Handle with Care: Personally Identifiable Information

August 27, 2019 | Cyber Security

COL (R) Lawrence D. Dietz

TAL Global Corporation
General Counsel and Managing Director
Information Security

*****

We don’t share our toothbrushes because we feel they are personal, sensitive and valuable. Yet Personally Identifiable Information (PII) is shared freely and compromised on a daily basis. As you might expect, PII is defined a bit differently by different jurisdictions.


What is Personal Data?

Article 4 of the EU’s General Data Protection Regulation (GDPR) defines it as follows: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”


California, as you might expect, defines personal data/information a bit differently. The California Consumer Protection Act (CCPA), California Civil Code 1798.140(o)(1), states: “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Any categories of personal information described in subdivision (e) of Section 1798.80.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

From a practical perspective, personal data is any data that criminals can sell or can use to create a fake digital ‘you’. With this fake, stolen identity, criminals can open new credit cards, transfer assets and pursue other nefarious purposes.


Identity Theft

Identity theft is big business; it is the third most reported type of fraud to the FTC. In its Consumer Sentinel Network Data Book 2018, the FTC reported that it received more than 444,602 reports of fraud in 2018 from people who said their information was misused on an existing account or used to open a new credit card account. This represented an astounding 37.5% increase over 2017.


Legal Liability

When an organization’s IT system is breached and PII is potentially exposed, the organization is immediately responsible for complying with its state’s data breach law and potentially with the laws of other states whose residents might be affected by the breach. Organizations may well be liable for any harm suffered by those whose data was compromised, and they could also face government action for failing to follow the relevant data breach laws.

According to the National Conference of State Legislatures, each of the 50 states, as well as the District of Columbia, Guam, Puerto Rico and the US Virgin Islands, has a data breach law.

There are a number of common provisions across these laws. Some of them are:

  • Notification to affected state residents without unreasonable delay.
  • Notification to state agencies, consumer reporting agencies and others.
  • Exceptions are granted for data encryption, low risk of harm and good-faith access by employees.
  • Civil penalties that are enforced by the state’s attorney general.

While there are common provisions, it is also fair to say that these laws differ considerably from one another. Massachusetts is well known for having among the toughest breach laws.


Practical Ways to Minimize Exposure

An ounce of prevention in this case is worth a ton of cure. A key step is to safeguard your information according to what it is, not where it is. Your mail contains quite a bit of PII: shred documents rather than simply throwing them in the trash. Employ access control, encryption and other cyber security products or services, and restrict access to your phone, computer, tablet and other devices.

Avoid giving out PII elements such as your Social Security Number, birthday, etc. Of these, the Social Security Number is probably the most important. While you can get new credit cards, passports and driver’s licenses (each coming with a new number), you can’t get a new Social Security Number.

If you are not planning any major purchases, you can freeze or lock your credit until you are ready to do so. While the two terms are often used interchangeably, they are different. A credit freeze requires you to contact each of the three major credit reporting bureaus: Equifax, Experian and TransUnion. Unfreezing requires a PIN or a password-protected account. A credit lock is easier to manage, but it is not a free service. For example, Experian gives you a free month and then charges $19.99 a month; Equifax offers a free lock service, and TransUnion offers credit lock as part of a $24.95 a month package.


Conclusion

Individuals and organizations must do all they can to safeguard their own personal data and the PII entrusted to them for storage and/or processing. Severe legal liability attaches to organizations when they are breached and personal data is exposed.

Sincerely,

COL (R) Lawrence D. Dietz
TAL Global Corporation
General Counsel and Managing Director, Information Security



Colonel (R) Lawrence D. Dietz is a nationally recognized expert in the areas of cyber security, cyber warfare, information security and intellectual property. Mr. Dietz is a licensed attorney and also provides litigation and legal support to our clients in these matters.

As a retired Army Reserve Colonel specializing in intelligence and PSYOPS, Mr. Dietz has over 30 years of diversified military and commercial information and cyber security experience. This unique knowledge, combined with the thought leadership of academia, enables Mr. Dietz to bring varied approaches and solutions to clients’ challenges.

As always, we value your feedback, which helps us shape our perspective on recent events, security and the services we offer.

Feel free to reply to this email and share your thoughts with our team.

Stay safe,
Your Friends @ TAL Global
1-408-993-1300

© TAL Global, 2019