![Page 1: PII AWARENESS TRAINING DON’T BE TOMORROW’S HEADLINES… JASON DUPUY, DIRECTOR OF IT, MAINEHOUSING](https://reader035.vdocuments.site/reader035/viewer/2022062401/5a4d1b167f8b9ab059991ad7/html5/thumbnails/1.jpg)
PII AWARENESS TRAINING
DON’T BE TOMORROW’S HEADLINES…
JASON DUPUY, DIRECTOR OF IT, MAINEHOUSING
AGENDA
• What does PII actually mean?
• Current issues where PII is threatened
• Guidelines: federal and state
• How can we comply? Strategies and practices
• How can PII leak out?
• Some pragmatic defenses
PRIVACY, IN GENERAL
• Privacy and data privacy are becoming topics du jour
• The word “privacy” does not appear in either the US Constitution or the Bill of Rights
So, what is “privacy”, especially in the electronic era?
MULTIPLE NAMES AND ACRONYMS
• PII – Personally Identifiable Information
• NPPI – Non-Public Personal Information
• NPPFI – Non-Public Personal Financial Information
• IIF – Information in Identifiable Form
• PHI – Protected Health Information (HIPAA)
• IIHI – Individually Identifiable Health Information
WHAT IS CERTAIN…
Whenever the acronym PII crops up, particularly in the media, the connotation is bad.
WHY?
PII LOSS
It usually occurs in connection with one of the following:
• Breach of security
  • Most data breaches were due to malicious or criminal attacks
• Loss or unauthorized disclosure
• Theft
• Postal
COST OF DATA BREACHES
• …rose by 10% from 2013 to 2014
• US $201 per RECORD
• Average total cost in 2014: $5.8 million
• Costs included:
  • Notification
  • Credit monitoring services
  • Engaging forensic experts
  • Audit services
  • Lost business
WHAT IS PERSONALLY IDENTIFIABLE INFORMATION?
IN GENERAL
Information (electronic or other) that can be used…
• To uniquely identify, contact or locate a single person
• Or which can be used with other sources to uniquely identify a single individual
Official sources
• US Office of Management and Budget (OMB) – government agencies
• US National Institute of Standards and Technology (NIST) – IT source
• Maine State Attorney General – state government
OMB EXAMPLES OF PII
• Full name
• Birth date
• Birthplace
• National ID numbers: SSN, passport, taxpayer ID, driver’s license
• Mother’s maiden name
• Sex or race
• Credit card numbers
• IP addresses
• Vehicle registration numbers
• Digital identity
• Biometrics
• Genetic information
NIST EXAMPLES OF PII
• Name: full name, maiden name, mother’s maiden name or alias
• Personal ID numbers: SSN, passport, driver’s license, taxpayer ID, patient ID, credit or debit card numbers
• Address information: street or email address
• Asset information: IP or MAC address
• Telephone numbers: mobile, business and personal numbers
• Personal characteristics: photographic image, X-rays, fingerprints or other biometrics
• Personally owned property: vehicle registration or title number
> “PII is any information about an individual that can be used to distinguish or trace an individual’s identity. PII is also any other information that is linked (or linkable) to an individual, such as medical or financial information.”

Source: MaineHousing Authority definition of PII, MaineHousing Acceptable Use Policy, June 2011
MAINEHOUSING EXAMPLES OF PII
• Any information provided by applicants or participants in MaineHousing programs (includes information provided by third parties working on behalf of an applicant/participant)
• Personal identification numbers, such as social security number (SSN), passport number, driver’s license number
• Financial account or credit card information, including account numbers, card numbers, expiration dates, cardholder name or service codes
MAINEHOUSING EXAMPLES OF PII (CONTINUED)
• Healthcare / medical information disclosed to MaineHousing
• Names and addresses of clients participating in MaineHousing programs or on waiting lists
• The address of a shelter or other living accommodations for victims of domestic violence
• THE FORMAT DOES NOT MATTER (electronic or paper)
CONFUSED YET?
FUN TIME – BREACH EXAMPLES!
MIT LEAKS PII
• Personal records, including the SSN, of approximately 800 members of the MIT community were emailed to an MIT mailing list – 150 people received this list!
• SSNs of 11K MIT employees were posted in a publicly accessible file
  • Six months before system administrators became aware of the problem!
UNIVERSITY OF MARYLAND
• 300K personal records for faculty, staff and students were compromised
• Information breached included names, SSN, DOB and university identification numbers
• Millions of $$$ in credit protection service for 5 years
*One of the only universities in the US offering a PhD in… Information/Network Security!
TARGET
• Had installed network monitoring software
• Alerted admins to suspicious activity after hackers infiltrated
• Due to “workload” the warnings were ignored
• 40M credit card numbers, 70M addresses and phone numbers
• Cost 60 million in Q1 alone
• CEO and CIO were fired
HOME DEPOT
• Identified the same attack vector as Target
• Commissioned a project to “batten down the hatches”
• Took 6 months to find, select, test and deploy the system
• Hackers were in and out…
• 56M debit and credit cards
• 53M email addresses
• Cost 60M (excluding ongoing lawsuits)
JP MORGAN
• One of the world’s largest banks: 96B in revenues (2013)
• Cyber attack compromised 76M households and 7M business accounts
• Names, addresses, phone numbers, email addresses
• Internal JP Morgan information about users
• Hackers gained “the highest level of admin privilege” on more than 90 of the bank’s servers
HOW PRIVATE IS PII?

| Attribute combination | Uniqueness |
| --- | --- |
| DOB and 9-digit ZIP | 97% |
| DOB and 5-digit ZIP | 69% |
| DOB, sex and place (city, town, municipality) | 53% |

1. An MIT study showed that 69% of the individuals on a voting list were identifiable using only the 5-digit ZIP code and DOB, while 97% were identifiable using the 9-digit ZIP code and DOB.
2. This information could be linked with medical data to attribute medical diagnoses, procedures and medications to an individual.
MIT STUDY
De-identified medical insurance list
• 135K State of Massachusetts employees
• Included Governor Weld (who lived in Cambridge, MA)
• Medical data linked with the voter registration list
• Only 6 people in Cambridge with his DOB
• Only 3 were men
• Only one had his 5-digit ZIP!!
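The uniqueness table and the Governor Weld linkage above are the same measurement: how many people share each combination of DOB, sex and ZIP in a "de-identified" list. The following added example (not from the slides or MaineHousing) computes that k-anonymity figure over a small constructed dataset so a data owner can check a release before it goes out; the records and the `release_report` helper are assumptions for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed "de-identified" records: name and SSN removed, but the
# quasi-identifiers the MIT study used (DOB, sex, 5-digit ZIP) remain.
RECORDS = [
    {"dob": "1945-07-31", "sex": "M", "zip5": "02138", "diagnosis": "hypertension"},
    {"dob": "1945-07-31", "sex": "F", "zip5": "02139", "diagnosis": "asthma"},
    {"dob": "1945-07-31", "sex": "M", "zip5": "02139", "diagnosis": "diabetes"},
    {"dob": "1945-07-31", "sex": "F", "zip5": "02139", "diagnosis": "migraine"},
    {"dob": "1960-01-15", "sex": "F", "zip5": "02139", "diagnosis": "asthma"},
    {"dob": "1960-01-15", "sex": "F", "zip5": "02139", "diagnosis": "flu"},
]

QUASI = ("dob", "sex", "zip5")


def group_sizes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Smallest group size: k == 1 means at least one person is unique on these attributes."""
    return min(group_sizes(records, attrs).values())


def unique_fraction(records, attrs):
    """Share of records matching nobody else (the 'uniqueness' column in the table)."""
    sizes = group_sizes(records, attrs)
    unique = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return unique / len(records)


def release_report(records, attrs=QUASI, k_required=2):
    """Uniqueness for every attribute subset, and whether the release meets k_required.

    A record with k == 1 on (dob, sex, zip5) is the Governor Weld case: one
    voter-list match gives away the diagnosis. Generalize (e.g. ZIP to 3 digits,
    DOB to year) until every group has at least k_required members.
    """
    report = {}
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            report[subset] = {"k": k_anonymity(records, subset),
                              "unique": round(unique_fraction(records, subset), 2)}
    return {"by_subset": report, "safe_to_release": report[attrs]["k"] >= k_required}


if __name__ == "__main__":
    for subset, stats in release_report(RECORDS)["by_subset"].items():
        print(subset, stats)
```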
MOBILE PHONE
• In 2010, computer scientists studied more than 2 dozen smartphone apps
• Half of these apps transmit the SIM card ID, the IMEI number and the geolocation coordinates in real time back to the remote servers of the app vendor
• Duke built an app that can track this behavior
WEBCAM ABUSE
Welcome to being watched!!
Hackers can remotely turn on cameras and capture activity
• Cyprus – man arrested for taking illicit pictures of teenagers
• Spain – man stole thousands of banking passwords, worldwide
• Robbins vs. Lower Merion School District – class action lawsuit involving 2 high school students using school-provided laptops to spy on others, both during school and at home; settled for $160K
QUESTION
Would the following be classified as PII, and why?
An organization publishes a phone directory of employees’ names and work phone numbers on the web, so members of the public can contact them.
Answer: No
Reason: the organization has authority to release that information publicly
ARE YOU SCARED?
> “Once more unto the breach, dear friends”

Henry V, Act III
RECENT GOVERNMENT LOSSES
• Farm Services Agency: inadvertently releases CDs containing SSNs and tax IDs of US tobacco producers
• US Marine Corps: loses a thumb drive with names, SSNs and other PII for Marines on active duty, 2001-2005
• HHS: contractor loses a laptop with names, phone numbers, medical records and DOBs – 49K Medicare beneficiaries
• VA: computer stolen from an employee’s home, exposing 26.5M active duty records
RECENT PRIVATE ENTERPRISE LOSSES
• Sony: 100M accounts lost, including credit and debit card data
• Heartland Payment Systems: 130M credit cards stolen
• Epsilon: world’s largest email marketing service provider is hacked, losing PII from hundreds of corporate customers:
  • TiVo, JP Morgan, Ritz-Carlton, Marriott, Walgreens, LL Bean!
AND ON, AND ON…
SAFEGUARDS – PROTECTING PII
• Physical safeguards
• Technical safeguards
• Administrative safeguards
PHYSICAL SAFEGUARDS
• Paper records should be stored in locked file cabinets
• Areas where PII is referenced should be monitored and access limited
• Never leave files, storage media or computers unattended, or in vehicles
• Records should be disposed of properly
TECHNICAL SAFEGUARDS
ENCRYPTION!!!!
• Ensure ALL emails containing PII are encrypted
• Ensure PII records are access controlled – need to know only
• Ensure SSNs, including the last 4 digits, are not posted on public-facing websites
• Install Data Leak Prevention software and tools
ADMINISTRATIVE SAFEGUARDS
• Create policies concerning the handling of PII
• Require annual security awareness training with an emphasis on PII
• Follow applicable federal and state compliance rules and guidance
• Perform a Privacy Impact Assessment
• Review reports, scripts and spreadsheets to determine if PII is required
MAINEHOUSING’S SAFEGUARDS
• Physical files are locked every night
• Access to interior building areas controlled
• All physical media destroyed/shredded on-site
• Outgoing emails scanned for unencrypted PII – BLOCKED
• All portable hardware is encrypted
• Data Leak Prevention system blocks USB drives and CD-ROM access
• Limited “cloud” access
• Privacy policy in place
• Annual security awareness training mandatory for all employees
• Review of access controls in all applications
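The "Install Data Leak Prevention software" item under technical safeguards and the "outgoing emails scanned for unencrypted PII – BLOCKED" control above both come down to one check at the mail gateway. The following is an added illustration, not MaineHousing's DLP product or rules: it flags SSN-shaped values and Luhn-valid card numbers in an outgoing message, allows encrypted mail through, and logs only masked values so the scanner's own log does not become a PII store. The patterns, sample messages and the `encrypted` flag are assumptions.

```python
import re

# Assumed patterns: an SSN is 3-2-4 digits with dashes (areas 000, 666 and 9xx
# are never issued); a card number is 13-19 digits, optionally separated.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by card brands; rejects most random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits for the DLP log entry."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> dict:
    """Return masked SSNs and Luhn-valid card numbers found in free text."""
    ssns = [mask(m.group(0)) for m in SSN_RE.finditer(text)]
    cards = [mask(m.group(0)) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]
    return {"ssn": ssns, "card": cards}


def outgoing_mail_decision(message: dict) -> str:
    """'allow' if the mail is encrypted or clean, 'block' if PII travels in the clear."""
    if message.get("encrypted"):
        return "allow"
    hits = find_pii(message["subject"] + "\n" + message["body"])
    return "block" if hits["ssn"] or hits["card"] else "allow"


# Constructed sample messages; every number in them is made up.
MESSAGES = [
    {"subject": "Application follow-up", "encrypted": False,
     "body": "Please confirm the SSN on file is 123-45-6789 and call 207-555-0123."},
    {"subject": "Payment", "encrypted": False,
     "body": "Card 4111 1111 1111 1111 was charged; tracking 1234 5678 9012 3456."},
    {"subject": "Payment", "encrypted": True, "body": "Card 4111 1111 1111 1111 was charged."},
    {"subject": "Lunch", "encrypted": False, "body": "Meet at noon?"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(outgoing_mail_decision(m), find_pii(m["subject"] + "\n" + m["body"]))
```

The phone number and the Luhn-invalid tracking number in the samples pass through, which is the false-positive trade-off any such filter has to tune.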
WEAKEST LINK
Do not be the weakest link…
• Maintain awareness…
• Think twice about sending that PII
• Ask for help!
QUESTIONS?