Identifying and Safeguarding Personally Identifiable Information (PII) Answers

Welcome to the study guide on Personally Identifiable Information (PII). In today’s digitized world, where data is often touted as the “new oil,” understanding the significance and intricacies of PII has never been more critical.

This guide has been meticulously crafted to serve as a comprehensive tool for learners, regardless of their prior knowledge about PII.

The intent is to shed light on the subtle nuances that differentiate PII from other types of information. By exploring its definition and delving deep into the various facets of PII, this guide aims to equip you with a robust understanding that transcends mere textbook knowledge.

We want you to grasp not only what PII is but also appreciate its vulnerability and the dire need to shield it from potential breaches.

Identifying and Safeguarding PII v5.0 Answers

  1. What law establishes the federal government’s legal responsibility for safeguarding PII?
    • Answer: The Privacy Act of 1974
  2. Which of the following is NOT a permitted disclosure of PII contained in a system of records?
    • Answer: The record is disclosed with a new purpose that is not encompassed by the SORN
  3. If someone tampers with or steals an individual’s PII, they could be exposed to which of the following?
    • Answer: All of the above
  4. True or false? A System of Records Notice (SORN) is not required if an organization determines that PII will be stored using a system of records.
    • Answer: False
  5. Which of the following is NOT an example of PII?
    • Answer: Pet’s nickname
  6. Which of the following is NOT included in a breach notification?
    • Answer: Articles and other media reporting the breach.
  7. True or False? Paper-based PII is involved in data breaches more often than electronic PII documentation.
    • Answer: False
  8. Which of the following is NOT an example of an administrative safeguard that organizations use to protect PII?
    • Answer: List all potential future uses of PII in the System of Records Notice (SORN)
  9. Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?
    • Answer: Civil Penalties
  10. You are reviewing personnel records containing PII when you notice a record with missing information. You contact the individual to update the personnel record. Is this compliant with PII safeguarding procedures?
    • Answer: No
  11. Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as record identification. Is this compliant with PII safeguarding procedures?
    • Answer: Non-compliant
  12. Your coworker was teleworking when the agency e-mail system shut down. She had an urgent deadline so she sent you an encrypted set of records containing PII from her personal e-mail account. Is this compliant with PII safeguarding procedures?
    • Answer: Non-compliant
  13. You are reviewing personnel records containing PII when you notice a record with missing information. You contact the individual to update the personnel record.
    • Answer: Compliant
  14. You are tasked with disposing of physical copies of last year’s grant application forms. These documents contain PII so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?
    • Answer: Compliant
  15. Phishing is responsible for most of the recent PII breaches. True or false?
    • Answer: True
  16. If you discover PII on the web, immediately close your browser and delete all information regarding the URL. True or false?
    • Answer: False
  17. Following a breach, organizations must issue a breach notification. True or false?
    • Answer: True
  18. Organizations can incur civil penalties for failing to uphold their PII responsibilities. True or false?
    • Answer: True
  19. Individuals are immune to criminal penalties, even if they fail to uphold their PII responsibilities. True or false?
    • Answer: False

Identifying and Safeguarding PII v4.0 Answers

  1. Which of the following must Privacy Impact Assessments (PIAs) do?
    • Options: Analyze how an organization handles information to ensure it satisfies requirements; mitigate privacy risks; determine the risks of collecting, using, maintaining, and disseminating PII on electronic information systems; all of the above
    • Answer: All of the above
  2. True or False? An individual whose PII has been stolen is susceptible to identity theft, fraud, and other damage.
    • Options: True or False
    • Answer: True
  3. What / Which guidance identifies federal information security controls?
    • Options: The Freedom of Information Act (FOIA); The Privacy Act of 1974; OMB Memorandum M-17-12: Preparing for and responding to a breach of PII; DOD 5400.11-R: DOD Privacy Program
    • Answer: OMB Memorandum M-17-12
  4. Which of the following is NOT an example of PII?
    • Options: Driver’s License Number; Pet’s nickname; Social Security Number; Fingerprints
    • Answer: Pet’s nickname
  5. Which of the following is NOT a permitted disclosure of PII contained in a system of records?
    • Options: These are all permitted disclosures; The record is disclosed for a new purpose that is not specified in the SORN; The record is disclosed for routine use; The individual has requested that their record be disclosed
    • Answer: The record is disclosed for a new purpose that is not specified in the SORN
  6. A PIA is required when an organization collects PII from:
    • Options: Existing information systems and electronic collections for which no PIA was previously completed; New information systems or electronic collections (before development or purchase and/or converting paper records to electronic systems)
    • Answer: Both: existing information systems and electronic collections for which no PIA was previously completed, and new information systems or electronic collections (before development or purchase and/or converting paper records to electronic systems)
  7. A PIA is not required when the information system or electronic collection:
    • Options: does not collect, maintain, or disseminate PII; is a national security system, including one that processes classified info; is solely paper-based
    • Answer: All three: does not collect, maintain, or disseminate PII; is a national security system, including one that processes classified info; is solely paper-based
  8. Within what timeframe must DOD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?
    • Options: 1 hour; 12 hours; 48 hours; 24 hours (FYI: 24 hours to the Component Privacy Office and 48 hours to the Defense Privacy, Civil Liberties, and Transparency Division)
    • Answer: 1 hour for US-CERT
  9. Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as record identification. Is this compliant with PII safeguarding procedures?
    • Options: Yes or No
    • Answer: NO
  10. You are tasked with disposing of physical copies of last year’s grant application forms. These documents contain PII so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?
    • Options: YES or NO
    • Answer: YES
  11. Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?
    • Options: Neither civil nor criminal penalties; civil penalties; criminal penalties; both civil and criminal penalties
    • Answer: Civil Penalties
  12. True or False? Paper-based PII is involved in data breaches more often than electronic PII documentation.
    • Options: True or False
    • Answer: False (phishing is responsible for most of the recent PII breaches)
  13. Which regulation governs the DoD Privacy Program?
    • Options: The Freedom of Information Act (FOIA); The Privacy Act of 1974; OMB Memorandum M-17-12: Preparing for and responding to a breach of PII; DOD 5400.11-R: DOD Privacy Program
    • Answer: DOD 5400.11-R: DOD Privacy Program
  14. Which of the following is NOT included in a breach notification?
    • Options: A. Articles and other media reporting the breach. B. What happened, date of breach, and discovery. C. Point of contact for affected individuals. D. Whether the information was encrypted or otherwise protected.
    • Answer: A. Articles and other media reporting the breach.
  15. TRUE OR FALSE. A PIA is required if your system for storing PII is entirely on paper.
    • Options: TRUE or FALSE
    • Answer: FALSE
  16. TRUE OR FALSE. Misuse of PII can result in legal liability of the individual.
    • Options: TRUE or FALSE
    • Answer: TRUE
  17. TRUE OR FALSE. Misuse of PII can result in legal liability of the organization.
    • Options: TRUE or FALSE
    • Answer: TRUE
  18. Where is a System of Records Notice (SORN) filed?
    • Options: A. National Archives and Records Administration. B. Congress. C. Federal Register. D. SORNs are for internal reference only, and don’t need to be filed with a third party.
    • Answer: Federal Register
  19. Organizations must report to Congress the status of their PII holdings every:
    • Options: A. Six Months. B. Year. C. Five years. D. Organizations are not required to report to Congress.
    • Answer: Year
  20. Jane Student is delivering a document that contains PII, but she cannot find the correct cover sheet. She should:
    • Options: A. Mark the document CUI and deliver it without the cover sheet. B. Mark the document as sensitive and deliver it without the cover sheet. C. Mark the document CUI and wait to deliver it until she has the cover sheet. D. None of the above; provided she is delivering it by hand, it does not require a cover sheet or markings.
    • Answer: Mark the document CUI and wait to deliver it until she has the cover sheet
  21. The acronym PHI, in this context, refers to:
    • Options: A. Protected Health Information. B. Public Health Institute. C. Public Health Informatics. D. Public Health Intelligence.
    • Answer: Protected Health Information

Defining Personally Identifiable Information (PII)

Definition

What is PII and how is it distinguished from other data?

  • Conceptual Overview: At its core, Personally Identifiable Information, or PII, refers to any information that can be used on its own or with other data to identify, contact, or locate a single person, or to identify an individual in context. It’s the digital footprint of an individual’s identity.
  • Distinguishing PII: Not all data about an individual is PII. For a piece of information to be PII, it should be something that can identify a person distinctly. For instance, a person’s name alone might not be PII, but when combined with their date of birth, it can become unique enough to identify a single individual.

Types of PII

Distinguishing between sensitive and non-sensitive PII.

  • Sensitive PII: This is data that, when disclosed, could result in harm to the individual. Examples include Social Security numbers, driver’s license numbers, bank account numbers, and passport details. Breaches involving sensitive PII can lead to identity theft or other malicious activities.
  • Non-sensitive PII: This refers to information that is generally available in public records and doesn’t necessarily pose an immediate risk to individuals if disclosed. This could include information like an individual’s name, address, or telephone number. However, it’s crucial to note that combinations of non-sensitive PII can sometimes be used to deduce sensitive PII.

Examples

Common instances of PII in everyday life and work.

  • Direct Identifiers: These are pieces of information that can directly pinpoint an individual. Examples include full names, Social Security numbers, address, email address, phone numbers, and biometric data (like fingerprints or retina scans).
  • Indirect Identifiers: These might not identify a person on their own but can do so when combined with other data. Examples include a person’s occupation, race, religion, or date of birth.
  • Work-related PII: In professional settings, PII can encompass employee identification numbers, personal email addresses, personal phone numbers, and even computer IP addresses.
  • Everyday Interactions: From signing up for a newsletter, making an online purchase, to booking a doctor’s appointment, PII is exchanged frequently. Recognizing these instances helps in being vigilant about where and how our data is being used.

Remember, the line between sensitive and non-sensitive PII can often blur, especially as technology and data analytics evolve. What might seem non-sensitive today could become a crucial piece of a larger puzzle tomorrow. It underscores the need for vigilance and proactive protection at all times.
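The point made above, that a name or a date of birth shared by several people becomes identifying once combined, can be checked mechanically. The following is an added example, not part of the original study guide: a k-anonymity style check over a constructed dataset of fictional records that reports which attribute combinations single a person out. The field names and records are assumptions made for the illustration.

```python
"""Added example, not from the original study guide: shows how fields that do
not identify anyone on their own (each value shared by 2+ people) become
identifying in combination, using a k-anonymity style uniqueness check."""
from collections import Counter
from itertools import combinations

# Constructed toy records about fictional people; field names are assumptions.
RECORDS = [
    {"name": "A. Rivera", "dob": "1985-03-02", "zip": "20170", "occupation": "nurse"},
    {"name": "A. Rivera", "dob": "1990-07-30", "zip": "20170", "occupation": "teacher"},
    {"name": "B. Chen",   "dob": "1985-03-02", "zip": "20171", "occupation": "teacher"},
    {"name": "B. Chen",   "dob": "1990-07-30", "zip": "20171", "occupation": "nurse"},
    {"name": "C. Okafor", "dob": "1990-07-30", "zip": "20170", "occupation": "teacher"},
    {"name": "C. Okafor", "dob": "1990-07-30", "zip": "20171", "occupation": "nurse"},
]
FIELDS = ["name", "dob", "zip", "occupation"]


def class_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group; k == 1 means someone is singled out."""
    if not records:
        return 0
    return min(class_sizes(records, fields).values())


def singled_out(records, fields):
    """Records whose value combination for `fields` is unique in the dataset."""
    sizes = class_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def minimal_identifying_combos(records, fields):
    """Smallest field combinations under which at least one record is unique.

    A combination is skipped when a subset of it already identifies someone,
    so the result lists only the minimal quasi-identifier sets."""
    found = []
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if any(set(prev) <= set(combo) for prev in found):
                continue
            if k_anonymity(records, list(combo)) == 1:
                found.append(combo)
    return found


if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:11s} alone: k = {k_anonymity(RECORDS, [f])}")
    print("name + dob:        k =", k_anonymity(RECORDS, ["name", "dob"]))
    for r in singled_out(RECORDS, ["name", "dob"]):
        print("  singled out:", r["name"], r["dob"])
    print("minimal identifying combinations:",
          minimal_identifying_combos(RECORDS, FIELDS))
```

On this dataset every single field has k = 2 or more, so no field alone identifies anyone, yet name plus date of birth singles out four of the six people; the same check applied before releasing or sharing a dataset shows which columns must be generalized or dropped.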

Importance of Safeguarding PII

Legal Implications

Laws and regulations that mandate the protection of PII.

  • Federal Laws: In the U.S., several federal laws address the protection of PII. The Health Insurance Portability and Accountability Act (HIPAA) protects personal health information. The Fair and Accurate Credit Transactions Act (FACTA) governs consumer report information. The Family Educational Rights and Privacy Act (FERPA) ensures the protection of student education records.
  • State Laws: Many U.S. states have their own data protection laws, like the California Consumer Privacy Act (CCPA), which grants California residents specific rights regarding their personal information.
  • Global Regulations: For global entities or those dealing with international clients, the General Data Protection Regulation (GDPR) in the European Union sets stringent requirements for handling and protecting PII.

Ethical Considerations

The moral responsibility of handling personal data.

  • Trust and Expectation: When individuals share their PII with an organization, they trust that it will be used for the intended purpose and will be protected. Ethically, organizations must uphold this trust and avoid misusing the data.
  • Transparency: It’s an ethical obligation for entities to be transparent about how they collect, use, and store PII. This includes notifying individuals about any changes to data handling policies.
  • Consent: Before using someone’s PII for a purpose other than what was initially agreed upon, organizations must ethically seek consent.

Consequences of PII Breaches

The multifaceted impact of data breaches on individuals and organizations.

  • Financial Impact: Breaches can lead to significant monetary losses for individuals (due to fraud or identity theft) and for organizations (in the form of fines, lawsuits, and remediation costs).
  • Reputation Damage: For businesses, a PII breach can result in severe reputational harm. Trust is hard to gain but easy to lose. Once lost, it’s challenging and costly to rebuild.
  • Emotional and Psychological Consequences: For individuals, knowing that their personal data is in the hands of malicious actors can lead to stress, fear, and anxiety.
  • Operational Setbacks: For organizations, a breach can disrupt operations. Remedying the breach, investigating its causes, and implementing stronger security measures can divert resources from core business activities.

Best Practices for Handling PII

Data Minimization

Collecting only the necessary PII and for a specified purpose.

  • Purpose Limitation: Before collecting PII, clearly define the purpose for which it is being collected. Refrain from obtaining data that isn’t directly relevant to that purpose.
  • Time Limitation: Keep PII only for the duration necessary to serve its intended purpose. Establish and adhere to data retention policies that outline when and how to safely dispose of or de-identify PII once it’s no longer needed.
  • Avoiding Redundancy: Ensure that multiple departments or teams within an organization aren’t collecting the same PII independently of one another. Centralize PII collection processes when possible to avoid redundancy.

Secure Storage

Techniques and tools to securely store PII.

  • Encryption: Use robust encryption techniques to protect stored PII. This ensures that even if data is accessed by unauthorized entities, it remains unreadable.
  • Access Control: Implement strict user access controls. Only allow authorized personnel who have a genuine need to access specific PII. Regularly review and update access permissions.
  • Regular Backups: Ensure that PII is regularly backed up to a secure location. This aids in data recovery in case of accidental deletions or system failures.
  • Physical Security: If PII is stored in physical form, use locked filing cabinets, secure rooms, and other means to prevent unauthorized access.

Safe Transmission

Ensuring encrypted and secure channels when transmitting PII.

  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS): When transmitting PII over the internet, use SSL or TLS to establish an encrypted link between the server and the client. Note that all SSL versions are deprecated, so in practice this means a current version of TLS.
  • VPN (Virtual Private Network): If employees need to access PII remotely, ensure they use a VPN. This creates a secure, encrypted tunnel for data transmission.
  • Avoid Email: Refrain from sending PII via regular email. If it’s essential, ensure the data is encrypted, and use secure email solutions or platforms designed for confidential data sharing.
  • Regularly Update and Patch: Systems used for transmitting PII should be regularly updated and patched to protect against known vulnerabilities.

Exam Preparation

Mock Questions & Answers

Sample questions to test understanding and readiness.

  1. What does PII stand for?
    • Answer: Personally Identifiable Information.
  2. Distinguish between sensitive and non-sensitive PII with an example of each.
    • Answer: Sensitive PII could lead to substantial harm or inconvenience if lost, compromised, or disclosed, like Social Security numbers. Non-sensitive PII, like a person’s name, might not cause harm by itself but can become sensitive when combined with other personal data.
  3. List one legal implication and one ethical consideration related to PII breaches.
    • Answer: Legal: Organizations may face lawsuits or hefty fines for data breaches. Ethical: Organizations have a moral responsibility to protect an individual’s privacy and personal data.
  4. Which method ensures secure transmission of PII over the internet?
    • Answer: Using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Revision Techniques

Strategies for efficient review of the material.

  • Spaced Repetition: Review the material at increasing intervals to reinforce memory retention.
  • Mind Mapping: Create a visual representation of the main concepts and how they connect to each other. This can help in visualizing the overall structure of the topic.
  • Teaching: Explaining the concepts to someone else or even to oneself can help solidify understanding.
  • Practice Exams: Regularly test oneself using mock exams to get familiar with the format and type of questions.

Resources & Tips

Additional reading material, study tips, and insights into potential exam challenges.

  • Resources:
    • Data Privacy and Protection Handbook – A comprehensive guide to understanding PII and its significance.
    • The PII Protection Portal – An online platform offering articles, case studies, and best practices related to PII safeguarding.
  • Study Tips:
    • Focus on real-world examples of PII breaches to understand the consequences and lessons learned.
    • Use mnemonic devices for remembering specific terms or legal mandates.
    • Engage in group discussions to get varied perspectives and deeper insights.
  • Insights into Potential Exam Challenges:
    • The exam might present hypothetical situations where one needs to identify whether specific data is PII or not.
    • Some questions might test understanding of the ethical considerations behind PII protection, requiring more than just rote memorization.
    • Stay updated with recent changes in laws or guidelines related to PII, as these could be integrated into the exam.

Quizzma Team