PII compromises lead to financial, security issues
January 13, 2011
FORT RUCKER, Ala. -- People use it every day. It is a very powerful thing that, if harmed or compromised, can cause them financial hardship or even put their security at risk.
It is personally identifiable information, and as 2011 begins, Fort Rucker officials want to ensure people safeguard others' PII properly.
PII is "any information about an individual maintained by an agency, including, but not limited to name, Social Security number, birth information, biometric information, or medical information," according to Lillian Yance, Directorate of Human Resources records and publication management.
Federal government agencies were required to protect PII beginning with the Privacy Act of 1974.
"It required agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity, which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained," Yance said. "It is imperative that federal agencies protect the confidentiality of PII from unauthorized and inappropriate access, use and disclosure because it can seriously impact individuals by contributing to identity theft."
Michael Whittaker, installation antiterrorism officer, said the loss of PII can lead to security breaches for individuals, as well.
"We've heard of people getting phone calls and all kinds of harassment," he said. "It's not just the terrorists. There are a lot of whack-a-dos out there."
Government agencies label breaches based on low, moderate or high impact. Low impacts create a minor inconvenience, while moderate impacts include financial loss, denial of benefits or discrimination, Yance said.
High impacts lead to serious physical, social or financial harm.
These are mitigated through several steps, Yance said.
Organizations should develop proper security policies and train all individuals on them. They should also implement privacy-specific protection measures.
For all paper-based records, PII should include "FOR OFFICIAL USE ONLY" markers. When faxing PII, label the information FOUO and call the destination to ensure someone is waiting to receive the fax immediately.
When e-mailing PII, encrypt the correspondence.
If a breach is believed to have occurred, Whittaker said people should immediately call the Network Enterprise Center or their information management officer. If people spot a breach, an immediate response would be to reply to the e-mail and issue a desist command, he added.
Failure to report an unintentional compromise can be interpreted as an intentional breach, and people responsible for it can be held criminally liable, Whittaker said.
"We are all vulnerable to identity theft, whether on a government computer or a personal computer. Hackers might take over your computer to send spam or perform attacks on other computers using your (Internet protocol) address," Yance said. "Remember that it is easier to protect your PII before it is stolen than it is to restore it afterward.
"If you are a government employee who maintains records that contain PII, remember: if you collect it, protect it," she said.