In April 2010, the National Institute of Standards and Technology published a set of recommendations as a guide for protecting the confidentiality of Personally Identifiable Information [PDF]. Co-authored by Erika McCallister (Acting Director of the ISO / IEC 29115 and renowned computer scientist [PDF]), Tim Grance (Building Secure Public Clouds for Governments) and Karen Scarfone (who also co-authored the NIST publication on securing full virtualization technologies [PDF], as part of a very impressive resume), this guide on protecting PII called out something that the industry may not have paid sufficient attention to:
All PII is not created equal
It went on to give some great examples of factors that could be considered by organizations as they, as a first order of business, evaluated their PII to determine its impact level. These were:
- Identifiability. Organizations should evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
- Quantity of PII. Organizations should consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor.
- Data Field Sensitivity. Organizations should evaluate the sensitivity of each individual PII data field. For example, an individual’s SSN or financial account number is generally more sensitive than an individual’s phone number or ZIP code. Organizations should also evaluate the sensitivity of the PII data fields when combined.
- Context of Use. Organizations should evaluate the context of use—the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that an organization has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general-interest newsletter produced by the organization, and the second list is people who work undercover in law enforcement. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
- Obligations to Protect Confidentiality. An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates (e.g., Privacy Act, OMB guidance). For example, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to specific legal obligations to protect certain types of PII.
- Access to and Location of PII. Organizations may choose to take into consideration the nature of authorized access to and the location of PII. When PII is accessed more often or by more people and systems, or the PII is regularly transmitted or transported offsite, then there are more opportunities to compromise the confidentiality of the PII.
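As an added illustration (not from the NIST guide or this article), here is a toy Python assessment that applies the six factors above to a description of a dataset. The three-step level ladder, the per-field weights and the quantity threshold are assumptions; the point is that quantity, context, obligations and access can only raise the level, and that the two lists from the "Context of Use" example come out at different levels despite holding the same fields.

```python
# Added example, not part of NIST SP 800-122 or the article. Level ladder,
# field weights and the record-count threshold are assumed for illustration.
from dataclasses import dataclass

LEVELS = ["low", "moderate", "high"]

# Assumed baseline sensitivity per field (the guide: SSN/account > phone/ZIP)
FIELD_SENSITIVITY = {
    "name": "low", "zip": "low", "phone": "low", "area_code": "low",
    "address": "moderate", "dob": "moderate",
    "ssn": "high", "account_number": "high",
}
DIRECT_IDENTIFIERS = {"ssn", "account_number"}  # single out one person alone


def _max(*levels):
    return max(levels, key=LEVELS.index)


def raise_level(level, steps=1):
    """Quantity and similar factors may only raise a level, never lower it."""
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]


@dataclass
class Dataset:
    fields: frozenset
    record_count: int
    context: str = "general"            # e.g. "general" or "undercover_roster"
    legal_obligation: bool = False      # Privacy Act, IRS/Census mandates, ...
    broad_access_or_offsite: bool = False


def assess(ds: Dataset) -> str:
    # Data field sensitivity: start from the most sensitive single field ...
    level = _max(*(FIELD_SENSITIVITY.get(f, "moderate") for f in ds.fields))
    # ... and rate name + a locator (address or date of birth) higher combined
    if {"name", "address"} <= ds.fields or {"name", "dob"} <= ds.fields:
        level = _max(level, "moderate")
    # Identifiability: a direct identifier pins the record to one person
    if ds.fields & DIRECT_IDENTIFIERS:
        level = _max(level, "moderate")
    # Quantity: large populations raise the level and never lower it
    if ds.record_count >= 1_000_000:
        level = raise_level(level)
    # Context of use: the same fields rate higher on a sensitive roster
    if ds.context != "general":
        level = raise_level(level)
    # Obligations to protect, and exposure from broad access or offsite transport
    if ds.legal_obligation:
        level = raise_level(level)
    if ds.broad_access_or_offsite:
        level = raise_level(level)
    return level
```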
The typical mention of “Personally Identifiable Information” conjures up visions of data that is somewhat close to the typical definition. For example, here is the US General Services Administration definition:
Personally Identifiable Information (PII). The term “PII,” as defined in OMB Memorandum M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.
If you yawned, you’re not alone. In summary, this makes most think of “name, birthdate, social security number, blood type….stuff like that, maybe?”
Hold that thought and let’s switch gears for a bit. If you’ve followed most of the data breaches in the news lately, some of the following may ring a bell:
- Credit card companies have been hacked
- Healthcare companies have been hacked
- Universities have been hacked
- Grocery stores have been hacked
- The United States Postal Service has been hacked, ditto the United Parcel Service
- LinkedIn has reported a password security concern
- Charitable institutions, restaurants and casinos have been hacked
They say hacking is typically associated with money, ideology or emotion. Assuming that most of the above seven were not compromised because of a philosophical or emotional disconnect between the geopolitical impact of the services involved and the folks who carried out the compromise, we could surmise that all of this information is being sold on the ominous “underground” for money.
Dell SecureWorks published an excellent report in December 2014 about Underground Hacker Markets [PDF]. Amongst the various eye-opening details in it, there was one that stood out. It said “100% Satisfaction Guarantee” – and offered replacements if otherwise.
In the same report, there was a specific callout on the desire for stolen credentials.
So, presumably, there is an effort to correlate the data compromised from these multiple breaches as it is being sold. Imagine this: there’s a record somewhere that has at least one credit card number, associated with health information, associated with package delivery information, associated with academic qualification data, associated with professional resume data, associated with your name; where you live, work, eat, gamble and donate.
Thinking again about Personally Identifiable Information now? Specifically, “Identifiability” and the “Obligations to Protect Confidentiality” from the NIST guidelines at the start of this article?
Take a step back to think about a different question: Is there any organization, commercial or otherwise, that you engage with as a consumer and/or participant; that does not have your Personally Identifiable Information?
Over the last few days, buzz is building about a security compromise stemming from the PNI Digital Media platform used by market heavyweights like Costco, Walmart Canada, CVS, Tesco and many others. This transaction platform is built to empower something that we regard as a relatively commonplace offering today – a photo printing tool. The compromise is in the context of credit cards, but for a photo-printing service that users upload photos to, how far is it from the infamous Apple photo hack from 2014? Photos (and video) contain some irrefutable PII: faces, context, association, location data, activity data and more.
Should all photo sites need to be marked as repositories of PII and required to enforce the strictest PII handling requirements?
But, given the focus on photography in all forms of social media; could and would something like this truly get off the ground? Or have we willingly accepted the social declassification of our most important PII as a necessary evil in our evolution to behind-the-computer social engagement at a global level?
To build on what I called out earlier, imagine this: there’s a record somewhere that has at least one credit card number, associated with health information, associated with package delivery information, associated with academic qualification data, associated with professional resume data, associated with your name; where you live, work, eat, gamble and donate – and now there are photos (and video) of you, your family, friends and associates in various settings and engaged in various different activities; associated with that record.