On September 8th 2017, the FTC (Federal Trade Commission) reported that the Equifax data breach had exposed the sensitive personal information of roughly 147 million people. It is just another BIG data breach affecting the information security of a huge number of people. Before we move forward, a good question is: security of which information? The concern is for information that lives somewhere in cyberspace and that cyber-criminals may exploit to jeopardize our lives, livelihoods, and assets.
Information Security is for Protecting Sensitive Information
Not all personal information is equally valuable to cyber-criminals. Protecting PII (Personally Identifiable Information) and PSI (Personally Sensitive Information) is critically important in the context of information security because of their potential value to cyber-criminals. Thus, cybersecurity professionals are concerned with the protection of PII and PSI. But it should concern you and me as well: if my PII or PSI is compromised, it may be used against me now or at any time in the future, and unlike a password, a date of birth or SSN cannot simply be changed.
So what are PII and PSI? How are they created? We address those questions in this section.
Six types of Information
Any attribute associated with a person (or with an entity or organization) is personal information. Six different types of information and the relationships between them are shown in the diagram above. Each type is created by linking several pieces of information. Consider a person's name. It is personal information because it is an attribute associated with the person; to qualify, it need not be unique to that person. As more pieces of personal information are added (linked), fewer people are likely to share that combination of attribute values. For example, more people share a first name (or a last name) than share a full name that includes both.
Personal information such as place of birth and date of birth is static in nature; it does not change with time. This is called static information. Other attributes, such as a person's weight (and most physical attributes) or address, may change with time. These are dynamic information. Attributes from both the static and dynamic categories are combined to create private information and public information.
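As an added illustration (example code written for this edit, not part of the original post or its diagram), the following Python script makes the linking argument above concrete on a small constructed set of fictional records: it counts how many records share a given combination of attributes, and shows how the size of the smallest such group (the k of k-anonymity) shrinks as first name, last name, date of birth and ZIP code are linked in turn. The record set and the attribute names are assumptions made up for the example.

```python
from collections import Counter

# Constructed sample records of fictional people (not real data). "first",
# "last" and "dob" are static attributes; "zip" is a dynamic one (people move).
RECORDS = [
    {"first": "John", "last": "Smith", "dob": "1980-04-12", "zip": "30301"},
    {"first": "John", "last": "Smith", "dob": "1975-09-30", "zip": "30301"},
    {"first": "John", "last": "Doe",   "dob": "1980-04-12", "zip": "30309"},
    {"first": "John", "last": "Doe",   "dob": "1975-09-30", "zip": "30309"},
    {"first": "Jane", "last": "Smith", "dob": "1980-04-12", "zip": "30301"},
    {"first": "Jane", "last": "Smith", "dob": "1980-04-12", "zip": "30309"},
]


def group_sizes(records, attrs):
    """How many records share each combination of values for `attrs`."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Size of the smallest group: the worst-case number of people an attacker
    who knows only these attributes cannot tell apart (k == 1 means someone is
    uniquely identified by that combination)."""
    return min(group_sizes(records, attrs).values())


def matches(records, known):
    """Records consistent with what an attacker already knows about a target."""
    return [r for r in records if all(r[a] == v for a, v in known.items())]


def is_reidentified(records, known):
    """True when the known attributes single out exactly one record."""
    return len(matches(records, known)) == 1


def linkage_report(records, attr_order):
    """k-anonymity after linking the first 1, 2, ..., n attributes in order."""
    return [
        (tuple(attr_order[:i]), k_anonymity(records, attr_order[:i]))
        for i in range(1, len(attr_order) + 1)
    ]


if __name__ == "__main__":
    for attrs, k in linkage_report(RECORDS, ["first", "last", "dob", "zip"]):
        print(f"{' + '.join(attrs):<28} k = {k}")
    target = {"first": "John", "last": "Smith"}
    print("full name alone identifies John Smith:", is_reidentified(RECORDS, target))
    target["dob"] = "1980-04-12"
    print("full name + date of birth identifies him:", is_reidentified(RECORDS, target))
```

On this data k stays at 2 for the first name alone and for the full name (two John Smiths, two John Does, two Jane Smiths) and drops to 1 once the date of birth is linked: at that point one record is uniquely identified, which is what makes the combination identifying even though no single attribute was unique. The same counting is how an analyst checks whether a "de-identified" dataset is really anonymous before releasing it.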
Information Security is for Protecting Private Information
Any private information requires protection to maintain its confidentiality, whereas public information is openly available and needs no confidentiality protection. Public information does, however, need integrity protection: the systems that hold it must ensure that it is not altered by unauthorized people, otherwise anyone relying on it is relying on whatever the attacker wrote.
All PII (personally identifiable information) cards are created by linking a full name with other static and dynamic personal information. In the USA, the Social Security card, which carries the Social Security number (SSN), is issued by the federal government and is a PII card. Applying for an SSN (and the card) requires a minimum of 9 and as many as 12 pieces of personal information. Each SSN issued is unique to the individual it is assigned to.
Any organization can create a unique PII for each person who is part of the organization or who has a business relationship with it. To create a PII card of its own, a non-governmental entity most often requires some form of government-issued PII. The PII issued by an organization may not have much universal acceptance, but the information collected from individuals to create it includes one or more pieces of PII and PSI. The organization must therefore protect the information it has collected at the highest level, and to that end it must have information security policies and procedures in place.
Most often, one of the attributes used to create and issue a PSI (personally sensitive information) card, such as a driver's license, is itself a government-issued PII. For example, in the USA, to receive a driver's license from a state department of motor vehicles (DMV) office, one has to enter the SSN on the application form. Thus the information collected at the DMV office requires a very high level of security.
Different countries have different rules for the privacy of information. In the USA, education records and health information are private information protected by law (FERPA and HIPAA respectively). One must know and observe the rules of the countries one deals with.
Who is responsible for security of your PII and PSI?
As discussed above, every entity that holds any of your private information, PII or PSI is responsible for protecting its privacy and integrity. And when they store it in digital form on a computer and/or an online system, it is their responsibility to manage its cybersecurity against intruders and attackers. In this post I will not discuss how organizations manage the security of their information systems. Let us discuss what individuals can and should do.
Every individual has a critical role, not only because it is his private information, but also because it is important for him to understand how, where, when, and to whom he is disclosing it. The first question to ask before disclosing any PII or PSI is: is it absolutely necessary to provide this information for the service I am requesting? If the answer is a resounding yes, the next question is how the information is disclosed. Is it given over the phone, written on paper, emailed, faxed, or entered into an online form? Each of these has different security implications (email and fax, for instance, are normally not encrypted end to end). For all online communication, it is extremely important to ensure that the connection is encrypted, that is, that the form is served over HTTPS using TLS (transport layer security). TLS is the successor to SSL (secure sockets layer); SSL and the early TLS versions (1.0 and 1.1) are obsolete and should not be accepted, and the browser must verify the site's certificate (the address starts with https:// and the browser shows no certificate warning).
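As an added example (not from the original post), here is a Python helper showing what "ensure the communication is over a secure link" means in code for an online form: refuse any destination that is not https, and use a TLS client context that verifies the server certificate and hostname and refuses SSL and TLS below 1.2. The URLs and function names are made up for the example; actually sending the form is left to the caller so that the check runs offline.

```python
import ssl
from urllib.parse import urlsplit


def is_secure_submission_url(url):
    """Accept a form target only if it is served over HTTPS and names a host.
    An http:// URL would send the form contents in clear text."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname is not None


def make_client_context():
    """TLS client settings a careful client should enforce:
    - verify the server certificate against the trusted CA store,
    - verify that the certificate matches the hostname,
    - refuse SSLv2/SSLv3/TLS 1.0/TLS 1.1 (SSL is obsolete; TLS 1.2 is the floor).
    ssl.create_default_context() already sets CERT_REQUIRED and check_hostname;
    the minimum version is pinned explicitly so the policy does not depend on
    the Python/OpenSSL defaults of whatever machine this runs on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_policy(ctx):
    """True if a context verifies certificates and hostnames and rejects TLS < 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def prepare_submission(url):
    """Validate the destination and return (host, port, ssl_context), or raise.
    The caller opens the connection (e.g. http.client.HTTPSConnection with
    context=ctx) and sends the form; nothing here touches the network."""
    if not is_secure_submission_url(url):
        raise ValueError(f"refusing to send PII over an insecure URL: {url}")
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443, make_client_context()


if __name__ == "__main__":
    # Hypothetical form URLs used only to exercise the check.
    for candidate in ("https://example.com/apply", "http://example.com/apply"):
        try:
            host, port, ctx = prepare_submission(candidate)
            print(f"OK   {candidate} -> {host}:{port}, policy ok={context_meets_policy(ctx)}")
        except ValueError as err:
            print(f"FAIL {err}")
```

In a browser the same checks are the https:// prefix, the padlock, and the absence of a certificate warning; the point of writing them out is that "SSL or TLS" is not one setting but three (scheme, certificate verification, protocol floor), and a form that passes only one of them is still exposed.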