What is information transmitted without encryption that includes information collected from public records?

Sensitive Data Best Practices

What is Sensitive Data?

Students, faculty, and staff interact with data on a daily basis. It is important to understand that not all data can be treated equally in terms of how we store, share, and dispose of it. LSU categorizes data in three ways:

  • Confidential Data is the most sensitive classification and LSU students, faculty and staff are required by law to protect it. Examples of confidential data include:
    • Social Security Numbers
    • Credit Card Numbers
    • Health Records
    • Financial Records
    • Student Records
  • Private Data is not considered confidential, but reasonable effort should be made so that it does not become readily available to the public. Examples of private data include:
    • Research Data
    • Personal Contact Data
    • Proprietary information
    • LSU ID (i.e. 89 number)
  • Public Data is suitable for public consumption and protection of the data is at the discretion of the owner. Examples of public data include:
    • Public budget data
    • Employee contact data
    • Departmental Websites 

How can I protect Sensitive Data?

Encryption is the most effective way to protect your data from unauthorized access. Encryption can be defined as transforming the data into an alternative format that can only be read by a person with access to a decryption key. 

There are various resources available to encrypt data that you store on your machine. Some readily available options include BitLocker on the Microsoft Windows platform and FileVault for Mac OS X. More information can be found in the following article: https://grok.lsu.edu/Article.aspx?articleid=6983.

If you are transmitting sensitive data, you must use an encrypted communication channel. For web based transmission, always ensure that the web site is protected by SSL. For FTP transmissions, make sure you are using a secured variety of the protocol (i.e. SFTP or FTPS). Another convenient option at LSU is FilestoGeaux, which is a web based service that allows LSU users to upload files they want to share to a secure LSU web server. 

How should I dispose of sensitive data?

Eventually it may become necessary to dispose of data or devices containing LSU data. When doing so, remember the following:

  • Disposing of media (disks, tapes, hard drives) that contain confidential information must be done in a manner that protects the confidentiality of the information. ITSP recommends DBAN.
  • Shred paper based media with confidential data when it is no longer needed. Do not discard confidential information in the trash. 
  • Do not take confidential information off campus unless it is encrypted. 

Additional Guidelines

Here are some additional things to consider when dealing with LSU data:

  • Do not transmit confidential data via wireless technology, email, or the Internet unless the connection is secure, or the information is encrypted.
  • Password protect all confidential data, and accounts with access to confidential data.
  • Do not share passwords, and do not write passwords down.
  • Do not store unencrypted confidential information on PDA, laptop computer/desktop computer's hard drive, USB drive, CD, flash memory card, floppy drive, or other storage media. 
  • Eliminate the use of forms that ask for confidential information whenever possible.
  • Do not store confidential information obtained from LSU systems on media or other systems unless required by the University or by law.
  • Always lock computers, offices, desks, and files that contain confidential information when unattended. 
  • Do not publicly display confidential data, or leave confidential data unattended. 
  • Do not share confidential documents or information with anyone unless required by government regulations, specific LSU job responsibilities, or business requirements. Be prepared to say "no" when asked to provide that type of information. 
  • Do not communicate confidential information to others unless you know they are approved to handle confidential information.
  • Notify Information Technology Services (ITS) and the data steward if you suspect confidential information may have been compromised.

If you have any doubts or questions about confidential information, please reach out to ITSP at .  

Security and privacy in public cloud computing

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

OMB Memorandum Policies

PII refers to information that can be used to distinguish or trace an individual’s identity, such as their name, Social Security number, biometric records, and so on, alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, and so on [9].

PII can include the following types of information:

Name.

Social Security number.

Date and place of birth.

Mother’s maiden name.

Biometric records.

Education.

Financial transactions.

Medical history.

Criminal or employment history and information, which can be used to distinguish or trace an individual’s identity.

OMB has established a number of governing policies for federal agencies relating to PII over the years. Table 4.4 provides a list of applicable privacy-related policies that must be adhered to by federal agencies.

Table 4.4. Federal Privacy-Related Policies

| Government-wide Policy | Description |
| --- | --- |
| OMB Circular A-130, Managing Information as a Strategic Resource | This Circular establishes general policy for the planning, budgeting, governance, acquisition, and management of federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services. The appendices to this Circular also include responsibilities for protecting federal information resources and managing PII. |
| OMB Circular A-130, Managing Information as a Strategic Resource, Appendix I, Responsibilities for Protecting and Managing Federal Information Resources | This Appendix establishes minimum requirements for federal information security programs, assigns federal agency responsibilities for the security of information and information systems, and links agency information security programs and agency management control systems established in accordance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Controls. [a] |
| OMB Circular A-130, Managing Information as a Strategic Resource, Appendix II, Responsibilities for Managing Personally Identifiable Information | This Appendix outlines some of the general responsibilities for federal agencies managing information resources that involve PII and summarizes the key privacy requirements included in other sections of this Circular. The requirements included in this Appendix apply to PII in any form or medium, including paper and electronic media. |
| OMB Memorandum 99–18, Privacy Policies on Federal Web Sites | This memorandum directs departments and agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so. |
| OMB Memorandum 03–22, OMB Guidance for Implementing the Privacy Provisions | The memorandum provides guidance to federal agencies on implementing the privacy provisions of the E-Government Act of 2002. |
| OMB Memorandum 016–19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments | This memorandum provides updated guidance on the reporting of security incidents involving personally identifiable information and to remind federal agencies of existing requirements, and explain new requirements federal agencies will need to provide addressing security and privacy. |
| OMB Memorandum 07–16, Safeguarding Against and Responding to the Breach of PII | The memorandum reemphasizes federal agency responsibilities under existing law, executive orders, regulations, and policy to appropriately safeguard personally identifiable information and train federal agency employees on responsibilities in this area. It also establishes additional privacy and security requirements. |
| OMB Memorandum 10–23, Guidance for Agency Use of Third-Party Websites | This memorandum requires federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public. |
| OMB Memorandum 15–01, Fiscal Year 2014–2015 Guidance on Improving Federal Information Security and Privacy Management Practices | This memorandum included updates and expands the scope of M-06–19 and M-07–16 and requires Federal agencies to notify DHS US-CERT of all cyber related (electronic) incidents with confirmed loss of confidentiality, integrity or availability within one hour of reaching the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or IT department. |
| OMB Memorandum 16–03, Fiscal Year 2015–2016 Guidance on Federal Information Security and Privacy Management Requirements | This memorandum included a definition and framework for assessing whether an incident is “major” required by the Federal Information Security Modernization Act of 2014. FISMA 2014 requires OMB to define a major incident and directs agencies to report incidents designated as “major” to Congress within seven (7) days. This reporting should follow a process that takes into account the sensitivity of breach details and the classification level of the notification. |

[a] OMB Memorandum 16–17, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.

URL: https://www.sciencedirect.com/science/article/pii/B9780128097106000044

Teamwork Prep for Data Management

Ann D. Zeigler, Ernesto F. Rojas, in Preserving Electronic Evidence for Trial, 2016

Personally Identifiable Information (PII) Restrictions

“Personally identifiable information” (PII) includes, for example, birth dates, names of under-age individuals, addresses, passport numbers, health care information, social security/medicare numbers, driver’s license numbers, bank account numbers, and similar personal information. As a quick rule of thumb, if you think it probably has value to identity thieves, it should be treated as PII.

If information relevant to the case contains PII as defined by federal law and regulations, or other personal information, these particular elements of the information must be protected from disclosure. Unless required by a specific court order, all PII must be taken out of the ESI before it is produced to opposing parties.

All federal trial courts have standing orders that require PII to be blocked in all documents filed with the court, because the information in those documents becomes a public record. The courts also restrict use of documents as evidence offered in court unless all PII has been redacted (covered up) or otherwise blocked.

We note in passing that some software programs that purport to redact or otherwise conceal PII in electronic documents are ineffective, for the simple reason that the person viewing the document can use many common word-processing programs to cancel the blocking instruction. Be warned.

Even worse, in this author’s experience in forensic examination of digital evidence, I have from time to time received ESI containing medical records, social security numbers, drivers’ licenses, and other personal information from the opposing party’s business records, when that content was not requested nor required to resolve the case. It was clear to me that the personal information was produced due to improper processing techniques by less than competent forensic consultants and/or IT personnel ignorant about that requirement.

It is important that the work of forensic consultants be reviewed by the attorneys before producing it to the opposing party, on a sampling basis at a minimum, to be sure that industry and regulatory guidelines and federal law are not violated in the production of ESI.
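The warning above about redaction that only conceals, and the advice to check a production before it goes out, shown as an added example (not from the book excerpt). It assumes plain-text or HTML-like content and detects only two PII types; the function names, the `blackout` markup and the sample record are constructed for illustration.

```python
import re

# Two PII types the page lists; a real production needs many more detectors.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_pii(text):
    """Return sorted (start, end, kind) spans for every detected value."""
    hits = [(m.start(), m.end(), "SSN") for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append((m.start(), m.end(), "CARD"))
    return sorted(hits)


def _rewrite(text, render):
    """Rebuild text, passing each detected value through render(value, kind)."""
    out, pos = [], 0
    for start, end, kind in find_pii(text):
        if start < pos:  # skip a span that overlaps one already handled
            continue
        out.append(text[pos:start])
        out.append(render(text[start:end], kind))
        pos = end
    out.append(text[pos:])
    return "".join(out)


def cover_only(text):
    """Ineffective: hides the value on screen but leaves its characters in the file."""
    return _rewrite(text, lambda value, kind: f'<span class="blackout">{value}</span>')


def redact(text):
    """Effective: the value itself is replaced, so nothing remains to uncover."""
    return _rewrite(text, lambda value, kind: f"[REDACTED-{kind}]")


def safe_to_produce(text):
    """Pre-production check: re-scan the output instead of trusting the tool."""
    return not find_pii(text)


# Constructed sample record; the SSN is made up and the card is a test number.
SAMPLE = ("Patient J. Doe, SSN 123-45-6789, paid with card 4111 1111 1111 1111. "
          "Invoice ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    for label, doc in (("covered", cover_only(SAMPLE)), ("redacted", redact(SAMPLE))):
        print(label, "safe" if safe_to_produce(doc) else "STILL CONTAINS PII", doc)
```

The invoice reference is left alone because it fails the Luhn check, which keeps the scan from flagging every long digit run.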

URL: https://www.sciencedirect.com/science/article/pii/B9780128093351000075

Application Data in the Cloud

Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

2.1.3.3 Personally Identifiable Information (PII)

The term PII, as defined in OMB Memorandum M-07-16, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.

(GSA, 2015)

URL: https://www.sciencedirect.com/science/article/pii/B9780128029305000022

Security and Privacy in LTE-based Public Safety Network

Hamidreza Ghafghazi, ... Carlisle Adams, in Wireless Public Safety Networks 2, 2016

11.3.2.2.1 Personally identifiable information

Many countries have defined PII and have set rules and regulations to determine how PII should be treated. In the Privacy Act (PRIact), for instance, personal information is defined as “information about an identifiable individual that is recorded in any form”. Similarly, in the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information is defined as “information about an identifiable individual”. This definition is a little bit more general since the information does not need to be recorded to be considered PII. Finally, in the technology environment, PII is defined as “any piece of information which can potentially be used to uniquely identify, contact or locate a single person”.

URL: https://www.sciencedirect.com/science/article/pii/B9781785480522500116

Compliance

Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

There are a number of state and federal laws and regulations that must be considered when moving data to the cloud. What laws apply depends on the type of business and the type of data that the business collects, stores, and maintains. The majority of these laws focus on the protection of personally identifiable information (PII).

The National Institute of Science and Technology (NIST) defines PII as, “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” (NIST, 2015).

Note that this definition uses the word “agency” and is intended primarily for US federal government agencies, but other organizations may find the definition useful.

Examples of PII include, but are not limited to:

Name, such as full name, maiden name, mother’s maiden name, or alias

Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, or financial account or credit card number

Address information, such as street address or email address

Personal characteristics, including a photographic image (especially of the face or other identifying characteristics), fingerprints, handwriting, or biometric data (e.g., retina scan, voice signature, facial geometry)

Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

The US federal government has enacted a number of laws that regulate the collection, transmittal, storage, and maintenance of PII. Many states have also enacted state laws that impact storage and use of PII. While these laws focus mainly on specific business sectors, such as the healthcare and financial industries, services provided by cloud storage providers must adhere to the same laws and regulations as the businesses that use them for storage of PII.

This section will focus on four US federal laws that govern or impact data storage in the cloud. These include:

HIPAA – The Health Insurance Portability and Accountability Act of 1996 establishes federal standards for protecting patients’ health information. Entities that have access to medical data are required to protect the privacy of patient information by adhering to prescribed guidelines.

Dodd-Frank – The purpose of the Dodd-Frank Wall Street Reform and Consumer Protection Act is to “promote the financial stability of the United States by improving accountability and transparency in the financial system, to end ‘too big to fail’, to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes” (Dodd-Frank, 2010). To achieve these goals, organizations must collect, store, maintain, and provide search capabilities for all communication records relating to transactions.

GLBA – The Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, requires financial institutions to establish standards for protecting the security and confidentiality of customer non-public personal information.

SOX – The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was established to regulate the financial practices of US public companies to protect against fraud. Part of the SOX Act directly affects data storage that includes the preservation and accuracy of electronic records, the recommended retention period for record storage, and the types of business records that SOX rules apply to, which includes all communications.

URL: https://www.sciencedirect.com/science/article/pii/B9780128029305000046

The Government Gets Involved

Kelly C. Bourne, in Application Administrators Handbook, 2014

22.5 Protecting Personally Identifiable Information

Personally Identifiable Information (PII) is information that can be used to uniquely identify an individual. If a criminal obtains the personally identifiable information of someone it makes stealing their identity a very real possibility. For this reason, there are laws regulating the types of protection that organizations must provide for it. The laws on protecting PII vary from country to country. If your organization does business in multiple countries, you should know the rules for each of them.

Examples of information that constitute PII include:

An individual’s full name, if that name isn’t common

A national identity number in countries where such numbers are issued

In the United States a Social Security Number

Passport number

A driver’s license number

Credit card numbers

Date of birth

Birthplace

Biometric information such as fingerprints, iris scans, and facial geometry

Home and personal cell telephone numbers

Mother’s middle and maiden names

Military records

Some common industry recommendations for how PII should be secured include:

If PII is stored on workstations or mobile devices it must be encrypted using a FIPS 140-2 certified encryption module

PII stored electronically should only be accessible with access controls like User IDs and passwords

PII stored on network drives or databases should be available on a need-to-know basis

When extracts are created from PII databases, the activity should be logged including the creator, date, and the type of information extracted

PII transmitted over the Internet must be encrypted

PII that is transmitted by e-mail needs to be encrypted

Questions regarding PII that an Application Administrator should be able to answer include:

Does the application you’re supporting include PII?

Are you adhering to industry best practices to protect personally identifiable information?

What do you have to do to prove that you’re following industry best practices?

Have the application and/or your processes been audited?

Is your data encrypted?

If so where is it encrypted? On the disk, in-flight or both?

What type of encryption is being used, for example, DES, 3DES, AES, RSA?

How many bits are used in the encryption algorithm?

How are the encryption keys managed?

Are your backup tapes encrypted?

Do you audit the security of your contractors?

Do you audit the security of firms that work is outsourced to?

Do you audit the security of your offsite storage vendor?

URL: https://www.sciencedirect.com/science/article/pii/B9780123985453000224

Domain 9

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Privacy Act of 1974

All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of U.S. citizens’ data that is being used by the federal government. The Privacy Act defined guidelines regarding how U.S. citizens’ personally identifiable information would be used, collected, and distributed. An additional protection was that the Privacy Act provides individuals with access to the data being maintained that is relative to them, with some national security-oriented exceptions.

Note

The recent developments of breach notification laws are associated with personal data privacy concerns. The push for mandatory notification of persons whose personal data has been, or is likely to have been, compromised started with state laws. There are currently close to 40 states that have passed breach notification laws, though they can differ markedly. At the time of the writing of this book, there was no federal breach notification legislation, but there have been several bills proposed over time in both the U.S. House and Senate. Additional details about breach notification laws will be discussed later in the chapter in the U.S. Breach Notification section of important laws and regulations.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000108

Domain 10

Eric Conrad, in Eleventh Hour CISSP, 2011

Privacy

One of the unfortunate side effects of the explosion of information systems over the past few decades is the loss of privacy. As more and more data about individuals is used and stored by information systems, the likelihood of it being inadvertently disclosed, sold to a third party, or intentionally compromised by a malicious insider or third party increases.

Privacy Act of 1974

All governments have a wealth of personally identifiable information about their citizens. The Privacy Act of 1974 was created to codify protections of U.S. citizens' data that is used by the federal government. It defines guidelines regarding how citizens' personally identifiable information can be used, collected, and distributed. An additional protection allows individuals to have access to the data related to them, limited only by some national security-oriented exceptions.

European Union privacy

The European Union has taken an aggressive pro-privacy stance while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. Therefore, the EU Data Protection Directive allows the free flow of information tempered by consistent protections of the data belonging to the citizens of each member nation.

Fast Facts

The principles of the EU Data Protection Directive are

Notifying individuals regarding how their personal data is collected and used

Allowing individuals to opt out of sharing their personal data with third parties

Requiring individuals to opt in to sharing their most sensitive personal data

Providing reasonable protections for personal data

OECD privacy guidelines

The Organization for Economic Cooperation and Development (OECD), although often considered exclusively European, consists of 30 member nations from throughout the world. In addition to prominent European countries, those members include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD is a forum for discussion of issues that impact the global economy. It routinely issues consensus recommendations that can serve as an impetus to changes in current policy and legislation in the OECD member countries and beyond.

EU-U.S. safe harbor

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries beyond the EU unless the receiving country is perceived by the EU to have adequate data protection laws. This presents a challenge regarding the sharing of data with the United States, which is perceived to have less stringent privacy protections. To resolve this issue, the United States and the European Union created the safe harbor framework to give U.S. organizations the benefit of authorized data sharing. To be part of the Safe Harbor, U.S. organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495660000102

Operational Activities

Kelly C. Bourne, in Application Administrators Handbook, 2014

14.1.1.5 Encryption

If your data contains PII (Personally Identifiable Information), then the backup media should be encrypted. This is especially true if it is being stored off-site. There are regular stories in the trade press about backup tapes that get misplaced. If they aren’t encrypted, then any data on them is readily available to whoever found, or stole, the media.

What form of encryption is being used? Is it strong enough to keep the bad guys at bay? The field of security and encryption is changing on a daily basis. Any guidelines that I could write today will be outdated before this book hits the shelf. Your best course of action is to consult with experts regarding what encryption algorithm and key size should be chosen and deployed.

URL: https://www.sciencedirect.com/science/article/pii/B9780123985453000145

Privacy

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Information Management

The Privacy Act requires agencies to safeguard personally identifiable information contained in systems of record against threats to confidentiality and integrity. The law refers generally to “appropriate administrative, technical, and physical safeguards” [40], all of which can be addressed using the reference set of security controls contained in Special Publication 800-53 [23]. With respect to the integrity of PII contained in agency systems of records, the language in the Privacy Act focuses on the correctness or validity of the information, which should be accurate, complete, current, and relevant to the purposes for which the information was collected and will be used [51]. It is important for system owners and information system security officers to identify and incorporate privacy protection requirements and objectives during the process of selecting appropriate security controls for the system, as agencies can be held accountable for failing to comply with the provisions of the Privacy Act due to insufficient or ineffective security controls to protect privacy [52].

URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000163

What is information transmitted with encryption?

Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.

Is press release data sensitive information?

A: A press release is not considered sensitive or classified data.

What includes any data that could potentially identify a specific individual?

Personally identifiable information (PII) refers to any information that could potentially identify a specific individual (or enable someone to contact that individual). It includes 'linked' information such as an individual's name, home address, email address, government-issued ID number, etc.

What is the process of extracting large amounts of data from a website and saving it to a spreadsheet or computer?

Web scraping is an automatic method to obtain large amounts of data from websites. Most of this data is unstructured data in an HTML format which is then converted into structured data in a spreadsheet or a database so that it can be used in various applications.