Identifying and Safeguarding PII V4.0 Flashcards

Questions and Answers

Which of the following must Privacy Impact Assessments (PIAs) do? (Select all that apply)

• Analyze how an organization handles information to ensure it satisfies requirements
• Mitigate privacy risks
• Determine the risks of collecting, using, maintaining, and disseminating PII on electronic information systems
• All of the above (correct)

An Individual whose PII has been stolen is susceptible to identity theft, fraud, and other damage.

True (A)

What guidance identifies federal information security controls?

• The Privacy Act of 1974
• The Freedom of Information Act (FOIA)
• OMB Memorandum M-17-12: Preparing for and responding to a breach of PII (correct)
• DOD 5400.11-R: DOD Privacy Program

Which of the following is NOT an example of PII?

Pet's nickname (C)

Which of the following is NOT a permitted disclosure of PII contained in a system of records?

The record is disclosed for a new purpose that is not specified in the SORN (B)

When is a PIA required?

When an organization collects PII from existing information systems and electronic collections for which no PIA was previously completed, or for new information systems or electronic collections.

When is a PIA not required?

When the information system or electronic collection does not collect, maintain, or disseminate PII, is a national security system, or is solely paper-based.

Within what timeframe must DOD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?

1 hour (C)

Using employee Social Security Numbers as record identification for tracking training completion is compliant with PII safeguarding procedures.

False (B)

Using a cross-cut shredder to dispose of physical copies of documents containing PII is compliant with PII safeguarding procedures.

True (A)

Organizations that fail to maintain accurate, relevant, timely, and complete information may face which type of penalties?

Civil penalties (C)

Paper-based PP is involved in data breaches more often than electronic PP documentation.

False (B)

Which regulation governs the DoD Privacy Program?

DOD 5400.11-R: DOD Privacy Program (A)

Which of the following is NOT included in a breach notification?

Articles and other media reporting the breach (D)

A PIA is required if your system for storing PII is entirely on paper.

False (B)

Misuse of PII can result in legal liability of the individual.

True (A)

Misuse of PII can result in legal liability of the organization.

True (A)

Where is a System of Records Notice (SORN) filed?

Federal Register (A)

Organizations must report to Congress the status of their PII holdings every:

Year (B)

What should Jane Student do if she cannot find the correct cover sheet for a document containing PII?

Mark the document CUI and wait to deliver it until she has the cover sheet (C)

The acronym PHI, in this context, refers to:

Protected Health Information (B)

Study Notes

Privacy Impact Assessments (PIAs)

• PIAs are essential for assessing organizational handling of information to meet compliance requirements.
• They aim to mitigate privacy risks and evaluate the implications of collecting, using, maintaining, and disseminating Personally Identifiable Information (PII).

Identity Theft Vulnerability

• Individuals whose PII has been stolen are at risk of identity theft, fraud, and other damages.

Federal Information Security Controls

• OMB Memorandum M-17-12 provides guidance on federal information security controls related to breaches of PII.

Defining PII

• PII examples include a driver's license number, social security number, and fingerprints.
• A pet's nickname is not classified as PII.

Permitted Disclosure of PII

• A disclosure of PII is not permitted if it is for a new purpose not previously specified in the System of Records Notice (SORN).

PIA Requirements

• A PIA is mandated for existing information systems without a prior PIA and for new systems or collections of PII.

Exceptions to PIA Requirements

• No PIA is needed if the system does not collect, maintain, or disseminate PII, operates as a national security system handling classified info, or is purely paper-based.

Reporting PII Breaches

• DOD organizations must report PII breaches to the US-CERT within one hour upon discovery.

Use of Social Security Numbers

• Utilizing employee Social Security Numbers for tracking training completion does not comply with PII safeguarding procedures.

Disposal of PII

• Proper disposal of PII, such as shredding documents with a cross-cut shredder, complies with safeguarding procedures.

Consequences of Inaccurate Information

• Organizations failing to maintain accurate and timely information may face civil penalties.

Breach Notification Requirements

• Breach notifications exclude articles and media reports surrounding the incident.

Legal Liability for PII Misuse

• Misuse of PII can lead to legal liability for both individuals and organizations.

System of Records Notices (SORN)

• SORNs are filed with the Federal Register, ensuring public access and transparency.

Reporting PII Holdings to Congress

• Organizations are required to report the status of their PII holdings to Congress annually.

Proper Document Delivery Practices

• If a PII document cannot be delivered with a correct cover sheet, it should be marked appropriately and not delivered until the cover sheet is available.

Protected Health Information (PHI)

• The acronym PHI stands for Protected Health Information, highlighting the sensitivity of health-related data.

Description

Test your knowledge on Privacy Impact Assessments and the proper handling of Personally Identifiable Information (PII) with these flashcards. This quiz will help you understand the requirements and privacy risks organizations face in managing PII, as outlined in version 4.0, 2022. Boost your privacy assessment skills and awareness.