Personally Identifiable Information (PII) Breaches: Risk Determination
When PII is lost, stolen, or compromised, the potential exists that the information has been used or may be used for unlawful purposes such as identity theft or fraud. The personal impact on the affected individual(s) may be severe if the PII is misused. Army activities responsible for safeguarding the PII at the time of the incident may therefore be required to notify affected individuals when there is a PII breach.
To determine whether a breach notification is required, a risk assessment must be performed to assess the likely risk of harm caused by the incident and to determine the potential level of impact. The likely risk of harm and the potential level of impact will determine when, why, how, and to whom notification should be given.
Incidents must be assessed on a case-by-case basis as the type of harm and potential level of impact is unique to each case.
There are five factors that should be considered when assessing the likely risk of harm.
1. Nature of the data elements breached
Examples of data elements include: Social Security Number (SSN), biometric record, financial account number, Personal Identification Number (PIN) or security code for financial account, health data, birth date, government-issued identification number (driver's license, etc.), name, address, and telephone number.
The sensitivity of the data element is contextual. A data element in one context may be less sensitive than in another context. For example, theft of a database containing individuals’ names in conjunction with SSNs, and/or dates of birth may pose a high level of risk of harm, while a theft of a database containing only the names of individuals may pose a lower risk, depending on its context.
2. Likelihood the information is accessible and usable
Depending upon the physical, technological, and procedural safeguards employed by the agency, the fact that the information has been lost or stolen does not necessarily mean it has been or can be accessed by unauthorized individuals. If the information is properly protected by encryption, for example, the risk of compromise may be low. In this context, proper protection means encryption that has been validated by the National Institute of Standards and Technology (NIST).
Activities will first need to assess whether the breach involving personally identifiable information is at a low, moderate, or high risk of being used by unauthorized persons to cause harm to an individual or group of individuals. The assessment should be guided by NIST security standards and guidance.
For example, a breach may involve Social Security Numbers (SSNs); however, the SSNs may be stored on a Common Access Card enabled and encrypted laptop, making it very unlikely that the information is accessible, usable, or will lead to harm. Data elements such as the SSN typically rate as high; however, after evaluating and considering all relevant risks, the likelihood of harm resulting from the breach is considered to be of low impact given the technical safeguards in place.
Other considerations may include the likelihood any unauthorized individual will know the value of the information and either use or sell the information to others.
3. The number of individuals affected
The magnitude of the number of affected individuals may dictate the method(s) chosen when providing notification, but should not be the determining factor for whether notification should be provided.
4. Likelihood the breach may lead to harm, such as identity theft
- Broad Reach of Potential Harm. Army activities should consider a number of possible harms associated with the loss or compromise of information. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.
- Likelihood Harm Will Occur. The likelihood a breach may result in harm will depend on the manner of the actual or suspected breach and the type(s) of data involved in the incident. Social Security Numbers, account information, date of birth, passwords, and mother’s maiden name can be used to commit identity theft. If the information involved, however, is a name and address or other personally identifying information, the loss may also pose a significant risk of harm if, for example, it appears on a list of recipient patients at a clinic for treatment of a contagious disease.
In considering whether the loss of information could result in identity theft or fraud, agencies should consult guidance from the Identity Theft Task Force.
5. Ability of the Army activity to mitigate the risk of harm
Within an information system, the risk of harm will depend on how the activity is able to mitigate further compromise of the system(s) affected by a breach. In addition to containing the breach, appropriate countermeasures, such as monitoring system(s) for misuse of the personal information and patterns of suspicious behavior, should be taken. For example, if the information relates to disability beneficiaries, monitoring a beneficiary database for requests for change of address may signal fraudulent activity.
Such mitigation may not prevent the use of the personal information for identity theft, but it can limit the associated harm. Some harm may be more difficult to mitigate than others, particularly where the potential injury is more individualized and may be difficult to determine.
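The monitoring countermeasure described under factor 5 (watching a beneficiary database for change-of-address requests that may signal fraud) can be expressed as simple detection logic. The following is an added illustration, not part of the original document or any Army system: it runs over a constructed change-of-address request log, assumes a known breach date and a known set of affected beneficiary IDs, and flags post-breach requests on affected accounts as well as several affected accounts being redirected to one shared new address (both heuristics are assumptions chosen for this example).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample inputs for this example (not real breach data).
BREACH_DATE = date(2024, 3, 1)
AFFECTED_BENEFICIARIES = {"B-1001", "B-1002", "B-1003"}

# Constructed change-of-address request log:
# (timestamp, beneficiary_id, new_address, request_channel)
CHANGE_REQUESTS = [
    ("2024-02-20T10:15:00", "B-1001", "12 Elm St, Springfield", "in_person"),
    ("2024-03-04T09:02:00", "B-1002", "PO Box 9001, Metro City", "web"),
    ("2024-03-05T14:40:00", "B-1003", "PO Box 9001, Metro City", "phone"),
    ("2024-03-06T11:00:00", "B-2001", "7 Oak Ave, Riverton", "web"),
    ("2024-03-07T08:30:00", "B-1001", "PO Box 9001, Metro City", "web"),
]


@dataclass(frozen=True)
class Alert:
    beneficiary_id: str
    reason: str
    timestamp: str


def flag_change_of_address(requests, affected, breach_date, shared_address_threshold=2):
    """Return alerts for change-of-address requests that warrant analyst review.

    Two heuristics (assumptions for this example, not a rule set from the document):
    1. Any request on an affected account submitted on or after the breach date.
    2. Two or more affected accounts redirected to the same new address after the
       breach date, which suggests coordinated redirection of mail or payments.
    """
    alerts = []
    post_breach_by_address = defaultdict(list)

    for timestamp, beneficiary_id, new_address, channel in requests:
        request_day = datetime.fromisoformat(timestamp).date()
        # Pre-breach requests and unaffected accounts are outside the monitoring scope.
        if beneficiary_id not in affected or request_day < breach_date:
            continue
        alerts.append(Alert(beneficiary_id,
                            f"post-breach change of address via {channel}",
                            timestamp))
        post_breach_by_address[new_address].append((timestamp, beneficiary_id))

    for new_address, entries in post_breach_by_address.items():
        distinct_ids = {beneficiary_id for _, beneficiary_id in entries}
        if len(distinct_ids) >= shared_address_threshold:
            for timestamp, beneficiary_id in entries:
                alerts.append(Alert(beneficiary_id,
                                    f"shared destination address with "
                                    f"{len(distinct_ids) - 1} other affected account(s)",
                                    timestamp))
    return alerts


def review_queue(requests, affected, breach_date):
    """Group alert reasons per beneficiary so an analyst sees one entry per account."""
    queue = defaultdict(list)
    for alert in flag_change_of_address(requests, affected, breach_date):
        queue[alert.beneficiary_id].append(alert.reason)
    return dict(queue)


if __name__ == "__main__":
    for beneficiary_id, reasons in review_queue(CHANGE_REQUESTS,
                                                AFFECTED_BENEFICIARIES,
                                                BREACH_DATE).items():
        print(beneficiary_id)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log, the pre-breach request for B-1001 and the request from the unaffected account B-2001 are ignored, while the three affected accounts are queued both for their post-breach requests and because all three were redirected to the same PO box. The thresholds and the scope (affected accounts only) are tuning choices; a real deployment would also want the alerts written to the activity's incident tracking rather than printed.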
The factors should be weighed collectively and carefully to determine the severity of actual or potential harm. Based on the assessment, the potential impact level will be low, moderate, or high.
Potential Level of Impact on Organizations and Individuals
After evaluating each of these factors, activities should reassess the level of impact already assigned to the information using impact levels defined by National Institute of Standards and Technology (NIST). FIPS Publication 199 and NIST Special Publication 800-122 define three levels of potential impact on organizations or individuals.
1. The potential impact is LOW if –
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:
- Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
- Result in minor damage to organizational assets
- Result in minor financial loss, or
- Result in minor harm to individuals
2. The potential impact is MODERATE if –
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:
- Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
- Result in significant damage to organizational assets
- Result in significant financial loss, or
- Result in significant harm to individuals that does not involve loss of life or serious life threatening injuries
Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
3. The potential impact is HIGH if –
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:
- Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
- Result in major damage to organizational assets
- Result in major financial loss, or
- Result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries
Upon assessing the likely risk of harm and the potential level of impact, Activities will determine whether notifying affected individuals is required.
See Notifications