Guidelines take stab at guarding personal information
Connecting state and local government leaders
New NIST guidelines describe what constitutes personally identifiable information and how it should be protected.
Agencies still struggle with protecting confidential personal information, the data that can allow thieves to steal identities. Now the National Institute of Standards and Technology has released new guidelines to help agencies safeguard the information.
The document outlines a risk-based approach to security, which it describes using a quote from McGeorge Bundy, national security adviser to Presidents Kennedy and Johnson, who once told Congress, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”
“The escalation of security breaches involving personally identifiable information has contributed to the loss of millions of records over the past few years,” the guidelines warn. Those breaches can expose individuals to identity theft and fraud and expose the organizations that lose the data to the loss of public trust, legal liability, and the cost of remediating damage.
Special Publication 800-122, titled "Guide to Protecting the Confidentiality of Personally Identifiable Information," provides guidance to agencies for identifying PII and determining the appropriate level of protection for it. It also suggests controls to provide that level of protection and gives recommendations for developing breach response plans. The risk-based approach means that agencies should put the bulk of their efforts into protecting the most critical information.
NIST defines personally identifiable information as information that can be used to distinguish or trace an individual‘s identity, such as name, Social Security number, date and place of birth, mother‘s maiden name, or biometric records. The definition also includes any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information. It can include telephone numbers, IP or Media Access Control addresses, or any static identifier that links to a single person or to a small, well-defined group of people.
The Office of Management and Budget already requires agencies to periodically review their holdings of PII for accuracy and need and to reduce these holdings to the necessary minimum, as well as to develop plans to eliminate the unnecessary collection and use of Social Security numbers. The new NIST publication gives guidance for evaluating the impact level of the information and for implementing the appropriate security controls.
To effectively protect personally identifiable information, NIST recommends that organizations:
- Identify all PII residing in their environments. “An organization cannot properly protect PII it does not know about,” the publication states. Examples of PII include full names; identification numbers such as Social Security numbers, driver’s license numbers or account numbers; addresses; and personal characteristics such as photographs or biometric data.
- Limit the collection and retention of PII to what is necessary for the mission. You can’t lose what you don’t have. Only the information that is necessary to an agency's mission should be collected, and that should be purged when not needed. NIST suggests that agencies could have an annual PII purging awareness day. Disposal should be done in accordance with retention schedules approved by the National Archives and Records Administration, as well as with any litigation holds placed on information.
- Categorize PII by its impact level. “All PII is not created equal,” the document states. Agencies should distinguish the “diamonds” from the “toothbrushes” within their holdings. The guidelines define impact as low, moderate or high, depending on the potential harm posed to the individual or agency by its loss. Factors to consider include how distinguishable personal information is, how it is organized and used, and how accessible it is.
- Apply the appropriate safeguards based on the impact level. Some PII, such as public directories, is not considered confidential and does not need to be protected. Agencies should create policies and procedures for protecting PII that is confidential, conduct training on these policies, remove data from PII when possible to make it less identifiable, use access controls and encryption to protect the data, and audit events.
- Develop an incident response plan for PII breaches, including how and when individuals affected are to be notified, when a breach should be reported publicly and what remedial services such as credit monitoring should be offered to potential victims.
- Encourage close coordination between privacy officers, chief information officers, information security officers and legal counsel in addressing PII issues.
NEXT STORY: Warning: Infrastructure not ready for imminent cyber attacks