Sorting diamonds from toothbrushes: New guide to protecting personal information

Jan 13, 2009

Thefts of personally identifiable information (PII), such as social security and credit card account numbers, are increasing dramatically. Adding to the difficulty of fighting this problem, organizations often disagree on what PII is, and how to protect it. Now, in a first-of-its-kind publication, the National Institute of Standards and Technology has issued a draft guide on protecting PII from unauthorized use and disclosure.

“You can’t protect PII unless you can identify it,” says NIST’s Erika McCallister, a co-author of the new work. The new NIST publication provides practical guidelines for implementing a basic definition of PII established by the government’s Office and Management and Budget (OMB) in a 2007 memo: “information which can be used to distinguish or trace an individual’s identity”* either all by itself—such as fingerprints, which are unique—or in combination with other information, such as date of birth, which can belong to multiple people but can be narrowed down to an individual in connection with other data.

Echoing former national security advisor McGeorge Bundy, who once stated, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds,” McCallister and her co-authors observe that, “All PII is not created equal.” A telephone area code holds less specific information about an individual than a social security number, so “you don’t need to protect things the same way,” McCallister says.

The NIST team recommends tailoring safeguards to the level of risk involved in holding personal information. PII should be graded by “PII confidentiality impact level,” the degree of potential harm that could result from the PII if it is inappropriately revealed. For example, an organization might require appropriate training for all individuals who are granted access to PII, with special emphasis on moderate- and high-impact PII, and might restrict access to high-impact PII from mobile devices, such as laptops and cellphones, which are generally at greater risk of compromise than non-portable devices, such as desktop computers at the organization’s headquarters.

The publication also recommends basic actions that organizations should take: identify all the PII they maintain, minimize the amount of PII they collect to what is strictly necessary to accomplish their mission, and develop incident response plans to handle breaches of PII. Such plans would include elements such as determining when and how individuals should be notified, and whether to provide remedial services, such as credit monitoring, to affected individuals.

The publication is intended primarily for U.S. federal government agencies, which must implement certain requirements on handling and protecting PII, but is intended to be useful to other organizations. The publication, known as Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” is available at the NIST Computer Security Resource Center's draft publication Web page: csrc.nist.gov/publications/PubsDrafts.html#800-122 .

Source: National Institute of Standards and Technology

Explore further: Report: FBI's anthrax investigation was flawed

add to favorites email to friend print save as pdf

Related Stories

Sony hack adds to security pressure on companies

Dec 19, 2014

Faced with rising cybercrime like the attack on Sony Pictures Entertainment, companies worldwide are under pressure to tighten security but are hampered by cost and, for some, reluctance to believe they are ...

Digital dilemma: How will US respond to Sony hack?

Dec 18, 2014

The detective work blaming North Korea for the Sony hacker break-in appears so far to be largely circumstantial, The Associated Press has learned. The dramatic conclusion of a Korean role is based on subtle ...

Timeline of the Sony Pictures Entertainment hack

Dec 18, 2014

It's been four weeks since hackers calling themselves Guardians of Peace began their cyberterrorism campaign against Sony Pictures Entertainment. In that time thousands of executive emails and other documents ...

North Korea linked to Sony hacking (Update)

Dec 17, 2014

Federal investigators have now connected the hacking of Sony Pictures Entertainment Inc. to North Korea, a U.S. official said Wednesday, though it remained unclear how the federal government would respond ...

Carnegie hosts crater-naming contest

Dec 16, 2014

The MESSENGER Education and Public Outreach (EPO) Team is launching a competition this week to name five impact craters on Mercury. The contest is open to all Earthlings, except for members of the mission's EPO team. ...

Recommended for you

Report: FBI's anthrax investigation was flawed

Dec 19, 2014

The FBI used flawed scientific methods to investigate the 2001 anthrax attacks that killed five people and sickened 17 others, federal auditors said Friday in a report sure to fuel skepticism over the FBI's ...

Study reveals mature motorists worse at texting and driving

Dec 18, 2014

A Wayne State University interdisciplinary research team in the Eugene Applebaum College of Pharmacy and Health Sciences has made a surprising discovery: older, more mature motorists—who typically are better drivers in ...

Napster co-founder to invest in allergy research

Dec 17, 2014

(AP)—Napster co-founder Sean Parker missed most of his final year in high school and has ended up in the emergency room countless times because of his deadly allergy to nuts, shellfish and other foods.

LA mayor plans 7,000 police body cameras in 2015

Dec 16, 2014

Mayor Eric Garcetti announced a plan Tuesday to equip 7,000 Los Angeles police officers with on-body cameras by next summer, making LA's police department the nation's largest law enforcement agency to move ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.