The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where individuals gain access or potential access to personally identifiable information, whether physical or electronic for an unauthorized purpose.

Back to the Top

Credit Protection Services

Services to assist an individual with recovering and rehabilitating his or her credit after experiencing identity theft.

Back to the Top

Cyber Security Incident

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices (National Institute of Standards and Technology Special Publication 800-61). In general, types of activity that are commonly recognized as being in violation of a typical security policy include, but are not limited to, attempts (either failed or successful) to gain unauthorized access to a system or its data, including PII-related incidents, unwanted disruption or denial of service, the unauthorized use of a system for processing or storing data and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

Back to the Top


The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge.

Back to the Top

For Official Use Only (FOUO)

FOUO is a DoD dissemination control applied to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm.

Back to the Top


Any adverse effects that would be experienced by an individual or organization (e.g., that may be socially, physically, or financially damaging) or undermines the integrity of a system or program whose information was breached. This includes any adverse effects experienced by the organization that maintains the information.

Back to the Top


An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (44 U.S.C. section 3552).

Back to the Top

Identity Theft

The act of obtaining or using an individual’s identifying information without authorization in an attempt to commit or facilitate the commission of fraud or other crimes. The resulting crimes usually occur in one of the following ways. Identity thieves may attempt to:

  • Gain unauthorized access to existing bank, investment, or credit accounts using information associated with the person
  • Withdraw or borrow money from existing accounts or charge purchases to the accounts
  • Open new accounts with a person’s identifiable information without that person’s knowledge
  • Obtain driver’s licenses, social security cards, passports, or other identification documents using the stolen identity
Back to the Top

Lost, Stolen, or Compromised Information

Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purposes where one or more individuals will be adversely affected. Such incidents also are known as breaches.

Back to the Top

Personally Identifiable Information (PII)

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information).

Back to the Top


Phishing is an attempt to acquire information such as usernames, passwords, credit card details, bank account information, and Social Security Numbers through electronic communication by claiming to be a trustworthy organization or company.

These communications are designed to trick a user into believing that he or she should provide a password, account number or other information. The user than typically provides that information to a website controlled by the attacker. Do not reply to email, text, or pop-up messages that ask for your personal or financial information or click on links within them.

Spear phishing” is a phishing attack that is tailored to the individual user, such as when an email appears to be from the user’s boss, instructing the user to provide information.

Back to the Top

Protected Health Information (PHI)

Individually identifiable health information that relates to the individual’s past, present, or future physical or mental health, the provision of health care, or the payment for health services, and that identifies the individual or it is reasonable to believe the information can be used to identify the individual. PHI is a subset of PII.

Back to the Top


The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals given the potential impact of a threat and the likelihood of that threat occurring.

Back to the Top

Risk Assessment

An analysis considering information sensitivity, vulnerabilities, cost and the potential level of impact assessed in determining whether a breach notification is required.

Back to the Top