PII Protection Overview Quiz

Questions and Answers

Which action requires an organization to carry out a Privacy Impact Assessment?

Storing paper-based records

Collecting PII to store in a National Security System

Collecting any CUI, including but not limited to PII

Collecting PII to store in a new information system (correct)

Which of the following is an example of a physical safeguard that individuals can use to protect PII?

Locking file cabinets

Shredding documents

Using access controls

All of the above (correct)

What is the purpose of a Privacy Impact Assessment (PIA)?

Determine whether Protected Health Information (PHI) is held by a covered entity

Determine whether paper-based records are stored securely

Determine whether the collection and maintenance of PII is worth the risk to individuals (correct)

Determine whether information must be disclosed according to the Freedom of Information Act (FOIA)

Information that can be combined with other information to link solely to an individual is considered PII.

True

What guidance identifies federal information security controls?

OMB Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information

An organization that fails to protect PII can face consequences including:

All of the above

If someone tampers with or steals an individual's PII, they could be exposed to which of the following?

All of the above

Which of the following is NOT a permitted disclosure of PII contained in a system of records?

The record is disclosed for a new purpose that is not specified in the SORN.

Which of the following is not an example of PII?

Pet's nickname

All privacy impact assessments (PIAs) must do the following:

True

What law establishes the federal government's legal responsibility for safeguarding PII?

The Privacy Act of 1974

Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?

Civil penalties

What law establishes the public's right to access federal government information?

The Freedom of Information Act (FOIA)

An organization with an existing system of records decides to start using PII for a new purpose outside the 'routine use' defined in the System of Records Notice (SORN). Is this a permitted use?

No

A System of Records Notice (SORN) is not required if an organization determines that PII will be stored using a system of records.

False

Which of the following is responsible for the most recent PII data breaches?

Phishing

Which of the following is not an example of an administrative safeguard that organizations use to protect PII?

List all potential future uses of PII in the System of Records Notice (SORN)

Within what timeframe must DoD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?

1 Hour

Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?

Criminal penalties

Individuals who maintain a system of records without publishing the required public notice in the federal register may be subject to which of the following?

Both civil and criminal penalties

Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as a record identification. Is this compliant with PII safeguarding procedures?

No

You are tasked with disposing of physical copies of last year's grant application forms. These documents contain PII, so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?

Yes

Identify if a PIA is required:

B and D

Which of the following is NOT included in a breach notification?

Articles and other media reporting the breach.

You are reviewing personnel records containing PII when you notice a record with missing information. You contact the individual to update the personnel record. Is this compliant with PII safeguarding procedures?

Yes

Misuse of PII can result in legal liability of the individual.

True

Which regulation governs the DoD Privacy Program?

False

Using a Social Security Number to track individuals' training requirements is an acceptable use of PII.

False

Misuse of PII can result in legal liability of the organization.

True

Which type of safeguarding measure involves restricting PII access to people with a need-to-know?

Administrative

Study Notes

Personally Identifiable Information (PII) Overview

• A Privacy Impact Assessment (PIA) is mandatory when collecting PII to store in a new information system.
• Physical safeguards to protect PII include various tangible security measures like locked filing cabinets and secure locations.
• A PIA assesses whether the collection of PII is justified against potential risks to individuals.

Identifying PII

• Information that can be combined with other data to identify an individual qualifies as PII.
• Pet's nickname does not qualify as PII, unlike fingerprints, driver’s license numbers, or Social Security numbers.

Legal Framework and Accountability

• OMB Memorandum M-17-12 provides guidance on federal information security controls related to PII breaches.
• The Privacy Act of 1974 establishes the federal government's responsibility to safeguard PII.
• The Freedom of Information Act (FOIA) ensures public access to federal government information.

Risks and Consequences

• Organizations failing to protect PII risk remediation costs, loss of trust, and legal liabilities.
• Individuals may face embarrassment, fraud, and identity theft from PII breaches.

Disclosure Regulations

• Disclosures of PII are not permitted if the purpose isn't specified in the System of Records Notice (SORN).
• Failure to publish required public notice may lead organizations to face both civil and criminal penalties.

Compliance and Safeguarding Practices

• Using Social Security numbers for record identification violates PII safeguarding procedures.
• Proper disposal methods, like cross-cut shredding, comply with PII protection protocols.
• Administrative measures require restricting PII access to only those with a need-to-know basis.

Breach Reporting and Notification

• DoD organizations must report PII breaches to US-CERT within one hour of discovery.
• Breach notifications should include what happened, the date, discovery details, and contact information but exclude media articles.

Legal Implications

• Misuse of PII can lead to legal liability for both individuals and organizations.
• Accurate and relevant data maintenance is crucial to avoid civil penalties against organizations.

PII Management and Training

• Annual security training is critical, but using Social Security numbers for tracking is not compliant with regulations.
• Employees should be trained on proper PII handling and the importance of safeguarding sensitive information.

Description

Test your knowledge on Personally Identifiable Information (PII) and the measures taken to protect it. This quiz covers topics including Privacy Impact Assessments, legal frameworks, and risk management strategies related to PII. Enhance your understanding of how organizations safeguard sensitive data.