GUIDE TO PROTECTING THE CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION (PII)
Executive Summary
The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years.[1] Breaches involving PII are hazardous to both individuals and organizations. Individual harms[2] may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy[3] once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality[4] of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies,[5] but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.
Organizations should identify all PII residing in their environment.
An organization cannot properly protect PII it does not know about. This document uses a broad definition of PII to identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites). PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."[6]
Examples of PII include, but are not limited to:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
- Address information, such as street address or email address
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
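Identifying PII starts with finding it where it actually lives. The following is an added example, not part of this publication, of the kind of discovery scan a practitioner would run over file shares, database exports, or backup contents to locate two of the identifier types listed above: SSNs and payment card numbers. The file names and contents are constructed sample data; the SSN and card patterns, the Luhn check, and the masking policy are the example's own assumptions about what is worth flagging, not definitions drawn from this document.

```python
"""Added example: a minimal PII discovery scanner (not from NIST SP 800-122).

Looks for U.S. Social Security numbers and payment card numbers in text.
Card candidates are confirmed with the Luhn check so that arbitrary digit
runs (ticket numbers, hashes, timestamps) are not reported. Findings carry
a masked value only, so the scanner's own report does not become one more
copy of the PII it just found.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN: 3-2-4 digits with optional '-' or ' ' separators. Area numbers 000,
# 666 and 900-999 are never issued, and no group or serial is all zeros.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)

# Payment card candidate: 13-19 digits, each optionally followed by one
# separator. Length and Luhn validity are re-checked on the stripped digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


@dataclass(frozen=True)
class Finding:
    source: str   # where the PII was found (file, table, share path)
    kind: str     # "ssn" or "card"
    masked: str   # masked value, never the raw identifier


def scan(source: str, text: str) -> list[Finding]:
    """Scan one text blob and return masked findings."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(source, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(source, "card", mask(digits)))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source name -> contents, in insertion order."""
    out: list[Finding] = []
    for name, text in files.items():
        out.extend(scan(name, text))
    return out


# Constructed sample data (hypothetical file names and contents, not real
# records). The second card number in refunds.csv fails Luhn and the build
# log contains only a hash and a ticket number, so neither is reported.
SAMPLE_FILES = {
    "hr/onboarding.txt": "Applicant: Jane Doe, SSN 123-45-6789, start date 2024-01-15",
    "finance/refunds.csv": "refund,4111 1111 1111 1111,25.00\nrefund,1234 5678 9012 3456,10.00",
    "eng/build.log": "commit 9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d ticket 4242",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.source}: {f.kind} {f.masked}")
```

Running the script reports one SSN in the onboarding note and one card number in the refunds file, and nothing from the build log. In practice the inventory this produces (source, kind, count) feeds the risk-based decisions the rest of the guide describes; the raw matches should never be written to the report, which is why `Finding` stores only the masked value.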
[1] Government Accountability Office (GAO) Report 08-343, Protecting Personally Identifiable Information, January 2008, http://www.gao.gov/new.items/d08343.pdf
[2] For the purposes of this document, harm means any adverse effects that would be experienced by an individual whose PII was the subject of a loss of confidentiality, as well as any adverse effects experienced by the organization that maintains the PII. See Section 3.1 for additional information.
[3] Congressional testimony as quoted by the New York Times, March 5, 1989. McGeorge Bundy was the U.S. National Security Advisor to Presidents Kennedy and Johnson (1961-1966). http://query.nytimes.com/gst/fullpage.html?res=950DE2D6123AF936A35750C0A96F948260
[4] For the purposes of this document, confidentiality is defined as "preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information." 44 U.S.C. § 3542. http://uscode.house.gov/download/pls/44C35.txt.
[5] For the purposes of this publication, both are referred to as "organizations".
[6] This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.