
PII AWARENESS TRAINING
DON’T BE TOMORROW’S HEADLINES…

JASON DUPUY, DIRECTOR OF IT, MAINEHOUSING


AGENDA

• What does PII actually mean?
• Current issues where PII is threatened
• Guidelines: Federal and State
• How can we comply? Strategies and practices
• How can PII leak out?
• Some pragmatic defenses
PRIVACY, IN GENERAL

• Privacy and Data Privacy are becoming topics du jour
• The word “privacy” does not appear in either the US Constitution or the Bill of Rights

So, what is “privacy”, especially in the electronic era?
MULTIPLE NAMES AND ACRONYMS

• PII – Personally Identifiable Information
• NPPI – Non Public Personal Information
• NPPFI – Non Public Personal Financial Information
• IIF – Information in Identifiable Form
• PHI – Protected Health Information (HIPAA)
• IIHI – Individually Identifiable Health Information
WHAT IS CERTAIN…
Whenever the acronym PII crops up – particularly in the media – the connotation is bad.

WHY?
PII LOSS
It usually occurs in connection with one of the following:

• Breach of security
  • Most data breaches were due to malicious or criminal attacks
• Loss or unauthorized disclosure
• Theft
• Postal
COST OF DATA BREACHES
• …rose by 10% from 2013 to 2014
• US $201 per RECORD
• Average total cost in 2014: $5.8 Million
• Costs included
  • Notification
  • Credit monitoring services
  • Engaging forensic experts
  • Audit services
  • Lost business
WHAT IS PERSONALLY IDENTIFIABLE INFORMATION?
IN GENERAL

Information (electronic or other) that can be used…

• To uniquely identify, contact or locate a single person
• Or which can be used with other sources to uniquely identify a single individual

Official Sources
• US Office of Management and Budget (OMB) – Government Agencies
• US National Institute of Standards (NIST) – IT Source
• Maine State Attorney General – State Government
OMB EXAMPLES OF PII

• Full Name
• Birth Date
• Birthplace
• National ID Numbers: SSN, Passport, taxpayer ID, driver’s license
• Mother’s maiden name
• Sex or Race
• Credit Card Numbers
• IP addresses
• Vehicle Registration Numbers
• Digital Identity
• Biometrics
• Genetic Information
NIST EXAMPLES OF PII

• Name: full name, maiden name, mother’s maiden name or alias
• Personal ID Numbers: SSN, passport, driver’s license, taxpayer ID, patient ID, credit or debit card numbers
• Address Information: street or email address
• Asset Information: IP or MAC address
• Telephone Numbers: mobile, business and personal numbers
• Personal Characteristics: photographic image, X-rays, fingerprints or other biometric
• Personally Owned Property: vehicle registration or title number
“PII IS ANY INFORMATION ABOUT AN INDIVIDUAL THAT CAN BE USED TO DISTINGUISH OR TRACE AN INDIVIDUAL’S IDENTITY. PII IS ALSO ANY OTHER INFORMATION THAT IS LINKED (OR LINKABLE) TO AN INDIVIDUAL, SUCH AS MEDICAL OR FINANCIAL INFORMATION”

MaineHousing Authority definition of PII – MaineHousing Acceptable Use Policy, June 2011
MAINEHOUSING EXAMPLES OF PII

• Any information provided by applicants or participants in MaineHousing programs (includes information provided by third parties working on behalf of an applicant/participant)
• Personal Identification Numbers, such as social security number (SSN), passport number, driver’s license number
• Financial account or credit card information, including account numbers, card numbers, expiration dates, cardholder name or service codes
MAINEHOUSING EXAMPLES OF PII

• Healthcare / medical information disclosed to MaineHousing
• Names and addresses of clients participating in MaineHousing programs or on waiting lists
• The address of a shelter or other living accommodations for victims of domestic violence

• THE FORMAT DOES NOT MATTER (Electronic or Paper)

CONFUSED YET?
FUN TIME – BREACH EXAMPLES!
MIT LEAKS PII
• Personal records, including SSN, of approximately 800 members of the MIT community were emailed to an MIT mailing list – 150 people received this list!
• SSN of 11K MIT employees posted in a publicly accessible file
  • Six months before system administrators became aware of the problem!
UNIVERSITY OF MARYLAND
• 300K personal records for faculty, staff and students were compromised
• Information breached included names, SSN, DOB and university identification numbers

- Millions of $$$ in credit protection service for 5 years

* One of the only universities in the US offering a PhD in… Information/Network Security!
TARGET
• Had installed network monitoring software
• Alerted admins to suspicious activity after hackers infiltrated
• Due to “workload” the warnings were ignored
• 40M credit card numbers, 70M addresses and phone numbers
• Cost 60 Million in Q1 alone
• CEO and CIO were fired
HOME DEPOT
• Identified the same attack vector as Target
• Commissioned a project to “batten down the hatches”
• Took 6 months to find, select, test and deploy system
• Hackers were in and out…
• 56M debit and credit cards
• 53M email addresses
• Cost 60M (excluding lawsuits ongoing)
JP MORGAN
• One of the world’s largest banks: 96B in revenues (2013)
• Cyber attack compromised 76M households and 7M business accounts
• Names, addresses, phone numbers, email addresses
• Internal JP Morgan information about users
• Hackers gained “the highest level of admin privilege” on more than 90 of the bank’s servers
HOW PRIVATE IS PII?
1. MIT Study showed that 69% of the individuals on a voting list were identifiable using only 5-digit zip code and DOB, while 97% were identifiable using 9-digit zip code and DOB.
2. This information could be linked with medical data to discern medical diagnosis, procedures and medications to an individual.

Attribute Combination                            Uniqueness
DOB and 9-Digit Zip                              97%
DOB and 5-Digit Zip                              69%
DOB, Sex and place (City, town, municipality)    53%
MIT STUDY
De-identified Medical Insurance List

• 135K State of Massachusetts employees
• Included Governor Weld (who lived in Cambridge, MA)
• Medical data linked with Voter Registration List
• Only 6 people in Cambridge with his DOB
• Only 3 were men
• Only one had his 5-digit ZIP!!

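The narrowing the MIT study performed, as an added example that is not from the original slides: over a constructed voter-style list (no real people, no real voter data) it measures how unique each attribute combination is (the k of k-anonymity) and then filters by DOB, sex and 5-digit ZIP the way the Governor Weld record was isolated. The record values and the 6 / 3 / 1 group sizes are constructed to mirror the slide.

```python
from collections import Counter

# Constructed voter-style records (not real people, not a real voter list);
# the fields are the quasi-identifiers the MIT study linked on.
RECORDS = [
    {"id": 1, "dob": "1950-01-01", "sex": "M", "zip5": "02138", "city": "Cambridge"},
    {"id": 2, "dob": "1950-01-01", "sex": "M", "zip5": "02139", "city": "Cambridge"},
    {"id": 3, "dob": "1950-01-01", "sex": "M", "zip5": "02140", "city": "Cambridge"},
    {"id": 4, "dob": "1950-01-01", "sex": "F", "zip5": "02138", "city": "Cambridge"},
    {"id": 5, "dob": "1950-01-01", "sex": "F", "zip5": "02139", "city": "Cambridge"},
    {"id": 6, "dob": "1950-01-01", "sex": "F", "zip5": "02141", "city": "Cambridge"},
    {"id": 7, "dob": "1962-05-09", "sex": "M", "zip5": "02138", "city": "Cambridge"},
    {"id": 8, "dob": "1962-05-09", "sex": "F", "zip5": "02139", "city": "Cambridge"},
]


def _key(record, fields):
    return tuple(record[f] for f in fields)


def uniqueness(records, fields):
    """Fraction of records whose combination of `fields` matches no other record.
    This is the figure the slide reports (97% / 69% / 53%) for a real list."""
    counts = Counter(_key(r, fields) for r in records)
    return sum(1 for r in records if counts[_key(r, fields)] == 1) / len(records)


def k_anonymity(records, fields):
    """Smallest group size: each record is indistinguishable from at least k-1 others.
    k == 1 means at least one person is already singled out by these fields alone."""
    return min(Counter(_key(r, fields) for r in records).values())


def narrow(records, **known):
    """Records consistent with what an outside party already knows (the linkage step)."""
    return [r for r in records if all(r[f] == v for f, v in known.items())]


if __name__ == "__main__":
    for fields in (("dob", "city"), ("dob", "zip5"), ("dob", "sex", "zip5")):
        print(fields, f"{uniqueness(RECORDS, fields):.0%} unique, k={k_anonymity(RECORDS, fields)}")
    # Same narrowing as the Weld re-identification: DOB in Cambridge -> sex -> ZIP
    same_dob = narrow(RECORDS, dob="1950-01-01", city="Cambridge")  # 6 people
    men = narrow(same_dob, sex="M")                                  # 3 men
    match = narrow(men, zip5="02138")                                # 1 person
    print(len(same_dob), len(men), len(match))
```

The point for a data custodian is that "de-identified" is not a property of a dataset alone: a release with k == 1 on DOB and ZIP is re-identifiable by anyone holding a public list with those two fields.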
MOBILE PHONE
• In 2010, computer scientists studied more than 2 dozen smart phone apps
• Half of these apps transmit the SIM card ID, the IMEI number and the GEOLOC coordinates in real time back to the remote servers of the app vendor
• Duke built an app that can track this behavior
WEBCAM ABUSE
Welcome to being watched!!

Hackers can remotely turn on cameras and capture activity

• Cyprus – man arrested for taking illicit pictures of teenagers
• Spain – man stole thousands of banking passwords, worldwide
• Robbins vs. Lower Merion School District – class action lawsuit involving 2 high school students using school-provided laptops to spy on others, both during school and at home: settled for $160K
QUESTION
Would the following be classified as PII, and why?

- An organization publishes a phone directory of employees’ names and work phone numbers on the web, so members of the public can contact them.

Answer: No
Reason: the organization has authority to release that information publicly
ARE YOU SCARED?
“ONCE MORE UNTO THE BREACH, DEAR FRIENDS”

Henry V, ACT III

RECENT GOVERNMENT LOSSES

• Farm Services Agency: inadvertently releases CDs containing SSN and tax IDs from US tobacco producers
• US Marine Corps: loses a thumb drive with names, SSN, and other PII for Marines on active duty, 2001-2005
• HHS: contractor loses a laptop with names, phone #s, medical records and DOB – 49K Medicare beneficiaries
• VA: computer stolen from employee’s home exposing 26.5M active duty records
RECENT PRIVATE ENTERPRISE LOSSES

• Sony: 100M accounts lost including credit and debit card data
• Heartland Payment Systems: 130M credit cards stolen
• Epsilon: world’s largest email marketing service provider is hacked, losing PII from hundreds of corporate customers:
  • TiVo, JP Morgan, Ritz-Carlton, Marriott, Walgreens, LL Bean!
AND ON, AND ON…
SAFEGUARDS – PROTECTING PII

• Physical Safeguards
• Technical Safeguards
• Administrative Safeguards
PHYSICAL SAFEGUARDS
• Paper records should be stored in locked file cabinets
• Areas where PII is referenced should be monitored and access limited
• Never leave files, storage media, or computers unattended, or in vehicles
• Records should be disposed of properly

TECHNICAL SAFEGUARDS
ENCRYPTION!!!!
• Ensure ALL emails containing PII are encrypted
• Ensure PII records are access controlled – need to know only
• Ensure SSNs, including the last 4 digits, are not posted on public-facing websites
• Install Data Leak Prevention software and tools
ADMINISTRATIVE SAFEGUARDS
• Create policies concerning the handling of PII
• Require annual security awareness training with an emphasis on PII
• Follow applicable federal and state compliance rules and guidance
• Perform a Privacy Impact Assessment
• Review reports, scripts and spreadsheets to determine if PII is required
MAINEHOUSING’S SAFEGUARDS

• Physical files are locked every night
• Access to interior building areas controlled
• All physical medium destroyed/shredded on-site
• Outgoing emails scanned for unencrypted PII – BLOCKED
• All portable hardware is encrypted
• Data Leak Prevention system blocks USB drives and CD-ROM access
• Limited “Cloud” access
• Privacy policy in place
• Annual Security Awareness Training mandatory for all employees
• Review of access controls in all applications
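An added example (not MaineHousing’s own tooling) of the outgoing-mail check on this slide and of the two SSN points under Technical Safeguards: a Python scanner that flags full SSNs and “last 4” references in a message and returns BLOCK unless the message is already encrypted. The structural filter relies on ranges the SSA never issues (area 000, 666 and 900-999, group 00, serial 0000) to cut false positives on phone numbers and invoice ids; the message format and sample text are constructed.

```python
import re

# Full SSN as 123-45-6789, 123 45 6789 or 123456789, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# "SSN ending in 6789", "social security last four 6789": the last-4 leak the slides warn about.
LAST4_RE = re.compile(r"(?i)\b(?:ssn|social security)\b[^\n\d]{0,40}\b(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Structural filter: the SSA never issues these ranges, so drop them as false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_pii(text):
    """Return (kind, value) findings for every SSN-related item in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in LAST4_RE.finditer(text):
        findings.append(("ssn_last4", m.group(1)))
    return findings


def dlp_verdict(message):
    """Policy from the slide: outgoing mail carrying unencrypted PII is BLOCKED.
    `message` is a constructed dict with subject, body and encrypted (bool)."""
    if message.get("encrypted"):
        return "ALLOW"
    hits = find_pii(message["subject"] + "\n" + message["body"])
    return "BLOCK" if hits else "ALLOW"


if __name__ == "__main__":
    # Constructed sample messages (no real people or numbers).
    samples = [
        {"subject": "Application 42", "body": "Applicant SSN: 123-45-6789, please process.", "encrypted": False},
        {"subject": "Application 42", "body": "Applicant SSN: 123-45-6789, please process.", "encrypted": True},
        {"subject": "Call back", "body": "Reach me at 207-555-1234; invoice 000-12-3456 is paid.", "encrypted": False},
        {"subject": "Verify", "body": "Confirm the SSN ending in 6789 with the applicant.", "encrypted": False},
    ]
    for msg in samples:
        print(dlp_verdict(msg), find_pii(msg["body"]))
```

A production DLP product also inspects attachments and applies the same patterns to web uploads and removable media; this block shows only the email-body decision.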
WEAKEST LINK

Do not be the weakest link…
• Maintain awareness…
• Think twice about sending that PII
• Ask for help!
QUESTIONS?
