“It’s not personal…it’s just business.”
I had just received notice of yet another data breach involving my “Personally Identifiable Information” or PII.
From the perspective of the big company, you were just one of millions whose data was lost. From my perspective, it felt personal.
On the other side of the coin is my concern for the organizations we advise here at Fractional CISO. A client recently asked us about whether or not the limited data they collected constituted PII or not. This was an important question — the answer would determine what their obligations were under US Federal Law, and impact their cyber insurance costs.
A subset of PII is PHI — Protected Health Information. There has been even more confusion on what constitutes PHI and what reasonable steps an organization should take to protect PHI. Because clinicians need ready access to PHI in order to make life-saving decisions, the security professional must constantly balance the need for quick access with security and privacy.
Let us explore personally identifiable information, our personal rights to privacy, and the legal obligations of organizations.
What is Personally Identifiable Information?
Personal data — often referred to as Personally Identifiable Information or PII — is simply information that is specific to a person.
NIST [5] has a very clear definition for personal information:
“Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
In other words, even though we may not explicitly know the identity of the individual, if we can determine who it is from the data then it is still personally identifiable information. For example, if the data includes home address, sex, and age, then you most likely can determine who that person is. Even your IP address (with no other information at all) is considered personal information under GDPR. This makes sense since you can learn a lot about a person using just an IP address.
There are two components to personal information:
Identifiers — such things as name, date of birth, insurance ID, Social Security Number, etc., which can be used to uniquely identify who the individual is.
Information about the Individual — data about the individual, such as their ethnic background, religious beliefs, health data, and much more.
Personal information includes all of the following and much more [6]:
Name
Date of Birth
Social Security number
Photographs
Political opinions
Labor Union membership
Ethnic background
Genetic data
Biometric data
Health data
As you can see from looking at this list, sensitivity of the information varies — your political opinions may be public knowledge, but your personal health data may be something you greatly desire to keep private.
Protected Health Information
Protected Health Information, or PHI, is a subset of Personally Identifiable Information — it is considered to be sensitive, and is defined [9] as data which:
1. Is created or received by a healthcare entity.
2. Relates to the past, present, or future:
physical or mental health or condition of any individual
provision of healthcare
payment for the provision of healthcare
3. Identifies an individual, or there is a reasonable basis to believe the information can be used to identify an individual
4. Is transmitted, maintained, or shared by electronic media, or in any other form or medium (e.g., paper, films, etc.)
HIPAA also specifies 18 identifiers which can identify an individual:
Names
All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people…
Dates (other than year) directly related to an individual
Phone Numbers
Fax numbers
Email addresses
Social Security Numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URLs
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
HIPAA is a strict regulation, and is enforced quite strongly. In the United States, it is probably the privacy regulation you will hear about the most. When the HHS Office for Civil Rights (OCR; several other government agencies also have an office with the same acronym, so don’t confuse them) receives notification of a data breach impacting the records of 500 individuals or more, it posts the breach publicly on what has been termed the “wall of shame,” which is really the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal [10].
HIPAA fines can be significant, and are based on a number of factors:
The number of individuals affected
The type of data involved in the breach
The degree of harm that this data breach may cause (for example, a data breach involving mental health data may cause more harm to individuals than a breach of insurance data)
The length of time the violation persisted
Financial strength of the organization that had the breach
There is also a tiered penalty structure which is based on the degree of negligence and willfulness exhibited by the organization. The following table comes from page 5583 of the Federal Register [11]:
HIPAA fines can be avoided if it can be demonstrated that the data which was lost could not possibly be accessed by others — either because the data was properly encrypted, or because the information was de-identified.
PHI is considered de-identified when either:
All 18 types of identifiers were removed from the document, or
A person who has the appropriate knowledge and experience with generally accepted statistical methods for rendering the information unidentifiable has applied such methods to the document and determined that the risk is very small.
This second option is the “Expert Determination Method” which is defined in this manner on the HHS website [12]:
“A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination”
HIPAA does not define specifically what the qualifications of this expert should be, and it does not define the likelihood of identification other than to say “the risk is very small.” It is important that any organization going down this route choose an expert with experience in the de-identification of data, and that they document clearly how they reached their conclusions. Regulators would look at this during a HIPAA audit.
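The first de-identification option above (the “Safe Harbor” route: strip the 18 identifier types) is mechanical enough to automate, and it is worth seeing what that looks like in practice because PHI hides in free-text clinical notes as well as in structured fields. The following Python example is added here for illustration and is not code from the original article or from Fractional CISO. It assumes a simple dictionary-shaped record with field names of its own choosing, handles a subset of the 18 identifier categories (direct identifier fields, dates reduced to year, ZIP codes reduced to their first three digits), and scans any remaining text for SSN, phone, email, IP address and date patterns. The set of three-digit ZIP prefixes that fall below the 20,000-population threshold is a constructed placeholder; a real implementation must derive it from current Census data.

```python
import re

# Constructed placeholder: three-digit ZIP prefixes whose combined population is
# 20,000 people or fewer. A real list must come from current Census data.
RESTRICTED_ZIP3 = {"036", "059"}

# Fields this example treats as direct identifiers (hypothetical field names
# mapped to a subset of the 18 HIPAA Safe Harbor identifier categories).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Pattern-based scan for identifiers buried in free text.
TEXT_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def generalize_date(value):
    """Safe Harbor permits the year; every other element of a date is removed."""
    match = ISO_DATE.match(value.strip())
    return match.group(1) if match else None


def generalize_zip(value):
    """Keep the first three ZIP digits unless the prefix is below the
    population threshold, in which case Safe Harbor requires '000'."""
    prefix = value.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_text(text):
    """Replace identifier patterns in free text with a category label.
    Returns the scrubbed text and the list of categories that were hit."""
    hits = []
    for label, pattern in TEXT_PATTERNS:
        text, count = pattern.subn(f"[{label}]", text)
        hits.extend([label] * count)
    return text, hits


def deidentify(record):
    """Apply the Safe Harbor transformations to one record.
    Returns (cleaned_record, list_of_identifiers_removed)."""
    cleaned = {}
    removed = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)  # dropped entirely
        elif field.endswith("_date"):
            cleaned[field[: -len("_date")] + "_year"] = generalize_date(value)
            removed.append(field)
        elif field == "zip":
            cleaned["zip3"] = generalize_zip(value)
            removed.append(field)
        elif isinstance(value, str):
            scrubbed, hits = scrub_text(value)
            cleaned[field] = scrubbed
            removed.extend(f"{field}:{label}" for label in hits)
        else:
            cleaned[field] = value
    return cleaned, removed


def is_safe_harbor(record):
    """True when a pass over the record finds nothing left to remove."""
    _, removed = deidentify(record)
    return not removed


# Constructed sample record (fictional patient, fictional contact details).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "birth_date": "1984-07-19",
    "admit_date": "2023-03-02",
    "zip": "02139",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 617-555-0199; follow-up scheduled 2023-03-20. "
             "Contact jane.sample@example.com.",
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_RECORD)
    print("removed:", removed)
    print("cleaned:", cleaned)
    print("safe harbor:", is_safe_harbor(cleaned))
```

The point of the second pass (`is_safe_harbor` on the cleaned output) is that the structured-field rules and the free-text scan are independent: a record can have every identifier column stripped and still leak a phone number in the notes, which is exactly the kind of residue an auditor asks about. The pattern list is deliberately narrow; names, addresses and other identifiers without a fixed shape are the reason the Expert Determination route exists.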
In a future article we will explore HIPAA, PHI, types of data breaches, and regulatory actions in more detail.
Interesting Note: HIPAA probably gets misnamed the most of any regulation out there. Sometimes you see HIPPA and frequently people think the “I” in HIPAA is for “information” when it is actually for “Insurance.”
Variations by Country on PII
Did you know that in the United States Constitution there is no right to privacy? While it covers many rights — freedom of speech, freedom to assemble, freedom of religion, due process of law — privacy is not considered.
The closest US Law comes to a statement on the right to privacy is a dissenting opinion written by Justice Brandeis in 1927 regarding the case of “Olmstead v. United States” [1, 2], a case that involved wiretapping without a warrant. In his opinion, Justice Brandeis refers to “the right to be let alone.” An interesting phrase for privacy!
The University of Michigan has a wonderful “History of Privacy Timeline” here on their website [3]. You can see how interest in privacy has only been increasing over the years.
There are cultural components that account for the variation of privacy laws by country. Europeans have taken a stronger stance on privacy.
“The Privacy Mindset Of The EU Vs. The US” in Forbes magazine[4] noted:
“Unlike the typical mindset in Europe, many Americans choose to believe that their online behavior being tracked happens in their best interests or is a price to pay for getting free or discounted products. Even after Edward Snowden revealed how vastly expanded the government’s ability to spy on its own citizens was after Congress passed the Patriot Act legislation, still only half of Americans said they disagreed with the government’s actions.”
In 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR) in response to broad NSA surveillance and the rampant data collection by US Tech companies. This is one of the most comprehensive privacy regulations yet and it comes with significant teeth. Even US based businesses may have obligations under the GDPR.
Which Regulations Protect Personal Identifiable Information?
In the United States it is a bit complicated since various federal agencies have authority over different areas. Here are some highlights of the key agencies and regulations. We also make reference to Canadian and EU regulations since many US companies do business in these nations.
Additionally, the Federal Trade Commission (FTC) rules on “unfair and deceptive trade practices,” which at times has involved violations of data privacy.
The Federal Communications Commission (FCC) “regulates interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories.”[7] This sometimes includes privacy issues, such as when a communications company uses a third party for marketing purposes without first obtaining customer consent.
State Laws surrounding Personally Identifiable Information
Because federal protections of privacy have failed to keep pace with the challenges from big data, some states have created their own privacy laws. Most notably, California signed the California Consumer Privacy Act (CCPA) in 2018 and then further amended it in 2020 with the California Privacy Rights Act (CPRA). As of this writing, 4 other states have enacted privacy laws and bills are in progress for many more [22]. States with current privacy laws are:
California — CCPA effective Jan 1, 2020; CPRA effective Jan 1, 2023
Virginia — Virginia Consumer Data Protection Act effective Jan 1, 2023
Colorado — Colorado Privacy Act effective July 1, 2023
Connecticut — Connecticut Personal Data Privacy and Online Monitoring Act effective July 1, 2023
Utah — Utah Consumer Privacy Act effective Dec 31, 2023
Key Privacy Concepts
The Association of International Certified Professional Accountants (AICPA) created the “Generally Accepted Privacy Principles” (GAPP) and also an updated version called “Privacy Management Framework” (PMF). You will hear GAPP referenced quite often since its 10 privacy principles are broadly accepted.
The purpose of GAPP and similar frameworks is to provide organizations with a set of goals for a privacy program. Organizations who manage personally identifiable information create privacy programs for a number of reasons:
Regulatory compliance — It’s the law.
Ethical obligations — It’s the right thing to do.
Reputation — Failures to protect privacy may adversely impact the organization’s reputation which ultimately hurts the bottom line.
The 10 Generally Accepted Privacy Principles (GAPP) are:
Management — A documented program, accountability assigned
Notice — Notice of privacy policies is provided to individuals and defines what personal information is collected, how it is used, who it will be disclosed to, and retention.
Choice and Consent — Individuals are given choices about their data and must grant consent before it is collected, used, or shared. Consent can be explicit or implicit (implicit consent, for example, is when signing up for the service also implies your consent to the agreement).
Collection — The organization will only collect the information that they list in their notice.
Use, retention, and disposal — Organization will only use the data for the intentions it noted, it will retain it for a defined period, and will securely dispose of it.
Access — Individuals are provided access to the data that the organization has collected about them.
Disclosure to third parties — The organization only provides information to third parties for the purposes it identified in the notice, and it must have the consent of the individual (whether that be an implicit or explicit consent).
Security for privacy — Organization must protect the data against unauthorized access. This means it also protects against abuse by internal staff who try to access data outside of what is required by their work duties.
Quality — Information must be accurate and complete. It must also be only information that is relevant to the identified purpose for which it was collected.
Monitoring and Enforcement — Organization monitors for compliance to its policies, and provides procedures for individuals to resolve privacy related issues.
These principles are at the core of the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA, which was then amended by the California Privacy Rights Act in 2020).
The EU enacted the GDPR in 2018 [8], and created requirements designed to ensure organizations are managing privacy appropriately. These include such things as:
Appointing a Data Privacy Officer (articles 37-39)
Maintaining an inventory of data (article 30)
Managing data breaches — when a breach of data has been discovered, the authorities and all affected individuals must be notified within 72 hours (article 33)
Performing regular Data Protection Impact Assessments or DPIAs (article 35)
Significant fines, which can be up to €20 million or 4% of the firm’s global revenue (article 83)
Data protection by design and by default — data protection principles must be considered when designing a new product, and the default settings should always be the strongest from a personal privacy perspective (article 25)
The GDPR also defines the rights of individuals (“data subjects”) [8]:
The right to be informed
The right of access
The right to rectification
The right to erasure (aka “the right to be forgotten”)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
Knowledge of the GDPR is important for any privacy or security professional since it is viewed as the gold standard, and others are modeling their privacy regulations after it — or at the very least — incorporating the same privacy principles.
Relationship between Privacy and Security
It’s interesting that there are “Security Professionals” and “Privacy Professionals,” and that often they go to separate conferences, come from different backgrounds, and attain different certifications.
Personally, I prefer to speak about Security and Privacy together, rather than either alone. The two go hand-in-hand. We might say that “security is what keeps private data private!”
When we consider the three pillars of security — confidentiality, integrity, and availability — immediately it stands out to us that privacy is just another word for confidentiality. However, integrity and availability are also important to privacy professionals.
Many regulations are designed to also ensure that the data is:
Accurate
Was obtained with the consent of the individual
Is retained and utilized only for the stated purpose
And that people can see their data and request corrections, as needed
Privacy focuses more attention on the right of individuals to control their information.
Being a privacy professional requires a deep understanding of the applicable regulations, how they are interpreted, and current trends in enforcement actions. Not surprisingly, many privacy professionals have a legal background.
Every organization has data which they desire to remain private — financials, client data, employee data, and more. A strong security program is required to protect the organization from harm to the confidentiality, integrity, and availability of their information. Typically the legal and security teams work to ensure security and privacy is maintained.
To fully understand your organization’s obligations, you must determine which role(s) your organization fills:
Data Controller — An organization which “determines the purposes for which and the means by which personal data is processed.” [30]
Data Processor — “Service providers who collect or process personal information on behalf of data controllers.” [31]
An organization that controls or processes regulated personally identifiable information is the one that needs to create a dedicated privacy program.
Business Risk around Personally Identifiable Information
If your organization experiences a data breach and personally identifiable information is compromised, here are some of the expenses that you may incur:
Legal Costs
Incident Response and Forensics
Notification requirements — it can be costly to determine who was affected and notify all individuals within the required timeframe
Fines from the regulatory body
Civil lawsuits
Criminal charges can be filed in some cases
Reputation: Lost business due to a publicly known data breach
Obligations of Businesses
Each business should do its due diligence. Here are some important steps to get you started, but by no means is this a substitute for seeking professional legal and privacy advice. Every organization has its own unique requirements.
Review the types of personal data they hold
Determine which regulations apply (and learn about the agencies that enforce them)
State
Federal
Other countries where they do business
Work with a lawyer to determine if your current privacy policy is adequate
Is it clear and readable to the average person?
Is the data being utilized for the stated purpose for which it was collected?
Is data being sold to third parties?
Review the security of the private data they manage
Accessible only to authorized staff?
Appropriately secured by administrative and technical controls
Retention policies
Data destruction
Review your incident response procedures
Do they include all of the applicable regulatory requirements?
What are the notification requirements and timeframes?
Who will speak for the organization?
Review your cyber insurance coverage with an expert (preferably a lawyer)
Discuss obligations with any critical third parties
What does the contract state about data breaches?
Consider having the vendor add your business to their cyber insurance policy as an additional insured
And don’t forget that data about your employees is also included.
Some are surprised that the GDPR can apply to US based businesses that do not have a presence in the EU. For example, a hospital that advertises to EU citizens in order to attract them to come to the US for healthcare will come under the GDPR.
On a Personal Note, How Can I Protect My Privacy?
Personal privacy concerns vary by person. Some worry little about whether or not their social media posts can be seen by the world or not. Once your personal information is out there, it’s difficult to remove it. While it may seem low risk, the more information that is out there, the more likely it is that someone will use it for fraudulent purposes.
Someone might use your personal photos and information from your posts to create convincing phishing emails — either for phishing you, or for phishing your friends and family.
I have had a few friends whose social media accounts were taken over, and all of a sudden they are asking me to “check out this charity webpage” or to urgently send them money because they are in trouble.
Big Data and Personally Identifiable Information
Who doesn’t like free? Today there are many free services available on the internet. Google is a leader in this space — providing free maps with GPS directions, free searching, free email, free storage, and more! There is a great saying — “when it’s free, you are the product.” Google is able to provide these free services because they are able to sell targeted advertising which you see online.
Other companies gather data about you — your likes and dislikes, online habits, and more — which they then sell to other companies who can use it to gain insights about consumers, and to market their services and products more effectively. These data brokers gather information from businesses you frequent.
As Bruce Schneier notes in his book “Data and Goliath — The Hidden Battles to Collect Your Data and Control Your World” [28], sometimes it’s okay that we make a choice to trade some of our privacy for a useful service, such as when we use Google Maps. We give Google our location and they help us find the optimal route.
It’s important for us as consumers to understand how our data is used, and what risks those present.
Expect to see a lot more attention paid to this area by the Federal Government. Just recently (March 15, 2023) the Consumer Financial Protection Bureau issued a Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information [29].
Financial Aspects of Privacy
While most people obsess over using their credit card online, this generally is a low risk activity. Even when credit card data is stolen, it’s often easily detected and you are not liable for the fraudulent charges (as long as you do take action when you see the problem).
Of much greater concern are identity theft and the security of your banking information.
When someone steals your sensitive personal information — name, social security number, date of birth — they may open new accounts in your name and work to ensure that you don’t even know about them by changing the address on the accounts. While there are some protections in place, it’s typically more difficult to catch. And when you do find out, it’s a major pain to clean up. Instead, consider a credit freeze! It’s free, quick, and easy.
Using debit cards and direct online payments from your bank account does carry some risk. When someone steals money using your bank routing and account information, getting the funds back can be a much more difficult process. For this reason, consider never using your debit card. Be cautious when doing ACH transactions online.
Lastly, it’s hard to be targeted by criminals when you are invisible online. Michael Bazzell provides some excellent free resources on his IntelTechniques website here [13]. In particular, the data removal workbook [14] has a “most bang for your buck” set of removals that will remove your identity from the majority of online sites. He has also written books on the subject of “Extreme Privacy: What it takes to Disappear.” You might also consider Frank Abagnale Jr’s free website [15] and excellent books [16, 17] as well as J.J. Luna’s book “How to be Invisible.” [18]
In summary, here are some key steps you can take to protect your personal information and yourself:
Think carefully before sharing information
Check your social media settings — there are guides from such reputable sources as CNET and Consumer Reports online, but essentially you should consider:
Setting your profile and posts to be visible by friends only
Limit who can message you
Use a strong password and turn on two factor authentication (2FA)
Review the Advertising settings
Freeze your Credit — Brian Krebs has a great article on this topic here [19]
Sign up for the do not call list [20]
Remove yourself from public sites — Consider using the data removal workbook to remove your address and phone number from such online sites as truepeoplesearch. Make your address and phone number unlisted.
And don’t forget about your children! Identity thieves love to steal the information for children because they can use that credit for years before anyone will notice. Not until the child applies for their own credit will they discover this problem.
Challenges Ahead
There are challenges ahead for businesses, nations, and security and privacy professionals. New technologies introduce new challenges.
Connected cars — increasingly our vehicles collect data about us, and yet most car companies are very immature when it comes to information security and privacy
Machine Learning/Artificial Intelligence — Training machine learning algorithms requires lots and lots of data, and may include personally identifiable information. How will such data be collected, secured, and destroyed after use? After it is trained, will the AI adopt biases and actually perpetuate discrimination?
Big Data — Companies like Cambridge Analytica [21] obtained large amounts of private data and have used that to manipulate public opinion. This has brought increased regulatory focus on social media and other companies who hold large amounts of personal data.
Enforcement — It is still the early days of enforcement of most privacy regulations. It remains to be seen how effective these regulations will be. After all, it’s nice to say you have a “right to be forgotten” but once your personal data is out there, it is out there. It’s not easy to claw it back.
New regulations continue to be enacted or updated. Various US states are working on privacy regulation, and there is a new focus on privacy by the federal government. Agencies may also choose to enforce privacy regulations more strongly as public pressures increase.
A strong understanding of privacy, security, and regulations is absolutely essential in today’s business environment. Everyone has some kind of private data they manage — whether it is about their clients or their employees — and the risks are only increasing.
In the end, we helped our client — mentioned in the beginning — to accurately portray to their cyber insurance company that they do hold personally identifiable information (PII) as defined under the applicable regulation. This was a significant point — if they had not revealed this to their cyber insurance company, and there had been an incident, then the cyber insurance would not have covered the event. Being clear and accurate is vital when responding to cyber insurance questionnaires.
As you can see, privacy and security are complicated — consider consulting with a Security and Privacy professional today!
References
[1] IAPP CIPP/US — Certified Information Privacy Professional — Study Guide, pp. 2, 3
[2] Olmstead v. United States (1927) – Bill of Rights Institute
[3] History of Privacy Timeline (University of Michigan)
[4] Forbes: The Privacy Mindset Of The EU Vs. The US
[5] Personal Information – Glossary | CSRC (NIST)
[6] IAPP CIPP/US — Certified Information Privacy Professional — Study Guide, p. 4
[7] About the FCC | Federal Communications Commission
[8] What is GDPR, the EU’s new data protection law?
[9] HIPAA ‘Protected Health Information’: What Does PHI Include?
[10] U.S. Department of Health and Human Services Office for Civil Rights Breach Portal
[11] Department of Health and Human Services, Federal Register – page 5583 shows the categories of violations and associated penalties.
[12] Methods for De-identification of PHI | HHS.gov
[13] IntelTechniques Online Resources
[14] Privacy Services by Michael Bazzell — includes a free Data Removal Guide
[15] Frank Abagnale, Jr.’s official website (author and subject of “Catch Me If You Can”) — free publications and a fraud bulletin are available.
[16] “Stealing Your Life — The Ultimate Identity Theft Prevention Plan” by Frank Abagnale
[17] “The Art of the Steal — How to Protect Yourself and Your Business from Fraud, America’s #1 Crime” by Frank Abagnale
[18] “How to Be Invisible — Protect Your Home, Your Children, Your Assets, and Your Life” by J.J. Luna
[19] Credit Freezes are Free: Let the Ice Age Begin – Krebs on Security
[20] DoNotCall.gov
[21] Cambridge Analytica and Facebook: The Scandal and the Fallout So Far – The New York Times
[22] US State Privacy Legislation Tracker
[23] Who we are | European Data Protection Board
[24] What are Data Protection Authorities (DPAs)? | European Data Protection Board
[25] GDPR Enforcement Tracker — provided by international law firm CMS
[26] Provincial laws that may apply instead of PIPEDA – Office of the Privacy Commissioner of Canada
[27] Privacy in the Age of AI: Risks, Challenges and Solutions
[28] “Data and Goliath — The Hidden Battles to Collect Your Data and Control Your World” by Bruce Schneier
[29] Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information | CFPB
[30] What is a data controller or a data processor? | EU Commission
[31] IAPP CIPP/US — Certified Information Privacy Professional — Study Guide, p. 18