Personally Identifiable Information (PII): Breaches

WHAT IS A BREACH?

For the purpose of safeguarding against and responding to the breach of personally identifiable information (PII), the term “breach” is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or for other than an authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

HOW DO YOU KNOW IF A BREACH HAS OCCURRED?

A breach/compromise incident occurs when it is suspected or confirmed that PII data in electronic or physical form is lost, stolen, improperly disclosed, or otherwise available to individuals without a duty-related official need to know.

WHAT ARE SOME EXAMPLES OF PII BREACHES?

Breaches often occur when PII or Personal Health Information (PHI) is mishandled. Examples of these types of breaches may include, but are not limited to:

  • Posting PII on public websites
  • Sending PII via email to unauthorized recipients
  • Transmitting unsecured emails and unencrypted files containing PII
  • Providing hard copies containing PII to individuals without a need to know
  • Failing to properly secure documents containing PII when mailing or transporting
  • Misdirected fax documents containing PII that reach anyone other than the intended recipient
  • Lost or stolen electronic devices or media storing PII (e.g., laptop, BlackBerry®, CD, or flash-based storage media)
  • Successful network intrusions
  • Unauthorized access to computer systems
  • Inappropriate disposal of documents containing PII
  • PII use by employees for unofficial business
  • Unauthorized access to credit card information
  • Loss of, or unauthorized access to, PII (including a temporary loss of control)
  • Anytime persons gain access to PII without an official need-to-know on intra-agency websites and through bulletin boards in common areas
  • All other unauthorized access to PII

WHAT SHOULD YOU DO WHEN THERE IS AN ACTUAL OR SUSPECTED BREACH/COMPROMISE OF PII?

See Report a PII Incident