ensure policies and procedures and underlying controls for classifying and safeguarding PII at various departmental levels are established and updated as necessary. Ensuring employees having access to PII are trained on and aware of their responsibility to safeguard PII is an essential responsibility of management.
The COA has adopted a Sensitive Data Policy (SDP) that includes the handling, use, and safeguarding of PII. This policy applies to all City employees, contractors, consultants, vendors, temporary employees, volunteers, and other City workers to include personnel affiliated with third parties doing business with the City. Under the SDP, PII is classified as sensitive data and is the responsibility of each individual with access to sensitive data to safeguard this data.
Safeguards of PII are important to ensure the protecting PII from loss, theft, or misuse while simultaneously supporting the agency mission. The following are examples of safeguards:
- Administrative Safeguards – Training personnel on PII best practices;
- Physical Safeguards – Ensuring paper records and systems are secured and access is controlled; and
- Technical Safeguards – Encrypting system transmissions and emails, and requiring user access and login restrictions for systems.
The above information was extrapolated from a COA Performance Audit of Personal Identifiable Information (PII) Security on City Systems Report No. 18-103. The audit was conducted by the Office of Internal Audit, Senior Information Systems Auditor Alan Gutowski, and published on February 27, 2019. The Performance Audit is available in its entirety at https://www.cabq.gov/audit/documents/18-103-pii-security-on-city-systems-final-for-the-web-js_.pdf/view. In the event of a data breach involving PII there are steps that must be immediately undertaken to both prevent any further breach and to comply with applicable law. Immediate action is required to secure your system and to correct or mitigate any vulnerabilities that may have caused the breach. There are also other steps that must be taken to comply with applicable law. Those steps will vary dependent on the type of PII data breached as well as State and Federal laws. A guide for responding to PII data breaches is provided by the Federal Trade Commission (FTC).
There are several strategies for mitigating the risk of PII data loss.1 These strategies are:
- Encryption which is proven to help prevent data loss. Encryption will help protect against cybercriminals accessing PII as well as accidental mistakes by employees involving PII.
- Strong passwords are essential for online security. The NIST recommends a password policy framework based on the following:
- Drop the crazy, complex mixture of upper-case letters, symbols, and numbers. Use a user-friendly phrase with a minimum of eight characters and a maximum length of 64 characters.
- Do not use the same password twice. Some sites will make you not use the last five passwords. So, think of a few!
- Choose something easy to remember and never leave a password hint out in the open or make it publicly available for hackers to see. This includes leaving your password out on a sticky note on your desk or workspace.
- Reset your password when you forget it. But, change it once per year as a general refresh. (Other best practices recommend changing it at least once a quarter)
- Two Factor Authentication is another way to protect data. This will add an additional layer of security to the standard method of online identification using passwords.
- Backup your data in order to be able to restore it should you have a computer crash, a virus, or become the victim of ransomware. It is recommended that data be stored 3 places. Backup data on both internal and external hard drives and at an offsite location.
- Safely dispose of old media with PII data. PII is often stored on hard drives contained in desktop computers, and laptops. Now even many copiers contain a hard drive. It is important to overwrite, magnetically erase, or physically destroy the PII stored on electronic devices that will be disposed of. If PII is contained in paper media, it should be destroyed by secure shredding.
- Use a secure wireless network and not public Wi-Fi that may be available in airports, hotels, and establishments such as Starbucks where hackers are prone to lurk and try to intercept your data.
- Use a VPN service if you must use public Wi-Fi. The VPN application will encrypt your connection to a server and allow access to a private network while sharing data remotely via a public network. The VPN protects sensitive data on your device and is similar to a firewall.
- Lock your device when you are away from it.
- Use anti-virus and anti-malware software.
In conclusion, both government and private entities are expected to manage their PII data appropriately. Every precaution should be taken to protect the data from loss, unauthorized access, or theft. Failure to properly manage PII and take appropriate security precautions can lead to data being compromised resulting in significant financial cost as well as damage to the reputation of the organization.
About the Author
Ken Bramlett is the Inspector General and Interim City Auditor for the City of Albuquerque, New Mexico. He earned his B.S. from Shorter College and his MPA from Columbus State University and is a graduate of the FBI National Academy, 162nd Session and Georgia Law Enforcement Command College. Ken was selected for the 10th delegation of the Georgia International Law Enforcement Exchange to the State of Israel and is also a Certified Fraud Examiner, Certified Inspector General, Certified Inspector General Inspector/Evaluator and a Certified Board Adviser.
1 25 Tips for Protecting PII and Sensitive Data - Ciphercipher.com › blog.