Identifying and Safeguarding PII Flashcards

Questions and Answers

An organization that fails to protect PII can face consequences including:

  • All of the Above (correct)
  • No consequences
  • Increased funding
  • Enhanced security measures

Information that can be combined with other information to link solely to an individual is considered PII.

True (A)

Which of the following is NOT a permitted disclosure of PII contained in a system of records?

Disclosure for a new purpose that is not encompassed by the SORN

What guidance identifies federal information security controls?

OMB Memorandum M-17-12

Which of the following must Privacy Impact Assessments (PIAs) do?

All of the Above (D)

What regulation governs the DoD Privacy Program?

DoD 5400.11-R: DoD Privacy Program

What law establishes the federal government's legal responsibility for safeguarding PII?

Privacy Act of 1974

What law establishes the public's right to access federal government information?

FOIA

No disclosure of a record in a system of records unless:

The individual to whom the record pertains submits a written request or has given prior written consent

Your coworker sent you an encrypted set of records containing PII from her personal e-mail account. Is this compliant with PII safeguarding procedures?

False (B)

If you discover a data breach, you should immediately notify the proper authority and also:

Document where and when the potential breach was found: record the URL for PII on the web

Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?

Both civil and criminal penalties

Which of the following is NOT an example of an administrative safeguard that organizations use to protect PII?

List all potential future uses of PII in the System of Records Notice (SORN)

Phishing is not often responsible for PII data breaches.

False (B)

Flashcards

PII definition

Personally Identifiable Information (PII) is any data that can identify a specific person when combined with other information.

PII consequences of poor handling

Neglecting PII protection leads to potential fines and legal action.

New PII use and SORN

Using PII for a new purpose that is not listed in the System of Records Notice (SORN) is not a permitted disclosure.

Federal PII security guidance

OMB Memorandum M-17-12 outlines federal information security controls for PII.

Privacy Impact Assessment (PIA) role

PIAs evaluate privacy risks associated with PII.

DoD PII regulation

DoD 5400.11-R governs PII handling within the Department of Defense.

Federal PII law

The Privacy Act of 1974 establishes the federal legal framework for safeguarding PII.

FOIA purpose

Freedom of Information Act (FOIA) assures public access to federal government information.

PII Disclosure Requirements

PII disclosure requires a written request from the individual, their prior written consent, or adherence to a 'routine use' defined in the SORN.

Telework PII transmission

Sending PII from a personal email account (even encrypted) is non-compliant during telework.

Data breach response

Document and immediately report data breaches, including location of the breach.

Unauthorized PII disclosure penalties

Disclosing PII without a legitimate need-to-know can lead to civil and criminal penalties.

Future PII use and administrative safeguards

Listing all potential future PII uses in a SORN is not considered an administrative safeguard; administrative safeguards focus on security and access management.

Phishing threat

Phishing is a major threat to PII, causing data breaches through fraudulent tactics.

Study Notes

Use and Disclosure of PII

  • Organizations that neglect to safeguard Personally Identifiable Information (PII) can face serious consequences, including fines and legal action.
  • PII includes any information that can be linked to a specific individual when combined with other data, supporting the need for robust protection measures.
  • A new purpose that is not covered by the System of Records Notice (SORN) does not permit the disclosure of PII.
  • The Office of Management and Budget (OMB) Memorandum M-17-12 sets forth federal information security control guidelines.
  • Privacy Impact Assessments (PIAs) should fulfill multiple essential functions, encompassing comprehensive evaluations of privacy risks related to PII.
  • The DoD Privacy Program is governed by DoD 5400.11-R, regulating the handling of PII within the Department of Defense.
  • The legal framework for safeguarding PII at the federal level is established by the Privacy Act of 1974.
  • The Freedom of Information Act (FOIA) guarantees public access to federal government information, fostering transparency.
  • Disclosures of records in systems of records necessitate either a written request from the individual concerned, their prior written consent, or adherence to "routine use" definitions outlined in the SORN.

Safeguarding PII

  • Sending PII from a personal email account, even if encrypted, is non-compliant with established safeguarding procedures during telework scenarios.
  • Upon discovering a data breach, it is crucial to promptly inform the proper authorities and document the breach's specifics, including the URL where the PII was found.
  • Officials or employees disclosing PII without a legitimate need-to-know may face both civil and criminal penalties, highlighting the seriousness of PII handling.
  • Identifying all potential future uses of PII in a SORN is not classified as an administrative safeguard; administrative safeguards focus on security and access management.
  • Phishing is a significant threat and frequently leads to data breaches involving PII; therefore, it is crucial to remain vigilant against such tactics.
