PII Flashcards: Protecting Personal Information

Questions and Answers

Which action requires an organization to carry out a Privacy Impact Assessment?

Storing paper-based records

Collecting PII to store in a new information system (correct)

Collecting PII to store in a National Security System

Collecting any CUI, including but not limited to PII

What is the purpose of a Privacy Impact Assessment (PIA)?

Determine whether Protected Health Information (PHI) is held by a covered entity

Determine whether the collection and maintenance of PII is worth the risk to individuals (correct)

Determine whether paper-based records are stored securely

Determine whether information must be disclosed according to the Freedom of Information Act (FOIA)

Information that can be combined with other information to link solely to an individual is considered PII.

True

What guidance identifies federal information security controls?

OMB Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information Signup and view all the answers

An organization that fails to protect PII can face consequences including:

All of the above Signup and view all the answers

If someone tampers with or steals an individual's PII, they could be exposed to which of the following?

All of the above Signup and view all the answers

Which of the following is not an example of PII?

Pet's nickname Signup and view all the answers

What law establishes the federal government's legal responsibility for safeguarding PII?

The Privacy Act of 1974 Signup and view all the answers

An organization with an existing system of records decides to start using PII for a new purpose outside the 'routine use' defined in the System of Records Notice (SORN). Is this a permitted use?

No Signup and view all the answers

Which of the following is responsible for the most recent PII data breaches?

Phishing Signup and view all the answers

Which of the following is not an example of an administrative safeguard that organizations use to protect PII?

List all potential future uses of PII in the System of Records Notice (SORN) Signup and view all the answers

Within what timeframe must DoD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?

1 Hour Signup and view all the answers

Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?

Criminal penalties Signup and view all the answers

Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as a record identification. Is this compliant with PII safeguarding procedures?

No Signup and view all the answers

Identify if a PIA is required:

B and D Signup and view all the answers

Which of the following is NOT included in a breach notification?

Articles and other media reporting the breach. Signup and view all the answers

Misuse of PII can result in legal liability of the individual.

True Signup and view all the answers

Which regulation governs the DoD Privacy Program?

DoD 5400.11-R: DoD Privacy Program Signup and view all the answers

Using a Social Security Number to track individuals' training requirements is an acceptable use of PII.

False Signup and view all the answers

Misuse of PII can result in legal liability of the organization.

True Signup and view all the answers

Which type of safeguarding measure involves restricting PII access to people with a need-to-know?

Administrative Signup and view all the answers

Study Notes

Privacy Impact Assessment (PIA)

A PIA is required when collecting PII for a new information system.
The purpose of a PIA is to assess whether the risks of collecting and maintaining PII outweigh the potential harm to individuals.

Personally Identifiable Information (PII) Definitions

PII includes information that can be combined to identify an individual.
Pet's nickname is NOT considered PII.
Legal responsibility for safeguarding PII is established by the Privacy Act of 1974.

Consequences of Failing to Protect PII

Organizations face remediation costs, loss of trust, and legal liability due to improper PII management.

Data Breaches

Phishing is the leading cause of modern PII data breaches.
Breaches must be reported to the US-CERT within 1 hour of discovery.

Safeguarding PII

Administrative safeguards include conducting risk assessments and ensuring employee training.
Using Social Security Numbers to track employee training is non-compliant with PII safeguarding procedures.
Knowingly disclosing PII without a need-to-know can lead to criminal penalties.

Reporting and Compliance

A breach notification does not include media articles related to the breach.
Organizations must seek guidance from regulations like DoD 5400.11-R for privacy programs.
A PIA is required for converting paper PII records to electronic form or when puchasing a new PII storage system.

Important True/False Facts

Information misuse can result in legal liability for both individuals and organizations.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

Test your knowledge on Personally Identifiable Information (PII) with these flashcards. Each card presents a question related to privacy impact assessments and the handling of PII in various contexts. Perfect for anyone studying privacy regulations and practices.

PII Flashcards 4.0