All right. So let's pick up with our next topic, and our next topic is a discussion of PII: personally identifiable information. You've probably heard that acronym. That's what it means, personally identifiable information, and I'm gonna use the acronym probably most of this next lecture.
So when we talk about personally identifiable information, what is it and what's its significance?
Well, you know, we have to look at the environment which we're in currently. We're not necessarily at the pinnacle of privacy these days. We have a lot of different media tools that are out there, social media. You know, I'm sure everybody's familiar with Facebook and Twitter and many of the others that are really designed to share information. But what I want to talk about today is information that should not be shared.
And again, that's your personally identifiable information. And usually what you can think of, um, if you just want a quick answer for what PII is, think about if you call your bank or your credit card company. Think about some of the information that they ask you to verify your account. Okay? So, Miss Hanrahan, can I have your name? What's your address? Ah, what are the last four digits of your Social Security number? What's your mother's maiden name? So those are some ideas, and many others, that could be used as personally identifiable information. You know, the official definition of that is something that can be used to uniquely identify an individual or lead to the ability to contact that individual.
And, uh, you know, the big thing is, that's information that we frequently use to gain access to other information, like my credit card information, bank transfers, healthcare information. So even though this chapter focuses on being aware of that in the workplace, please take it from me, it is equally important that you keep that information of your own private as well when you're accessing social media sites or any type of online activity. Or it doesn't even have to be online activity, just being very, very cautious about the information that we put out there and we disclose to others.
All right, so like I said, several different things are part of that: biometric information. You know, a lot of health care agencies, or a lot of health clubs rather, are asking for thumbprints when you sign up for their gym because people are sharing badges, white card badges. That biometric information is also personally identifiable information. And that's a big one. We've gotta be very careful about biometric information that we're turning over.
Other things you may not think about: vehicle registration number. That's significant. That's particular to your vehicle, as well as your vehicle license number. Uh, anything that will uniquely identify me. And as you'll notice, okay, so, data that can identify a unique individual. But check out the second option here: aggregation. So it's not just a single piece of information; can that be joined with something else? So just because you know my first name doesn't necessarily mean that you can lead to contact me or impersonate me. But if you take my name and, of course, my Social Security number, now that's really significant. So bringing multiple pieces of PII together can certainly lead to a huge threat. We refer to that as aggregation, which simply means adding together.
All right, so why do we care? Well, there are a lot of reasons we care about PII. Ah, first of all, because we have to, and we have to because the law says so, depending on the type of business or the type of work that you do. There are numerous regulations that dictate how we have to care for and protect PII.
So I have listed out just a couple of the types of, ah, standards that are out there: the Payment Card Industry. And if you think about that, of course I want my personally identifiable information protected by my credit card company, and we're all aware that credit card fraud is huge today. If you've ever gotten a call or a message from your bank saying your card's been compromised, they're going to send you a new card. And if you haven't yet, you will; just hold tight, because that's something that's very, very common today. Ah, that's because PII information, which would include your credit card number, has been disclosed. Ah, the European Data Directive. One of the things that, if you've traveled abroad, you'll find out is in the European Union they have stricter standards to protect privacy information than we do here in the States. You know, they've had the RFID chips on the credit cards long before we did, and passports and so on. So the European Data Directive is a very specific set of rules about the privacy of public information. You may be familiar with the Safe Harbor laws, which are not on here, but the Safe Harbor laws address businesses here in the States doing business in the European Union and the different set of standards that we have to go through to protect European Union citizens', uh, privacy and their information.
HIPAA. I'm sure most people are familiar with HIPAA, protecting the privacy of health care information, and along with that, a newer law, the HITECH Act. And basically the difference is HIPAA is directed at health care providers. So if I'm a physician's office, or if I'm an insurance company that has direct access to patient information, I have to, of course, protect that patient information. So maybe I decide that in my office I don't have the capabilities of being HIPAA compliant, so I decide to outsource that to another company, have a business associate. Well, that company that I outsource the processing of that health care information to is also liable under the HITECH Act. So, uh, what we'll continue to see, and there's the Criminal Justice and Immigration Act, and also there are many other security regulations that address this. But the bottom line is, as more and more compromises continue to happen, laws pop up, get approved, different regulations, standards within the industry. So personally identifiable information, we're legally obligated to protect that. So one of the first steps, what do we do? Well, first of all, you have to think about who has access to personally identifiable information. We start there and we look at what's our PII, then who can access it?
We want to put controls in place to make sure this information isn't being copied, it isn't being saved, it isn't being exported. As a matter of fact, you may have heard of various data breaches, several companies. Target was compromised, Home Depot, just to name a few. There are many others, and there's no real intent in singling those out other than that's been somewhat recently in the news. But the idea is, uh, when you see a company lose five million credit cards or 70 million credit card numbers, we have to make sure we have tools in place that are monitoring the exfiltration of this type of data.
We as end users have to be very, very conscious about disclosing this information to anyone on the phone, certainly, or in person. Is it necessary that we store this, and how do we protect it? Personally identifiable information should be password protected at the very least, but we have to make sure that we, as guardians of this information, adhere to some of those guidelines and some of those rules. And again, this is relevant to us in the business. It's also relevant to us as individual users. 7% of people 16 years or older were victims of identity theft back in 2012. This number continues to grow, continues to grow, continues to grow.
As a matter of fact, I had a good friend who was on an airline, on an airplane, sitting on the tarmac in Atlanta, Georgia, and the plane was delayed, was delayed, and two federal marshals came and escorted her off the plane. And after about 13 hours of rigorous questioning, which, you could imagine, is delightful, it was determined that there had been a tremendous amount of fraudulent purchases. Basically, she was a victim of identity theft, and, uh, that was somewhere around 11 years ago, and she's still suffering issues with that identity theft. And huge hits to your credit, those aren't things that go away. Everybody kind of feels like, well, it's after seven years, everything's fine. Not the case. There are still many issues. The bright side of that was she did get to testify in Congress and actually got to meet the president. So, you know, you kind of weigh your pros and cons. 15 years of bad credit, meet the president. Sometimes it's a trade-off, all right? I guess it depends on who the president is at the time. All right, so the majority of identity theft incidents involved the use of account information, credit card information, bank information. And let me tell you, as for social engineering, we have a whole chapter that's devoted to social engineering.
In a quick nutshell, social engineering is a means of me impersonating a legitimate source or a legitimate entity. So I'm gonna call you and say, hey, I have a business need for your password, can you give that to me over the phone? Or, you know, I think your credit card has been compromised, what's that number again? So that's social engineering. And basically, when we see here 85% of identity theft stands around the compromise of this information, a lot of that comes from social engineering. So we have to be very, very careful about the information that we disclose. And like I said, we'll talk about this in another chapter. But not all of these attacks are technical. As a matter of fact, most of the attacks that you're seeing today, and if you watch the news, the news media, it's very hard to miss these compromises, most of them originate with some form of social engineering.
All right, so victims who had personal information, ah, used to open a new account for fraudulent purposes were more likely than victims of existing account fraud. All right, so basically what happened, and this also happened to my friend, is because the individual had certain identifying characteristics, she was able to go out and open up a new account. Uh, what was good about that, or what was helpful to the criminal, essentially, because that's what she was, um, was she could send bills to her address. Everything came, and my friend had no idea all this was going on. So she was using her information to create brand new accounts. Even took out a mortgage in my friend's name. That's heavy duty. I feel like you gotta have a lot of chutzpah to take out a mortgage in someone else's name. But again, I guess if you're not paying the bills and you got a lot going on,
um, I cannot stress enough. Now, I think most of us know if somebody calls and says, hey, what's your Social Security number, we know not to give that. But these criminals are very, very sneaky. The Today Show hired a private investigator firm, and what they did is they set up a little kiosk at the mall, and the kiosk had big signs that said, free no-interest credit card, college students. Now, why college students? Think about that for a second. So first of all, you figure out, you know, these are younger folks, maybe don't have a lot of experience out in the workforce, out in the world, so to speak, but also they haven't really had time to mess up their credit yet, for most of them. So in one single day they collected over 100 applicants for their credit card that didn't exist. And you think about when you apply for a credit card, the information you give. It's all PII: give me your name, give me your Social Security number, give me your address and phone number, what accounts do you currently have open, what's your banking information? And what I found to be most interesting was after, um, essentially after they pulled these folks aside and said, look, didn't you feel a little strange about giving this information just because somebody has a kiosk set up in the mall? Most of those college students said, yeah, I felt a little weird about it, but the people there were so nice. You know, that's the art of social engineering.
All right? Ah, 14% of identity theft victims experienced out-of-pocket losses of a dollar or more. I can guarantee you it's fairly significantly more than a dollar. Think about this. You know, we all kind of take comfort: well, if our credit card number gets stolen, then our bank will take care of that. All right, that's true. But over what course of time, and how long, and what are the requirements? Because, you know, our banks have suffered tens, hundreds of millions of dollars in losses due to identity theft. So there are some requirements. If your card was stolen, you have to have reported it within a certain time frame, and there's some requirements there. And of course, they'll do a thorough investigation. But also think about, if I use my debit card and my debit card gets compromised, let's say that I had $8,000 in my bank and somebody went on a shopping spree and spent $7,999. My bank isn't gonna repopulate my checking account, right? That money is gone to me, at least for a period of time. Now, the bank does their investigation, three months later, and determines I was a true victim. They may restore that money to my account, but nothing happens in the interim while that investigation is going on, unless your bank commits to do that, right? So we have to really think about when we use our debit card versus when we use our credit card from the realm of identity theft. And let me tell you,
we are very, very callous about credit cards. You know, I'll hand my credit card to a server at a restaurant. He goes away behind a door, comes back 10 minutes later with the receipt. But what's he done with that? Um, it hasn't been all that long ago here in the States when credit cards were taken with that carbon copy of them, and what happened with the carbon? Went straight in the trash. And even though secure locations might tear it in half, that's no sort of deterrence. Ah, we leave receipts. And also another thing that hasn't been all that long ago is we're now only displaying the last four digits of our credit card number on receipts. Used to be the full credit card number was displayed on receipts. So we have to think about how our credit card information is being displayed. Over half of identity theft victims who were able to resolve it did so in a very short period of time. If you weren't able to resolve it in a quick period, if it wasn't a quick call to the bank where they halted your credit card, refunded your money, sent you a new card, if it was something that required investigations, there was a lot greater chance for loss on the end of individuals. So all this information comes from the National Criminal Justice Reporting System. I've provided the link for you down below if you just want to follow up. This is what I refer to as fun trivia for parties.
So why do we care again? Social engineering, and I have talked about this, and like I said, you're going to see a full chapter on social engineering because it is such a tremendous threat today. We need to be skeptical. We don't trust anyone. We require users to authenticate in multiple ways, and we are very hesitant to give out significant information. Legal compliance: again, I can be held negligent under law if I disclose health care information. Uh, we're going to see a tremendous amount of lawsuits, and we've already seen a tremendous amount of lawsuits for HIPAA violations, and health care information is something that the industry is very concerned with protecting, and they really crack down on violations. Also, one of the things you'll notice is I don't have a ton of federal laws up here. The federal government has been somewhat reluctant, although they have, ah, some federal privacy guidelines, a few things like that. But they've been very reluctant at a federal level to mandate privacy. So individual states have come forward. California's been a real leader in requiring certain elements of privacy information to be protected according to certain ways. And then, of course, certain industries.
So what are our best practices? And one of the things you may get tired of hearing me saying throughout this series is: follow your company's policy. There is a reason policy is in place, and every organization's company policy is driven by their particular needs in their particular industry. If I work in the training profession, my company's policy is gonna be different than your company's policy if you're in a health care provider. Look to your organization's best practices. If you're managing personally identifiable information, I'll guarantee you there's something in writing that will dictate how you should protect it. Know that information and follow it. That's always gonna be best case. When in doubt, refer the query to a supervisor or someone on your security team. So maybe I'm really being pressed to release some information. You know, another thing I would add to this is trust your instincts. You know, somebody's really pushing, I don't feel like this is information they should have, but they're really urgent about it, and they really need it. Nobody should put you in a position to violate company policy. Should not happen. Nobody legitimate. So if that's the case, there is always time to stop and check with the supervisor, stop and check with your IT security team. Um, I hate to say defer blame, but my philosophy is I never want to be the highest ranking official to make a bad decision. So what I will tell you is refer to someone else. If you're in doubt, check with security, check with your supervisor, and let them make that decision. So again, social engineering really being one of the main elements,
PII can relate to social engineering in a couple of different ways. First of all, I could be a social engineer to get you to disclose PII. But then, once you've disclosed PII to me, now I can socially engineer that information, maybe to get someone's bank records or bank access or conduct a financial transfer, whatever. So I can use social engineering to gain personally identifiable information; I can also use it to exploit. And the more I know as a social engineer, the more legitimate I appear. So that's certainly beneficial.
Follow best policy rules of authentication. Authentication means you need to prove you are who you say you are, which is why, when I call up to cancel my cable account or to enroll for a new cable account or a new credit card or whatever, they're gonna request that I answer them a series of security questions. Like I said, in many instances the fraud happens by creating new accounts. So before I'm going to give you a credit card, before I'm gonna allow you to set up an account for utilities or whatever, I'm gonna ask a series of PII questions. Once again, if an attacker has that, they will impersonate someone else.
How? How can I be safe? Well, before you ever release information, get the highest degree of assurance that you're talking to a legitimate party. Don't take people's word. A lot of this particular security class revolves around being a skeptic. Trust no one.
All right, don't leave your information on your workspace. If I've got health care information, maybe I work for an insurance company and I have a patient's medical history. Before I leave my work desk, I'm gonna clean up the workstation, and I'm gonna put that personally identifiable information away. We refer to that as a clean desk policy, and we should follow that with personally identifiable information. And, if possible, don't send this information across the Internet or across your network unsecured. Use your encryption features with email. Make sure that any sort of file access... and you can always check with your security team: how is this information protected? Just so that you know, for peace of mind. But we don't want things transmitted across our network or the Internet in plain text, because attackers are out there looking for this information particularly.
All right, so that concludes this discussion on personally identifiable information. I hope you understand what PII is as well as its significance. Protect your information and protect your customer's and your patient's information. It's of the utmost importance.
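The lecture makes three points that a small defensive check can make concrete: identifiers like Social Security and card numbers are PII, receipts now show only the last four digits, and "aggregation" of several identifiers is what turns a minor exposure into an impersonation risk. The script below is an added example written for this page, not code from the lecture or its course. It scans a constructed text record for the identifier types the lecture names, masks each one to its last four digits the way a receipt does, and rates the record's aggregation risk by how many distinct identifier types appear together. The regular expressions, the `Finding` class, the risk thresholds and the sample record are all assumptions made for illustration; a real DLP or exfiltration monitor would use broader rules.

```python
"""Added example: PII scanner with receipt-style masking and aggregation scoring."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed patterns: US-style SSN (excluding reserved ranges), 13-19 digit
# card candidates (confirmed by the Luhn check below), US phone, and e-mail.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


@dataclass
class Finding:
    kind: str    # which PII type matched
    value: str   # the raw text as it appeared
    masked: str  # the receipt-style masked form


def luhn_ok(number: str) -> bool:
    """True if the digits pass the Luhn checksum that payment card numbers carry."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Show only the last four digits, as on a receipt; e-mails keep their domain."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    total = sum(c.isdigit() for c in value)
    seen = 0
    out = []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)  # keep separators so the shape stays recognisable
    return "".join(out)


def scan(text: str) -> list[Finding]:
    """Collect every PII match; card candidates must also pass Luhn to count."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_ok(value):
                continue  # a 16-digit order reference is not a card number
            findings.append(Finding(kind, value, mask(kind, value)))
    return findings


def redact(text: str) -> str:
    """Replace each finding with its masked form so the record can be logged safely."""
    for f in scan(text):
        text = text.replace(f.value, f.masked)
    return text


def aggregation_risk(findings: list[Finding]) -> str:
    """One identifier alone is limited; several together identify and enable impersonation."""
    kinds = {f.kind for f in findings}
    if not kinds:
        return "none"
    return "low" if len(kinds) == 1 else "high"


# Constructed sample record (fake values; 4111 1111 1111 1111 is a well-known test card number).
SAMPLE = (
    "Applicant: Jane Doe, SSN 123-45-6789, phone 555-867-5309, "
    "email jane.doe@example.com, card 4111 1111 1111 1111, "
    "order ref 4111 1111 1111 1112"
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.kind:6} {f.masked}")
    print("aggregation risk:", aggregation_risk(found))
    print(redact(SAMPLE))
```

Run as-is, the script reports four identifier types for the sample record, rates it "high" because they travel together, and prints a redacted copy in which only the last four digits of each number survive, while the Luhn-failing "order ref" is left alone. The same `scan` function is the shape of check an exfiltration monitor or outbound-mail filter applies before a message leaves the network.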