Washington County Schools GUIDE TO PERSONALLY IDENTIFIABLE INFORMATION
WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)? • House Bill 5 states "Personal Information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
• An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account
• A Social Security number
• A taxpayer identification number that incorporates a Social Security number
• A driver's license number, state identification card, or other individual identification number issued by any agency
• A passport number or other identification number issued by the United States government
• Individually identifiable health information as defined in 45 C.F.R. sec. 160.103, except for education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. sec. 1232g.
Is A Student ID (State Student Identifier - SSID) Confidential PII? • The Family Policy Compliance Office, which is responsible for administering FERPA, states that a student identification number can be considered directory information (not PII), “but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student or authorized user.”
WHAT IS A DATA BREACH? • According to KRS 61.931, a data breach is the unauthorized (whether stolen or lost) release of PII that can be reasonably believed to jeopardize the security, confidentiality, or integrity of the PII and cause harm to one or more individuals. A data breach harms the victims because their information is lost and a crook can sell the information multiple times to other crooks, who then steal the victim’s money or identity, open fraudulent bank accounts or credit cards, or even obtain healthcare. It can leave the victims, which can include children, thousands or even hundreds of thousands of dollars in debt, depending on how long it goes on undetected.
THE MOST COMMON DATA BREACHES, AND HOW TO PREVENT THEM Human error is the most common enabler of a data breach. While hackers get most of the spotlight, they wouldn’t be so successful (by a WIIIIIDE margin) if, frankly, all of us weren’t making it so easy for them. Here are the four most common types of data breaches in Kentucky’s K-12 environment, and how to prevent them.
LOSS OR THEFT OF A USB THUMBDRIVE, LAPTOP, TABLET, OR SMARTPHONE CONTAINING PII How to prevent this breach: • DO NOT save or store PII on these devices in the first place. • DO NOT leave these devices in your car unattended. • Encrypt the device, or the PII on your device. Encrypted PII, if lost or stolen, does not cause a data breach as long as the password isn’t available. Example: if PII is downloaded to a laptop and the laptop is then lost or stolen from your car or at a school function, it won’t matter that the thief was only looking to sell the laptop; if there’s PII on the device, that’s a breach.
POOR OR SHARED/STOLEN PASSWORDS How to prevent this breach: • DO NOT use passwords based on “password” or the names of the seasons, months, family members, pets, or sports teams. Everyone uses them, so they are VERY predictable and the first ones a hacker will try. • Use long AND memorable passwords or pass PHRASES like “4s.CORE&5evn.Yrs” (four score and seven years), which is easy to remember but cannot be easily guessed. HINT: No one enjoys using passwords. Most people create poor, easy-to-remember passwords or keep them taped to monitors or “hidden” under the keyboard. Out of the possible billions of passwords, 90% of people use the same 50 passwords or styles of passwords. This makes the password memorable, but also very easy to predict.
ACCIDENTAL SHARING OF PII How to prevent this breach: • DO NOT send or forward emails or documents without first checking for PII. Once sent, that email and everything in it is YOUR responsibility, even if you are just forwarding it along. Examples: student reports, timesheets, job applications, screenshots for trainings, or hidden columns and tabs in a spreadsheet are very common ways PII is accidentally shared.
PHISHING ATTACKS How to prevent the breach: • DO NOT share your password with anyone. No reputable company will ask for your password. • DO NOT click on links or documents you aren’t expecting - Be savvy. • DO NOT respond to e-mail messages asking for personal information or money. (You’ve just won…) • DO NOT use your school e-mail address to sign up for any personal accounts, including bank accounts, credit card accounts, personal shopping/online shopping accounts, or notification lists. Definition: Phishing attacks are communications like emails or phone calls designed to trick people into giving up PII, or into installing malware that allows hackers to steal PII from computers or other devices. The most common attacks arrive via email. Clicking on a link or document in a phishing email may install malware or open a webpage that attempts to trick you into sharing PII, such as your username and password.
SCHOOL & CLASSROOM SECURITY • DO NOT print PII to local student classroom printers unless you retrieve the paperwork immediately. • DO NOT print PII to a network copier/printer in another location unless print-on-demand security has been set up for each user. DO NOT send students to retrieve print jobs containing PII. • DO NOT leave printed PII on your desk. Store student lists in a secure drawer. Destroy them as soon as possible. • DO NOT allow students to use your teacher/staff computer while logged in as yourself. • DO NOT allow students on your Infinite Campus account FOR ANY REASON. • DO always lock your computer before you leave your room. • DO put a passcode on iPhones, iPads, etc. that have your school email set up on them.
SCHOOL & CLASSROOM SECURITY • NEVER leave ANY passwords in lesson plans for substitute teachers. If you have resources for subs to use, share them by email or through OneDrive/Google Drive. They have individual accounts. • Use caution when allowing students to give presentations from your computer. Make sure nothing is open on your screen such as email, Infinite Campus, etc. Make sure you know what is happening on your computer. Open the student’s presentation yourself and get them to the point where they can take over presenting, or better yet, have them sign in under their own username.
HOW DOES PII APPLY AT HOME? • If you take your computer or work home with you, make sure to follow the same procedures at home that you would at school. The information that you have access to may be privileged and meant for your eyes only, not for the members of your family. Allowing children and family members to have access to your work computer could potentially become a data breach. Remember to use caution and be vigilant to protect the data you have been entrusted with.
DATA BREACH PROCEDURES
WHO TO CONTACT WHEN THERE IS A SUSPECTED DATA SECURITY BREACH • Immediately upon a suspected data breach, contact your school principal or immediate supervisor. • The supervisor will immediately contact the Superintendent. • The Superintendent will contact the District Security Team (DST). • Immediately upon notification, the DST will begin a reasonable and prompt internal investigation into whether the security breach has resulted in or is likely to result in the misuse of personal information. The investigation length is not set and will vary with each instance. • Within 72 hours of a suspected or confirmed breach, send notification via the FAC-001 Form to KDEData. Breach. [email protected] ky. gov
“YES” A BREACH HAS OCCURRED. INVESTIGATION FINDS THE MISUSE OF PII HAS OCCURRED OR IS LIKELY TO OCCUR. • Notify appropriate state agencies within 48 hours of completion of the investigation: KDEData. Breach. [email protected] ky. gov • Develop an interim containment action plan if possible. • Notify all individuals impacted by the confirmed breach within 35 days (KRS 61.933). • Document all actions, evidence and decisions. • Define the root cause. • Design and implement a Permanent Corrective Action Plan. • Prevent recurrence.
“NO” It has been determined that no breach occurred. • Determine why a breach was suspected • If the investigation determines that misuse of personal information has not occurred or is not likely to occur, notification of the impacted individuals is not required, but records of the decision and evidence must be kept. Notification of the agency contacts, above, is still required noting that misuse of personal information has NOT occurred.
IS IT PII? Find the intersection to see if two pieces of info are PII. Just because they aren’t PII, doesn’t mean the info shouldn’t be kept confidential.
[Grid: rows and columns Name, Phone #, Address, Stu. ID, SSN, Grades, Health Info; each intersection is marked Not PII, Confidential, or PII]
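The HB 5 definition on the PII slide and the "IS IT PII?" grid above are both a lookup rule: an identifier (name, initial and last name, personal mark, biometric) plus at least one listed data element is PII, an account or card number only counts together with a code or password, and FERPA-covered health records are carved out. The following is an added example, not material from the Washington County Schools guide; the field labels and the choice of which labels count as merely "Confidential" are assumptions, and the spreadsheet check extends the rule to the hidden-column case from the accidental-sharing slide.

```python
# Added example, not from the guide: a small rule engine for the HB 5
# "Personal Information" definition plus the grid's "Confidential" tier.
# Field labels below are assumed names, not terms from the slide deck.

IDENTIFIERS = {"first_last_name", "initial_last_name", "personal_mark", "biometric"}

# Elements that make a record PII on their own once paired with an identifier.
STANDALONE_ELEMENTS = {
    "ssn", "taxpayer_id_with_ssn", "drivers_license", "state_id_card",
    "agency_id_number", "passport", "us_gov_id_number", "health_info",
}

# Account and card numbers qualify only together with a credential that
# would permit access to the account (security code, access code, password).
ACCOUNT_ELEMENTS = {"account_number", "credit_card_number", "debit_card_number"}
ACCESS_ELEMENTS = {"security_code", "access_code", "password"}

# Assumed: items the grid treats as confidential but not PII on their own.
CONFIDENTIAL_ELEMENTS = {"phone", "address", "student_id", "grades"}


def classify(fields, ferpa_education_record=False):
    """Return 'PII', 'Confidential' or 'Not PII' for the labels present.

    ferpa_education_record=True applies the HB 5 carve-out: health information
    inside a FERPA-covered education record is not a qualifying data element.
    """
    present = set(fields)
    elements = present & STANDALONE_ELEMENTS
    if ferpa_education_record:
        elements.discard("health_info")
    if present & ACCOUNT_ELEMENTS and present & ACCESS_ELEMENTS:
        elements |= present & ACCOUNT_ELEMENTS
    if present & IDENTIFIERS and elements:
        return "PII"
    if present & (STANDALONE_ELEMENTS | ACCOUNT_ELEMENTS | CONFIDENTIAL_ELEMENTS):
        return "Confidential"
    return "Not PII"


def check_spreadsheet(columns, hidden_columns=()):
    """Classify a sheet by ALL its columns, hidden ones included.

    Returns (classification, hidden columns that change the visible result),
    the pre-send check the accidental-sharing slide asks for.
    """
    visible = classify(columns)
    everything = classify(list(columns) + list(hidden_columns))
    culprits = [c for c in hidden_columns
                if classify(list(columns) + [c]) != visible]
    return everything, culprits
```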
YOU MIGHT BE A SECURITY RISK IF… Yes, it’s quiz time.