Part 3 - Personally Identifiable Information (PII)



Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Description

This lesson covers personally identifiable information (PII). This term encompasses any combination of information that identifies an individual and can include but is not limited to:

· First and last name
· Address and phone number
· Full Social Security Number
· Unique biometric data (e.g., a fingerprint)
· E-mail address

Should a data breach occur, there are two types of notices to let people know what has happened:

· Individual notice: notice to people via e-mail, phone or writing
· Media notice: notify the media if it is believed more than 5,000 people were affected

Video Transcription
>> Shifting focus away from the search warrant requirements and the requirements to search computer systems, we go into other legal aspects and the definition of personally identifiable information. This is going to come into play for data breaches and for information that might be exposed where an organization would not want that exposed. This is a legal definition of what constitutes personally identifiable information for the United States. If you're working in some other type of jurisdiction, particularly across the seas outside of the United States, then this more than likely will not apply to you.

Sensitive personally identifiable information is any information or compilation of information in electronic digital form that includes any of the following. Number 1, you have an individual's first and last name or first initial and last name, in combination with any two of the following data elements: their home address, home telephone number, mother's maiden name, and month, day, and year of birth. Again, it has to be that first part of that sentence, their first and last name, and a combination of A, B, or C in order to constitute personally identifiable information.

Number 2 would be a non-truncated social security number, so that's going to be all the digits of your social, a driver's license number, a passport number, an alien registration number, the A-number as it's often referred to, or other government-issued unique identification numbers; that could be a DOD identification number, >> for instance.

>> Number 3 is going to be unique biometric data such as a fingerprint, voice print, retina or iris image, or any other unique physical representation. Number 4 is going to be a unique account identifier, including a financial account number or a credit or debit card number, electronic identification number, user name, or routing code. Number 5, you'll have a user name or electronic mail address in combination with the password or security question and answer that would permit access >> to an online account.

>> This is number 6, which combines a lot of these elements: any combination of the following data elements. An individual's first and last name or a first initial and last name; a unique account identifier, including a financial account number or a credit card number, electronic identification, user name, or routing code; or any security code, access code, or password, or source code that could be used to generate such codes or passwords. Those are some of the basic elements that constitute personally identifiable information.

The reason that you need to know that is when you do, or if you do, suffer a data breach, the type of information that's exposed will warrant your response of how you're supposed to notify your customers of that breach. Now that we have an understanding of what personally identifiable information is, at least as defined at the federal level, we can start looking at some of the notification requirements and what is required, or how you're supposed to notify individuals if there is a data breach.

Essentially, there's two types of notice; you have an individual notice and you have a media notice. For individual notice, notice to individuals can be accomplished by one of the following means. You'd have three means of an individual notice. You have written notification to the last known home mailing address of the individual in the records of the business entity. For the second method, you'd have telephone notice to the individual personally. The last one is you're going to have the email notice. The email notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act. You'll have to go in and look at that Act if you're going to consider notifying customers of a potential data breach according to that specific Act.

The next one you're going to have is media notice. A media notice, if the number of residents of the state whose sensitive personally identifiable information was or is reasonably believed to have been accessed or acquired by an unauthorized person exceeds 5,000, notice to media reasonably calculated to reach such individuals, such as major media outlets serving the state or jurisdiction. What is wrapped up in that is that the individuals have to be isolated to one state and the number of them has to exceed 5,000. On top of that, you're having to put notices in a very major media outlet serving that particular state or jurisdiction. Obviously, you can't find the smallest newspaper or the smallest radio station in the state and expect to reach >> every person within that state.

>> Again, I would seek legal counsel's advice if you are considering doing any of these, but it just provides a broad overview of what is generally expected.

Going forward, we look at the national data breach notification standard. This standard essentially provides that any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify all individuals whose sensitive personally identifiable information has been or is reasonably believed to have been accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual. There's a lot wrapped up in that statement, but essentially, very large businesses that are dealing with 10,000 or more individuals in that 12-month period are required to essentially notify those individuals if they believe their data has been exposed.

Now there are exceptions to this national data breach standard, and those are generally reserved for Law Enforcement and National Security concerns. More than likely what will happen is that in certain cases, the organization will actually be contacted by Law Enforcement and National Security elements to not notify customers, and that goes back to our previous topic of operational security. Just as incident responders, we want to maintain operational security >> to not notify the attackers that we're >> investigating them within our networks. Law Enforcement and National Security individuals would also want to maintain >> operational security, >> so they may contact your business. Now that being said, you as a business owner or as an incident responder don't have the authority to make that call. Again, that would have to be at the direction of Law Enforcement and National Security elements.

Then, in order to determine if we're going back to the last part of that statement, "is reasonably believed to have been accessed or acquired unless there's no reasonable risk of harm or fraud," a risk assessment has to be conducted by or on behalf of the business entity and concluded that there is no reasonable risk that a security breach has resulted in >> or will result in harm. >> The harm to individuals >> whose sensitive personally identifiable information was subject to the security breach. Again, a lot of words in that. Basically, it's summarized as: the business has conducted that risk assessment. However you're going to do it, you'd have to look and analyze that data and come to that determination that you do not believe that the individuals whose information is exposed will come to any reasonable harm. However, if you're doing that and you mess that up, you might actually be in violation of the law, >> and you can subject yourself to further scrutiny >> and/or action by the government. Again, it's very important to seek legal counsel when or if you're going to decide to do that risk assessment and not notify individuals. You want to make sure that you're doing that correctly and above board.