Law

Minimizing PII Exposure and Loss

By Stacey McDaniel

The government has always gone to extraordinary lengths to protect classified data and trade secrets. However, much of the information that is deemed “unclassified data,” such as names, Social Security numbers, birth dates and other forms of Personally Identifiable Information (PII), are also in dire need of stringent security controls.

The shift to e-government -- and all that comes with it, including high-speed networks, mobile computing and better information sharing -- has introduced new risks to PII. At the same time, agencies are being held more accountable for IT security measures, and PII is becoming more valuable to criminals, making the protection of PII a top priority for government officials.

This article provides a look at PII within government, where it’s vulnerable, and steps that can be taken to keep it safe.

Reporting breaches
A July 2006 Office of Management and Budget memo requiring agencies to report all breaches involving PII within one hour of discovery has helped the government realize just how prevalent this issue is. In June 2007, 40 agencies reported an average of 14 incidents that involved exposure of an American’s PII each day. By October 2007, the same agencies were reporting an average of 30 incidents a day. Even though many of the incidents have relatively harmless consequences, agencies can’t afford to take any risks.

Within any government agency, PII is at the fingertips of every staff member who has email, database and Web access at work. The growing use of removable media such as USB drives, CDs/DVDs and portable Mp3 players brings new risk into the picture by making PII easily transportable on devices that aren’t always properly secured.

Here are the most common ways PII can become exposed:

  • Device theft or loss According to a 2007 study by the Ponemon Institute, lost or stolen laptops and other devices such as removable drives accounted for almost half of data breach incidents (49%). A widely publicized theft occurred in May 2006, when a Veterans Affairs employee’s laptop and external hard drives containing digitized records of active-duty troops and veterans was stolen from his home. In another case, a recent review performed by the Commerce Department stated that more than 1,100 of the Department’s laptops have either gone missing or been stolen over the past five years.
  • Database break-in/hacking Criminals are constantly developing new malware, worms and spam to access confidential information for monetary gain. For example, in late October 2007, an Oak Ridge National Laboratory database was penetrated through several waves of phishing email messages. Once inside, the attackers accessed the names, Social Security numbers and birth dates of lab visitors between 1990 and 2004.
  • Insider threat Disgruntled employees seeking revenge or inadvertent human error are to blame for a number of breaches that occur from inside the network. One example: In January 2007, an employee at the Los Alamos National Laboratory unintentionally transferred sensitive information through an unsecured email system.

Protection measures
Government agencies should first minimize the amount of PII that they collect and store. Following that, PII access should be limited to a need-to-know basis. Encryption, strong authentication procedures and other security controls can all make PII unusable by unauthorized individuals. Here’s a closer look:

  • Discovery An agency cannot protect what it cannot find, so it must first identify the PII it has and where it is stored. File servers, databases, desktops, laptops, remote devices and all other data repositories should be scoured for PII. There are solutions available that not only scan for this information but also address any exposed data on the spot.
  • Access control Agencies face similar problems with data usage. Since they do not always know how PII is being used, it is hard to manage it. Mobile endpoints present an even bigger challenge, because it is difficult to track which laptops and devices hold PII, and why it is being exchanged between devices. A solution should be in place to monitor activity and prevent PII from exiting any network gateway or endpoint.
  • Encryption Because device theft and loss is the No. 1 reason for PII exposure, encryption is the best way to ensure that data is useless to criminals. PII contained in databases or stored on mobile computing devices such as laptops, PDAs, CDs or drives should always be encrypted.
  • Education In addition to technical safeguards, employees should be made aware of data security issues and advised to be on the lookout for suspicious activity. Employees will recognize that there are new authentication measures in place, so the best thing to do is educate them on why securing PII is so crucial, as they are an important line of defense.

Conclusion
Today, the government is responsible for storing and managing a staggering amount of PII, the volumes of which continue to grow. All that data must be protected from threats from both inside and outside the network.

 

Stacey McDaniel has been writing about high-tech issues for more than six years.

ADVERTISEMENT

Fast Fact

A July 2006 Office of Management and Budget memo requiring agencies to report all breaches involving PII within one hour of discovery has helped the government realize just how prevalent this issue is. In June 2007, 40 agencies reported an average of 14 incidents that involved exposure of an American’s PII each day.

Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:

Public Sector Backup and Recovery

Playtime: 6 min 30 sec

Download | Subscribe