Personally Identifiable Information (PII) Breaches: Risk Determination

Examples of data elements include: Social Security Number (SSN), biometric record, financial account number, Personal Identification Number (PIN) or security code for financial account, health data, birth date, government-issued identification number (driver's license, etc.), name, address, and telephone number.

The sensitivity of the data element is contextual. A data element in one context may be less sensitive than in another context. For example, theft of a database containing individuals’ names in conjunction with SSNs, and/or dates of birth may pose a high level of risk of harm, while a theft of a database containing only the names of individuals may pose a lower risk, depending on its context.

Depending upon a number of physical, technological, and procedural safeguards employed by the agency, the fact the information has been lost or stolen does not necessarily mean it has been or can be accessed by unauthorized individuals. If the information is properly protected by encryption, for example, the risk of compromise may be low. In this context, proper protection means encryption has been validated by National Institute of Standards & Technology (NIST).

Activities will first need to assess whether the breach involving personally identifiable information is at a low, moderate, or high risk of being used by unauthorized persons to cause harm to an individual or group of individuals. The assessment should be guided by NIST security standards and guidance.

For example, a breach may involve Social Security Numbers (SSNs); however, the SSNs may be stored on a Common Access Card enabled and encrypted laptop making it very unlikely the information is accessible, usable, or will lead to harm. Data elements, such as the SSN typically rate as high, however, after evaluating and considering all relevant risks the likelihood of harm resulting from the breach is considered to be of low impact given the technical safeguards in place.

Other considerations may include the likelihood any unauthorized individual will know the value of the information and either use or sell the information to others.

The magnitude of the number of affected individuals may dictate the method(s) chosen when providing notification, but should not be the determining factor for whether notification should be provided.

1. Broad Reach of Potential Harm. Army activities should consider a number of possible harms associated with the loss or compromise of information. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.

2. Likelihood Harm Will Occur. The likelihood a breach may result in harm will depend on the manner of the actual or suspected breach and the type(s) of data involved in the incident. Social Security Numbers, account information, date of birth, passwords, and mother’s maiden name can be used to commit identity theft. If the information involved, however, is a name and address or other personally identifying information, the loss may also pose a significant risk of harm if, for example, it appears on a list of recipient patients at a clinic for treatment of a contagious disease.

In considering whether the loss of information could result in identity theft or fraud, agencies should consult guidance from the Identity Theft Task Force.

Within an information system, the risk of harm will depend on how the activity is able to mitigate further compromise of the system(s) affected by a breach. In addition to containing the breach, appropriate countermeasures, such as monitoring system(s) for misuse of the personal information and patterns of suspicious behavior, should be taken. For example, if the information relates to disability beneficiaries, monitoring a beneficiary database for requests for change of address may signal fraudulent activity.

Such mitigation may not prevent the use of the personal information for identity theft, but it can limit the associated harm. Some harm may be more difficult to mitigate than others, particularly where the potential injury is more individualized and may be difficult to determine.

The factors should be weighed collectively and carefully to determine the severity of actual or potential harm. Based on the assessment, the potential impact level will be low, moderate, or high.