PII Protection Overview Quiz
30 Questions

Questions and Answers

Which action requires an organization to carry out a Privacy Impact Assessment?

  • Storing paper-based records
  • Collecting PII to store in a National Security System
  • Collecting any CUI, including but not limited to PII
  • Collecting PII to store in a new information system (correct)

Which of the following is an example of a physical safeguard that individuals can use to protect PII?

  • Locking file cabinets
  • Shredding documents
  • Using access controls
  • All of the above (correct)

What is the purpose of a Privacy Impact Assessment (PIA)?

  • Determine whether Protected Health Information (PHI) is held by a covered entity
  • Determine whether paper-based records are stored securely
  • Determine whether the collection and maintenance of PII is worth the risk to individuals (correct)
  • Determine whether information must be disclosed according to the Freedom of Information Act (FOIA)

Information that can be combined with other information to link solely to an individual is considered PII.

Answer: True

What guidance identifies federal information security controls?

Answer: OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information

An organization that fails to protect PII can face consequences including:

Answer: All of the above (remediation costs, loss of trust, and legal liability)

If someone tampers with or steals an individual's PII, the individual could be exposed to which of the following?

Answer: All of the above (embarrassment, fraud, and identity theft)

Which of the following is NOT a permitted disclosure of PII contained in a system of records?

Answer: The record is disclosed for a new purpose that is not specified in the SORN.

Which of the following is not an example of PII?

Answer: Pet's nickname

All privacy impact assessments (PIAs) must do the following:

Answer: True

What law establishes the federal government's legal responsibility for safeguarding PII?

Answer: The Privacy Act of 1974

Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?

Answer: Civil penalties

What law establishes the public's right to access federal government information?

Answer: The Freedom of Information Act (FOIA)

An organization with an existing system of records decides to start using PII for a new purpose outside the "routine use" defined in the System of Records Notice (SORN). Is this a permitted use?

Answer: No

A System of Records Notice (SORN) is not required if an organization determines that PII will be stored using a system of records.

Answer: False

Which of the following is responsible for the most recent PII data breaches?

Answer: Phishing

Which of the following is not an example of an administrative safeguard that organizations use to protect PII?

Answer: Listing all potential future uses of PII in the System of Records Notice (SORN)

Within what timeframe must DoD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?

Answer: 1 hour

Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?

Answer: Criminal penalties

Individuals who maintain a system of records without publishing the required public notice in the Federal Register may be subject to which of the following?

Answer: Both civil and criminal penalties

Your organization has a new requirement for annual security training. To track training completion, it is using employee Social Security Numbers as the record identifier. Is this compliant with PII safeguarding procedures?

Answer: No

You are tasked with disposing of physical copies of last year's grant application forms. These documents contain PII, so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?

Answer: Yes

Identify if a PIA is required:

Answer: B and D

Which of the following is NOT included in a breach notification?

Answer: Articles and other media reporting the breach.

You are reviewing personnel records containing PII when you notice a record with missing information. You contact the individual to update the personnel record. Is this compliant with PII safeguarding procedures?

Answer: Yes

Misuse of PII can result in legal liability for the individual.

Answer: True

Which regulation governs the DoD Privacy Program?

Answer: DoD 5400.11-R, Department of Defense Privacy Program

Using a Social Security Number to track individuals' training requirements is an acceptable use of PII.

Answer: False

Misuse of PII can result in legal liability for the organization.

Answer: True

Which type of safeguarding measure involves restricting PII access to people with a need-to-know?

Answer: Administrative

Study Notes

Personally Identifiable Information (PII) Overview

• A Privacy Impact Assessment (PIA) is mandatory when collecting PII to store in a new information system.
• Physical safeguards for PII are tangible measures such as locked filing cabinets, secure storage locations, and shredding of paper records.
• A PIA assesses whether collecting and maintaining PII is justified against the risk it creates for the individuals concerned.

Identifying PII

• Information that can be combined with other data to identify an individual is PII, even if it identifies no one on its own.
• A pet's nickname is not PII; fingerprints, driver's license numbers, and Social Security numbers are.
• OMB Memorandum M-17-12 (Preparing for and Responding to a Breach of Personally Identifiable Information) is the guidance on federal information security controls for PII breaches.
• The Privacy Act of 1974 establishes the federal government's legal responsibility to safeguard PII.
• The Freedom of Information Act (FOIA) establishes the public's right of access to federal government information.

Risks and Consequences

• Organizations that fail to protect PII risk remediation costs, loss of trust, and legal liability.
• Individuals whose PII is tampered with or stolen may face embarrassment, fraud, and identity theft.
• Phishing has been responsible for the most recent PII data breaches.

Disclosure Regulations

• PII in a system of records may not be disclosed for a purpose that is not specified in the System of Records Notice (SORN); a new use outside the published routine uses is not permitted.
• A SORN is required whenever PII will be stored in a system of records; maintaining a system of records without publishing the required notice in the Federal Register exposes those responsible to both civil and criminal penalties.
• Knowingly disclosing PII to someone without a need-to-know can result in criminal penalties.

Compliance and Safeguarding Practices

• Using Social Security numbers as record identifiers (for example, to track training completion) violates PII safeguarding procedures.
• Cross-cut shredding that leaves paper records unrecognizable and beyond reconstruction is a compliant disposal method.
• Administrative safeguards include restricting PII access to people with a need-to-know; listing all potential future uses of PII in the SORN is not an administrative safeguard.
• Contacting an individual to correct missing or inaccurate information in their record is a compliant way to keep records accurate and complete.

Breach Reporting and Notification

• DoD organizations must report PII breaches to US-CERT within one hour of discovery.
• A breach notification covers what happened, when it occurred, how it was discovered, and whom to contact; it does not include news articles or other media reports of the breach.
• Misuse of PII can create legal liability for both the individual and the organization.
• Organizations that fail to maintain accurate, relevant, timely, and complete information may face civil penalties.

PII Management and Training

• Annual security training is required, but tracking completion by Social Security number is not compliant with PII safeguarding procedures.
• Employees should be trained in proper PII handling and the importance of safeguarding sensitive information.


Description

Test your knowledge of Personally Identifiable Information (PII) and the measures taken to protect it. This quiz covers Privacy Impact Assessments, the legal frameworks that govern PII, and the risk management practices organizations use to safeguard sensitive data.
