PROTECTING CONFIDENTIAL CLIENT DATA BEST PRACTICES
Confidentiality Requirements for WIOA Partners
• Statute and Regulations
  • Workforce Innovation and Opportunity Act of 2014, § 185(a)(4)
  • Prohibits disclosure “…which would constitute a clearly unwarranted invasion of personal privacy”
• Training and Employment Guidance Letter (TEGL 39-11), June 28, 2012, “Guidance on Handling and Protection of Personal Identifiable Information (PII)”
  https://wdr.doleta.gov/directives/corr_doc.cfm?DOCN=7872
What is Confidential Client Data?
• Workforce Partners must protect two types of Confidential Client Data (CCD):
• Personal Identifiable Information (PII): the Office of Management and Budget (OMB) defines PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
What is Confidential Client Data?
• Examples of PII (from TEGL 39-11):
  • Social security numbers
  • Unlisted telephone numbers, including cellular telephone numbers
  • Financial account numbers (e.g. credit/debit cards, checking accounts, etc.)
  • Age and Date of Birth
  • Marital Status
What is Confidential Client Data?
• Examples of data which is not by itself PII, but which, combined with other data, may be used to compromise an identity:
  • First and Last Name
  • Email Address
  • Business Address
  • Gender
• “Risk of Harm Analysis”
What is Confidential Client Data?
• Data which by law is confidential and must be protected:
  • Unemployment Insurance (UI)
    • USDOL Regulations, 20 CFR part 603
    • State Employment Security Law, including UI and Wagner-Peyser: O.C.G.A. § 34-8-120, et seq.
  • Education: Family Education Rights and Privacy Act (“FERPA”)
  • Vocational Rehabilitation: Health Insurance Portability and Accountability Act (“HIPAA”)
With all that Data, What Can Go Wrong?
• Hacking or Malware Breach. However, only 25% of breaches between 2005 and 2015 were the result of hacking.
With all that Data, What Can Go Wrong?
• Device Loss: 41% of breaches were due to loss of a laptop, thumb drive, etc.
With all that Data, What Can Go Wrong?
• Phishing!! IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s
• The following are some of the details contained in the e-mails:
  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
• From an IRS News Release, March 1, 2016
With all that Data, What Can Go Wrong?
• Carelessness! Examples of acts of carelessness:
  • Email with PII sent to someone other than the intended recipient
  • Losing a hard copy of a document with PII
  • Mistakenly posting a picture on social media which includes PII
With all that Data, What Can Go Wrong?
• Criminal Actions by Employees
There is Value in PII
• Social Security Numbers: $55.70
• Full Scan of Driver’s License or Other Document: $10-$35
• Home Address: $12.90
• Name and Gender: $2.90
• Marital Status: $8.30
Consequences of Identity Theft
• Fraudulent Accounts
  • Credit Cards, Cell Phones, Leases, Large Purchases (e.g. autos)
• Fraudulent Tax Returns
  • Submitting returns for a refund before the real taxpayer submits their return
• Sale of PII on the “Dark Net”
• Victims of Identity Theft have been mistakenly arrested
  • Victim’s ID used to cash a bad check; a warrant is taken out naming the victim
  • A thief used the victim’s driver’s license when pulled over and received a ticket in the victim’s name and DL number. The victim was later pulled over for a minor traffic matter and arrested for “failure to appear” regarding the ticket issued to the identity thief.
What Does GDOL Do To Prevent Breaches?
• Because unemployment insurance (UI) information is subject to stricter confidentiality provisions of Federal and State law, the release of UI data is limited depending on who releases it, what is released, and how it is released.
• Our employees are liable for the confidentiality of the UI data to which they have access. Access to UI data is restricted to those employees needing it to perform their job.
What Does GDOL Do To Prevent Breaches?
• All GDOL staff are required to read, sign and acknowledge, at the time of hire and annually thereafter, the Personal Identifiable Information (PII) Disclosure policy (responsibility to properly handle, protect and safeguard UI PII data).
• Access to certain UI data received from Federal agencies (e.g. IRS tax information, OCSE’s New Hire data, and Social Security crossmatch information) requires staff to sign additional non-disclosure affidavits.
What We Do To Protect UI Data (Examples)
We:
• Eliminate the use of full social security numbers (SSN) on UI documents (including letters/emails/faxes). If a full SSN is required and appears on a document, black out the number before mailing, emailing or faxing.
• Prohibit sending emails with PII to non-GDOL and GDOL staff email addresses. Before pressing send, verify all email addresses to ensure that only appropriate GDOL addresses are listed.
• Use the individual’s last name and a truncated SSN (e.g. display the last four digits) to communicate.
• Use email filters (prevents emails with PII from being sent to non-GDOL addresses).
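Added example, not GDOL’s own filter: a minimal outbound-mail check in Python that does what the last three bullets describe, detecting SSN-shaped values, truncating them to last-four form, and blocking a message that would carry a full SSN to an address outside the agency domain. The allowed domain is taken from the contact addresses on these slides; the sample message is constructed.

```python
import re

# Matches a 9-digit SSN written as 123-45-6789 or 123456789. The lookarounds
# stop longer digit runs (10-digit phone numbers, account numbers) from matching.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")

# Only agency addresses may receive PII (domain from the slide deck's contacts).
ALLOWED_DOMAINS = {"gdol.ga.gov"}

# Constructed sample of a staff reply that leaks a full SSN.
SAMPLE_BODY = ("Per your request, the claimant is John Doe, SSN 123-45-6789, "
               "DOB 01/02/1980. Call 404-555-0100 with questions.")


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped token in text, normalised to ###-##-####."""
    return [f"{a}-{b}-{c}" for a, b, c in SSN_RE.findall(text)]


def truncate_ssn(text: str) -> str:
    """Replace each full SSN with its last-four form, e.g. XXX-XX-6789."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def external_recipients(recipients, allowed=ALLOWED_DOMAINS) -> list[str]:
    """Addresses whose domain is not on the allowed list (case-insensitive)."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in allowed]


def check_outbound(subject: str, body: str, recipients) -> dict:
    """Policy decision for one message: block when a full SSN would go to any
    external address; otherwise allow, handing back the truncated body so
    internal mail still shows only the last four digits."""
    ssns = find_ssns(subject) + find_ssns(body)
    external = external_recipients(recipients)
    return {
        "ssns_found": len(ssns),
        "external": external,
        "block": bool(ssns) and bool(external),
        "body": truncate_ssn(body),
    }


if __name__ == "__main__":
    to = ["Denise.Beckwith@gdol.ga.gov", "payroll@example.com"]
    print(check_outbound("W-2 request", SAMPLE_BODY, to))
```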
What We Do To Protect UI Data (Examples)
We:
• Check the customer’s valid picture identification before providing the customer with requested document(s) which include their PII (even if the ID was checked at the time of request).
• Review each document in a mail packet to ensure that it contains only information regarding the addressee and does not have another individual’s information “accidentally” included before placing the document(s) in the mail. (Also, all SSNs are redacted.)
What We Do To Protect UI Data (Examples)
We:
• Use appropriate methods for destroying PII (cross-cut shredders, secured locked waste bins).
• Lock computer screens when away from the desk.
• Use encrypted devices for any data transmitted (CD, DVD, thumb drives, SFTP, and RSA user authentication token for VPN access).
• Secure the placement of computer screens and records to prevent PII being visible to customers or visitors (away from windows, hallways, walkways, etc.; use of screen filters).
What We Do To Protect UI Data (Examples)
We:
• Do not leave files/documents with PII unattended (place them in locked desk drawers or cabinets).
• Do not remove documents with PII from GDOL property (except under rare circumstances and with Sr. Leadership approval).
• Additional Identity Verifications Performed:
  • SSA & Dept of Homeland Security Crossmatches: UI applicant identity is verified via an electronic data crossmatch process with SSA & Dept of Homeland Security to verify identity, citizenship and United States work authorization.
  • UI Applicant Status Affidavit: Georgia law requires all applicants for any type of unemployment benefits who are 18 years of age or older to sign an affidavit attesting they are (1) a United States citizen or a legal permanent resident or (2) a non-citizen legally present in the United States.
We Also Advise Job Seekers to Protect PII
• From the Employ Georgia webpage
What Are The Consequences For Agency Staff If There Is A Breach?
• Disclosure of confidential UI data and information may result in civil fines and/or criminal prosecution as a misdemeanor, which carries up to one year in prison and/or a $1,000 fine.
• Improper use or misuse of GDOL computer access to UI data and information may result in criminal prosecution and up to 15 years in prison and/or a $50,000 fine.
Other Consequences of a Breach
• Georgia law requires notice to an individual whose identity may have been compromised
• Possible litigation
• Loss of trust by the public
Recommendations
• First, an agency should establish a policy to protect the PII of the customers served
• Make sure ALL employees are aware of the policy
Policy Recommendations
• Minimize the use of PII when possible
• Use alternative numbers or the last four digits of the SSN
• Limit access to PII to only staff who need such access
• Include a process for retaining and destroying documents with PII
• Avoid the need to remove documents with PII from secured areas
• Lock computer screens when not in use
• Use encrypted devices
• Password protect files with PII
• Double check email before sending PII
Questions?
Denise Beckwith, UI Policy and Procedures Section, Denise.Beckwith@gdol.ga.gov
Nancy Meeden, Legal Services Manager, Nancy.Meeden@gdol.ga.gov