Sorting diamonds from toothbrushes: New guide to protecting personal information

Jan 13, 2009

Thefts of personally identifiable information (PII), such as social security and credit card account numbers, are increasing dramatically. Adding to the difficulty of fighting this problem, organizations often disagree on what PII is, and how to protect it. Now, in a first-of-its-kind publication, the National Institute of Standards and Technology has issued a draft guide on protecting PII from unauthorized use and disclosure.

“You can’t protect PII unless you can identify it,” says NIST’s Erika McCallister, a co-author of the new work. The new NIST publication provides practical guidelines for implementing a basic definition of PII established by the government’s Office and Management and Budget (OMB) in a 2007 memo: “information which can be used to distinguish or trace an individual’s identity”* either all by itself—such as fingerprints, which are unique—or in combination with other information, such as date of birth, which can belong to multiple people but can be narrowed down to an individual in connection with other data.

Echoing former national security advisor McGeorge Bundy, who once stated, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds,” McCallister and her co-authors observe that, “All PII is not created equal.” A telephone area code holds less specific information about an individual than a social security number, so “you don’t need to protect things the same way,” McCallister says.

The NIST team recommends tailoring safeguards to the level of risk involved in holding personal information. PII should be graded by “PII confidentiality impact level,” the degree of potential harm that could result from the PII if it is inappropriately revealed. For example, an organization might require appropriate training for all individuals who are granted access to PII, with special emphasis on moderate- and high-impact PII, and might restrict access to high-impact PII from mobile devices, such as laptops and cellphones, which are generally at greater risk of compromise than non-portable devices, such as desktop computers at the organization’s headquarters.

The publication also recommends basic actions that organizations should take: identify all the PII they maintain, minimize the amount of PII they collect to what is strictly necessary to accomplish their mission, and develop incident response plans to handle breaches of PII. Such plans would include elements such as determining when and how individuals should be notified, and whether to provide remedial services, such as credit monitoring, to affected individuals.

The publication is intended primarily for U.S. federal government agencies, which must implement certain requirements on handling and protecting PII, but is intended to be useful to other organizations. The publication, known as Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” is available at the NIST Computer Security Resource Center's draft publication Web page: csrc.nist.gov/publications/PubsDrafts.html#800-122 .

Source: National Institute of Standards and Technology

Explore further: Iliad founder says T-Mobile offer is 'real'

add to favorites email to friend print save as pdf

Related Stories

Production phase for LSST camera sensors nears

Jul 21, 2014

(Phys.org) —A single sensor for the world's largest digital camera detected light making its way through wind, air turbulence, and Earth's atmosphere, successfully converting the light into a glimpse of ...

Media venture creates press litigation fund

Jul 21, 2014

The media venture created by entrepreneur Pierre Omidyar said Monday it was establishing a fund to help defend journalists in cases involving freedom of the press.

Bing offers to 'forget' links in Europe searches

Jul 17, 2014

Microsoft on Wednesday followed in Google's footsteps by letting people in Europe ask to have links related to them 'forgotten' on its search engine Bing, under the auspices of a court ruling.

Recommended for you

Iliad founder says T-Mobile offer is 'real'

6 hours ago

French telecom upstart Iliad's founder said Friday that the company's offer for US-based T-Mobile is "real" and that he is open to working with partners on a deal.

Law changed to allow 'unlocking' cellphones

6 hours ago

President Barack Obama signed a bill into law on Friday making it legal once again to unlock a cellphone without permission from a wireless provider, so long as the service contract has expired.

Social network challenges end in tragedy

6 hours ago

Online challenges daring people to set themselves ablaze or douse themselves in ice water are racking up casualties and fueling wonder regarding idiocy in the Internet age.

Microsoft sues Samsung alleging contract breach

6 hours ago

Microsoft on Friday sued Samsung in federal court claiming the South Korean giant had breached a contract over cross-license technology used in the fiercely competitive smartphone market.

States debate digital currency

7 hours ago

Now that consumers can use digital currencies like bitcoin to buy rugs from Overstock.com, pay for Peruvian pork sandwiches from a food truck in Washington, D.C., and even make donations to political action committees, states ...

User comments : 0