Sensitive Information Guide: Protecting PII
Collecting personal information is a necessary function of businesses and local governments alike, which makes personally identifiable information, or PII, prevalent in any office. But how do employees prevent a reportable PII data breach?
What can be considered PII?
While each state varies slightly on what it considers sensitive information, Pennsylvania’s original definition of PII includes:
- Any identifying number, including but not limited to:
  - social security number
  - tax ID
  - driver’s license number
  - state ID card number
  - military ID number
  - passport number
- Financial account information, credit card number, or debit card number along with any security code, access code, or password permitting access to the person’s financial account
However, there have been many bills introduced to amend the definition of PII to include:
- medical information
- educational records
- income or socioeconomic information
- information regarding food purchases
- biometric data
- geolocation data
- information collected through an automated license plate recognition system
- username / email address in combination with a password or security question answer that would permit access to an online account
Certain pieces of information alone may not be considered sensitive PII. However, when they are combined with other pieces of information, they can become sensitive PII. For example, your name alone may be considered PII, but when combined with your email address or the last four of your social security number it can become sensitive PII.
What is NOT PII
Information that can be obtained via public records is not PII. Information contained within local, state, or federal records is also not considered PII.
Your PII holds enormous value to identity thieves. With the right PII, criminals can:
- Use a debit card number to steal funds
- Open a new credit card or loan
- Open a bank account to write bad checks
- Give someone else’s personal information in the event of an arrest
- Acquire a new driver’s license or ID
- And much more
Data breaches are one of the most common and most publicized ways PII ends up in the wrong hands. Whether a data breach is accidental or intentional, it causes significant issues for everyone involved. While it is impossible to completely prevent a data breach, there are steps that decrease the likelihood of one within your organization.
In 2005, the General Assembly enacted the PA Breach of Personal Information Notification Act. Entities that maintain, store, or manage computerized data that includes PII shall provide notice of any breach of the security of the system following discovery of the breach to any resident of PA whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. While the definition of PII is in question here, this Act does not prevent persons affected by a data breach from suing the borough in a civil suit for mishandling sensitive data.
The 2005 Act does not incorporate the laws of other states and countries, some of which have much stricter PII definitions and data breach laws. Boroughs may be required to follow the laws of each state and country in which affected people reside. Therefore, if a visitor applied for some sort of borough permit, the borough did not handle the data correctly, and a data breach followed, the breach-reporting requirements of the state or country where that person resides may apply.
PII Protection for Municipalities & Businesses
Protect the privacy of your residents, customers, and/or staff by ensuring the safe handling of sensitive data. To help combat human error (a prominent cause of data breaches), begin creating a culture of security among borough staff.
All employees should be aware of how to safely collect, send, and store electronic PII.
Collect – When collecting PII online, not just any online form will do. Collect PII using a secure form only. Encryption both in transit and at rest is essential.
Send – Use a secure portal to send PII. The data must be encrypted at rest and in transit.
Never email PII. Even if the borough’s email is secure, one cannot be sure if the recipient’s email is secure.
Store – When storing PII locally, whether collected online or entered in the computer by hand, ensure that the network is secure to reduce the risk of a hack. Network security can seem too technical for the average user. If your borough has an IT professional, work with her or him to ensure network security. If your borough doesn’t have an IT professional, a few simple steps to increase network security include layered security, installing updates and patches, changing default credentials, training and procedure enforcement, and employing proper permissions.
When storing PII on a server, it is important to store the data encrypted. Encrypted information is not stored in plain text. It is stored “scrambled” so if an unauthorized person does gain access to the server on which it is stored, the information cannot be read without a key to decrypt the data. Encrypt as much of the data as possible. This way, you have a better chance of being covered as PII laws change.
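As an added illustration (not part of the original guide), the Go program below encrypts a single PII field with AES-256-GCM before it is written to the store, so that a copy of the server’s files yields only ciphertext and a wrong key or an altered record is rejected on decryption. It assumes the 32-byte key is loaded from a separate key vault rather than stored beside the data, and the SSN is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-256-GCM from a 32-byte key held apart from the data store.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPII encrypts one PII field for storage at rest: blob = nonce || ciphertext || tag.
func sealPII(key []byte, field string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(field), nil), nil
}

// openPII decrypts a stored blob; a wrong key or a tampered blob returns an error.
func openPII(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("stored blob too short (%d bytes)", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // in practice loaded from a key vault, never stored beside the data
	rand.Read(key)
	blob, _ := sealPII(key, "123-45-6789") // constructed sample value, not a real SSN
	fmt.Println(openPII(key, blob))
}
```

The nonce is not secret and may sit next to the ciphertext; only the key must be kept elsewhere, which is what makes the stored record unreadable to someone who has only the server’s files.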
Never store PII on an unlocked, insecure device, such as a laptop taken to and from the office or a personal smartphone. Criminals could easily steal such a device and gain access to sensitive borough information. Make sure PII is stored on a secure drive on a secure network to minimize the risk of stolen data.
It is worth noting that you should only collect and store the PII that needs to be stored. Consult your solicitor to explore the state and federal regulations that apply to the borough and the data collected, as well as appropriate retention policies.
Protecting your PII as a Consumer
Although a consumer cannot prevent PII data breaches from occurring, it is possible to protect personal information. Limit the amount of personal information shared. This can be difficult, but it can be done. Next time someone asks for PII, truly think about why they need it. If sharing specific information is a must, ask them how they will protect it. Additionally, consider limiting information shared on social media and remember to shred important documents before discarding.
Each piece of data shared could be providing a criminal with a new puzzle piece. Whether as a consumer or a borough official, start protecting PII today to reduce the risk of identity theft.
Disclaimer: CourseVector is not issuing legal advice about the definition or handling of PII or how to handle a data breach. Please consult your lawyer or solicitor to determine next steps if you think your borough may have had a data breach. It is up to each borough to determine an IT security plan on how to collect, send, and store PII.
For more information on PII laws in PA, check out https://www.legis.state.pa.us/ or contact your lawyer or solicitor.