Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers personally identifiable information (PII). This term encompasses any combination of information that identifies an individual and can include but is not limited to:
· First and last name
· Address and phone number
· Full Social Security Number
· Unique biometric data (e.g., a fingerprint)
· E-mail address
Should a data breach occur, there are two types of notices to let people know what has happened:
· Individual notice: notice to people via e-mail, phone or writing
· Media notice: notify the media if it is believed more than 5,000 people were affected
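The definition the lesson walks through is really a set of combination rules (a name only counts together with certain other fields; a Social Security number only counts when it is not truncated; a user name only becomes an element-five hit when paired with a password or security answer), and the notification requirements hinge on a few thresholds. The following Python is an added example, not part of the Cybrary lesson or its course material: it encodes the six sensitive-PII elements and the notice triggers exactly as the lesson states them so the rules can be exercised against sample records. The field names, the sample records and the reading of element six as "at least two of the three groups" are assumptions made for this example; the 5,000 and 10,000 thresholds and the notice channels come from the lesson.

```python
"""
Added example (not part of the Cybrary lesson): a classifier for the six
sensitive-PII elements described in the lesson, plus a notification planner
for the thresholds and exceptions it mentions. Field names are assumptions.
"""
import re
from typing import Dict, List, Set

# Element 1: a name combined with any of these (assumed field names).
ELEMENT1_COMBINATORS: Set[str] = {"home_address", "home_phone", "mothers_maiden_name", "date_of_birth"}
# Element 2: standalone government-issued identifiers (SSN must be non-truncated).
GOV_IDENTIFIERS: Set[str] = {"ssn", "drivers_license", "passport", "alien_registration", "gov_id"}
# Element 3: unique biometric data.
BIOMETRICS: Set[str] = {"fingerprint", "voiceprint", "retina_iris_image"}
# Element 4: unique account identifiers.
ACCOUNT_IDENTIFIERS: Set[str] = {"financial_account", "credit_card", "electronic_id", "username", "routing_code"}
# Secrets that would permit account access (elements 5 and 6).
ACCESS_SECRETS: Set[str] = {"password", "security_answer", "security_code", "access_code", "source_code"}

# Thresholds and channels as stated in the lesson.
INDIVIDUAL_NOTICE_CHANNELS = ("written", "telephone", "email_with_consent")
MEDIA_NOTICE_THRESHOLD = 5000      # residents of a single state
STANDARD_SCOPE_THRESHOLD = 10000   # individuals handled in any 12-month period


def is_full_ssn(value: str) -> bool:
    """Element 2 counts only a non-truncated SSN: all nine digits, no masking."""
    return re.fullmatch(r"\d{9}", re.sub(r"[-\s]", "", value)) is not None


def has_name(present: Set[str]) -> bool:
    """First and last name, or first initial and last name."""
    return "last_name" in present and ("first_name" in present or "first_initial" in present)


def sensitive_pii_elements(record: Dict[str, str]) -> List[int]:
    """Return the lesson's element numbers (1-6) satisfied by the populated fields."""
    present = {k for k, v in record.items() if v}
    hits: List[int] = []
    if has_name(present) and present & ELEMENT1_COMBINATORS:
        hits.append(1)
    gov = present & GOV_IDENTIFIERS
    if "ssn" in gov and not is_full_ssn(record["ssn"]):
        gov.discard("ssn")  # a truncated SSN does not count
    if gov:
        hits.append(2)
    if present & BIOMETRICS:
        hits.append(3)
    if present & ACCOUNT_IDENTIFIERS:
        hits.append(4)
    if ({"username", "email"} & present) and ({"password", "security_answer"} & present):
        hits.append(5)
    # Element 6 ("any combination of the following"): read here as at least two of
    # name / unique account identifier / secret that could grant access (assumption).
    groups = [has_name(present), bool(present & ACCOUNT_IDENTIFIERS), bool(present & ACCESS_SECRETS)]
    if sum(groups) >= 2:
        hits.append(6)
    return hits


def notification_plan(affected_by_state: Dict[str, int], individuals_last_12_months: int,
                      no_reasonable_risk: bool = False, law_enforcement_hold: bool = False) -> Dict[str, object]:
    """Apply the lesson's notice rules to a breach: individual notice unless a risk
    assessment found no reasonable risk or law enforcement / national security
    has directed a hold; media notice per state with more than 5,000 residents."""
    return {
        "standard_applies": individuals_last_12_months > STANDARD_SCOPE_THRESHOLD,
        "individual_notice_required": not (no_reasonable_risk or law_enforcement_hold),
        "individual_notice_channels": INDIVIDUAL_NOTICE_CHANNELS,
        "media_notice_states": sorted(s for s, n in affected_by_state.items() if n > MEDIA_NOTICE_THRESHOLD),
        "total_affected": sum(affected_by_state.values()),
    }


if __name__ == "__main__":
    # Constructed sample records, not real data.
    samples = [
        {"first_name": "Ada", "last_name": "Example", "home_phone": "555-0100"},
        {"ssn": "***-**-6789"},
        {"ssn": "123-45-6789"},
        {"username": "ada", "password": "hunter2"},
        {"fingerprint": "<template bytes>"},
    ]
    for rec in samples:
        print(sorted(rec), "->", sensitive_pii_elements(rec))
    print(notification_plan({"TX": 6200, "OK": 300}, individuals_last_12_months=25000))
```

The classifier is deliberately strict in the places the lesson is strict: a masked SSN yields no element-two hit, and a bare name yields nothing until it is paired with an address, phone number, maiden name or date of birth. The planner only applies the thresholds; as the lesson says, the "no reasonable risk" determination itself is the output of a risk assessment, so it is passed in as a flag rather than computed here.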

Video Transcription

00:04
Kind of shifting focus away from the search warrant requirements and the requirements to
00:10
search computer systems, we go into other legal aspects, and the definition of personally identifiable information.
00:20
This is going to come into play for data breaches, for
00:26
information that might be exposed where an organization would not want that exposed.
00:32
So this is the legal definition of what constitutes personally identifiable information for the United States. If you're working in some other type of jurisdiction, particularly across the seas outside of the United States, then this more than likely will not apply.
00:52
But,
00:54
sensitive personally identifiable information is any information or compilation of information in electronic or digital form that includes any of the following. So number one,
01:06
you have an individual's first and last name, or first initial and last name,
01:10
in combination with any of the following data elements. So that's going to be
01:15
home address, home telephone number, mother's maiden name, and month, day and year of birth. So again, it has to be the first part of that sentence, their first and last name, in combination with
01:30
A, B or C
01:34
in order to constitute personally identifiable information.
01:38
So number two would be a non-truncated Social Security number; that's going to be all the digits of your Social.
01:46
A driver's license number, a passport number, an alien registration number, or other government-issued unique identification number, so that could be a DoD identification number, for instance.
02:02
Number three is going to be unique biometric data, such as a fingerprint,
02:07
voiceprint, a retina or iris image, or any other unique physical representation.
02:15
Number four is going to be a unique account identifier, including a financial account number or a credit card number, electronic identification number, user name or routing code.
02:28
Number five: you'll have a user name or electronic mail address in combination with a password or security question
02:35
and answer that would permit access to an online account.
02:38
Or there's number six, which kind of
02:42
combines a lot of these elements: any combination of the following data elements: an individual's first and last name
02:49
or first initial and last name; a unique account identifier, including a financial account number, credit card number, electronic identification number, user name or routing code;
03:00
or any security code, access code or password, or source code that could be used to generate such codes or passwords.
03:07
So those were some of the basic elements that constitute personally identifiable information, and the reason that you need to know that, when you do or if you do suffer a data breach,
03:23
is that the type of information that is exposed will warrant your response of how you're supposed to notify your customers
03:31
of that breach.
03:36
So now that we have an understanding of what personally identifiable information is, at least as it's defined at the federal level,
03:44
we can start looking at some of the notification requirements and what is required, or how they're supposed to notify individuals if there is a data breach.
03:54
So essentially there's two types of notice. You have an individual notice, and you have a media notice.
04:02
So for individual notice, notice to individuals could be accomplished by one of the following
04:08
means. You have three means of individual notice: a written notification to the last known home mailing address of the individual in the records of the business entity.
04:19
For the second method, you have telephone notice to the individual personally.
04:24
The last one is you're going to have an e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in
04:42
Global and National Commerce Act. So you'll have to go in and look at that act if you're going to consider notifying customers of a potential data breach
04:54
according to that specific act.
04:57
So the next one you're going to have is a media notice, and you need a media notice if the number of residents of a state whose sensitive personally identifiable information was or is reasonably believed to have been accessed or acquired
05:12
by an unauthorized person exceeds 5,000.
05:15
Notice to media reasonably calculated to reach such individuals, such as major media outlets serving a state jurisdiction. So,
05:25
um,
05:26
kind of what is wrapped up in that is that the individuals have to be isolated to one state
05:32
and the number of them has to exceed 5,000. And on top of that, you're having to put notices in a very major media outlet serving that particular state jurisdiction. So obviously you can't
05:46
find the smallest newspaper or the smallest radio station in the state and expect to reach every person in that state. So again, I would seek legal counsel's advice if you are considering doing any of these, but this just provides a broad overview of what
06:05
is generally expected.
06:09
So
06:11
going forward, we look at the national data breach notification standard. So this standard essentially provides that any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information
06:30
about more than 10,000 individuals during any 12-month period
06:33
shall, following the discovery of a security breach of such information, notify all individuals whose sensitive personally identifiable information has been or is reasonably believed to have been accessed or acquired, unless there is no reasonable risk of harm or fraud.
06:53
So there's a lot wrapped up in that statement, but essentially
06:57
very large businesses that are dealing with 10,000 or more individuals in that 12-month period are required to essentially notify
07:08
those individuals if they believe
07:11
their data has been exposed. Now there are exceptions to this
07:16
national data breach standard, and those are generally reserved for law enforcement or national security concerns. So
07:26
more than likely what will happen is that, in certain cases,
07:29
the organization will actually be contacted by law enforcement or national security elements to not notify customers. And that kind of goes back to our previous topic of operational security. So just as incident responders, we want to maintain operational security
07:46
and not notify the attackers
07:49
that we're investigating our networks, law enforcement and national security individuals will also want to maintain operational security,
08:01
so they may contact your business. Now, that being said, you as a business owner or incident responders don't have the authority to make that call, so again that would have to be at the direction of law enforcement or national security elements.
08:18
And then, in order to determine, if we're going back to that last part of that statement,
08:24
is reasonably believed to have been accessed
08:30
or acquired, unless there is no reasonable risk of harm or fraud,
08:35
a risk assessment has to be conducted by or on behalf of the business entity and conclude that there is no reasonable risk that the security breach has resulted in or will result in harm
08:48
to the individuals whose sensitive personally identifiable information was subject to the security breach. So again,
08:54
a lot of words
08:56
in that,
09:00
but basically summarized, that is, the business has to conduct that risk assessment. So
09:05
however you're going to do it, you have to look at and analyze that data and come to that determination that you do not believe that the individuals' information that was exposed will come to any sort of reasonable harm. However, if
09:20
you're doing that and you mess that up, you might actually be in violation of the law, and you could subject yourself to further scrutiny and/or action by the government. So again, it's very important to seek legal counsel
09:37
when or if you're going to decide to do that risk assessment and not notify individuals. You want to make sure that you're doing that correctly and above board.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor