UC Santa CruzInformation Technology Services
  Home About ITS Services ITS News Policies Governance ITS Staff Site Jobs Find An Answer Feedback

Security Awareness Training: Personal Identity Information (PII)

Home > IT Security Awareness > Security Awareness Training: Personal Identity Information (PII)


| Background | Definitions | Responsibilities for Protecting PII | Contact Information |

 

BACKGROUND

California State Law requires that Personal Identity Information (PII) is appropriately protected and that affected individuals must be notified of any reasonable suspicion of a compromise of that protection. The University is responsible for complying with these legal requirements and for providing employees with information about requirements and responsibilities relating to PII.

The UCSC Implementation Plan for Protection of Electronic Restricted Data, provides campus procedures regarding PII, and is referenced throughout this document.

 

 

DEFINITIONS

Personal Identity Information (PII): Personal Identity Information, or PII, is a specific category of particularly sensitive restricted data defined as,

Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  1. Social Security number (SSN)
  2. Drivers license number or State-issued Identification Card number
  3. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account
  4. Medical information: any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  5. Health insurance information: an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records

Special note about credit card information:
Credit card number in conjunction with name is a form of PII. Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.

Restricted Data: Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. 

At UCSC, restricted data includes, but is not necessarily limited to

  • Personal Identity Information (PII) (see definition above),
  • Electronic protected health information (ePHI) protected by Federal HIPAA legislation,
  • Credit card data regulated by the Payment Card Industry (PCI),
  • Records of students with a "Non-Release of Public Information" (NRI) flag in UCSC's Academic Information System (AIS) ,
  • Information relating to an ongoing criminal investigation,
  • Court-ordered settlement agreements requiring non-disclosure,
  • Information specifically identified by contract as restricted,
  • Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high.

Service Provider: The department or individual responsible for regular operational support, backup, and system maintenance of a system with electronic restricted data.

System Steward (also known as the Electronic Information Resource Proprietor, Data or Resource Proprietor, Data Steward, or Data Owner): The individual with ultimate responsibility for a defined set of University electronic information, including determining who should have access to it, and ensuring that the information is protected adequately and is used in ways consistent with the mission of the University as a whole. This can be, but is not limited to, the operating head of a unit or a designee.

 

 

RESPONSIBILITIES FOR PROTECTING PII - WHAT THIS MEANS FOR YOU

  1. Identify what PII you have
  2. Get rid of any PII you do not need to keep
  3. Protect all PII that you must keep
  4. Initiate the incident response process for suspected data breaches

1. Identify PII.
  • Identify, to the best of your ability, any PII that resides on your individual devices. This includes portable devices, e.g. PDAs, disks, CDs, flash drives, cell phones, etc., as well as old and archival data and backups.
  • Inform your Manager of all PII contained in and accessed by your systems.

2. Remove all unnecessary PII from all systems and electronic media.
The best way to protect PII is not to have it in the first place.
  • Work with ITS to securely delete PII when there is no longer a business need for its retention.
  • Work with ITS to completely and securely remove all PII from electronic media before disposal or re-use. Always shred or otherwise destroy restricted data before disposing of it.

  • Additional responsibilities of Managers: Managers should implement and document procedures that govern the receipt and removal of hardware and electronic media containing PII, including equipment reassignment, and final disposition of equipment.

3. Protect all PII that you must keep.
All members of the University community are responsible for appropriate access, use and protection of PII to which they have access or over which they have jurisdiction or control. This includes storage and distribution of PII. Individuals are responsible for working in partnership with Service Providers to ensure appropriate awareness and protection of PII.

System Stewards are responsible for ensuring appropriate measures and checks are in place for protection of PII under their control, including any downloading or transmission of such information. If there is any question about the adequacy of current controls, a review by UCSC IT Security (security@ucsc.edu) or UCSC Internal Audit staff should be requested.

Service Providers are responsible for providing ongoing protection of PII within standard support parameters.

UCSC has developed general guidelines for the protection of all restricted data, including PII. See General Practices for Protecting Electronic Restricted Data, a quick-reference for non-technical employees, and Computer Security Self-Paced Tutorial, including the Protecting PII and other Restricted Data module.


4. Incident Response Procedures for Suspected Data Breaches.
The UCSC Implementation Plan for Protection of Electronic Restricted Data outlines campus incident response procedures for suspected and confirmed breaches of PII, as summarized below. These procedures also apply to security breaches or suspected security breaches involving other types of restricted data, including electronic protected health information (ePHI), credit card information (PCI), and student record data, though notification procedures may differ.

System Stewards are responsible for ensuring that these procedures are followed for all breaches of electronic restricted data, or systems containing electronic restricted data, under their management.

Procedures:
  1. Report Suspected Data Breaches
    Any suspected breach of a system containing PII, or any suspected inappropriate disclosure of PII must be reported to the ITS Support Center, 459-4357, help@ucsc.edu or https://itrequest.ucsc.edu/, regardless of how the suspicion arose. The Support Center will notify UCSC IT Security. If no one is available to receive your report, you may contact UCSC IT Security at security@ucsc.edu
    • Employees are also to report suspected incidents to their supervisor in addition to the ITS Support Center. If no one is available to receive your report, you may contact UCSC IT Security directly: security@ucsc.edu.
    • Service Providers, System Stewards, Unit/Departmental Managers, and ITS staff are also to report suspected incidents to affected Unit/Departmental Managers and System Stewards.
    • Any suspected theft of UCSC-related computing equipment should be reported to the UCSC Police Department. Be sure to let them know if the stolen equipment contains any sensitive information. Local authorities should also be contacted if the incident occurs away from campus.

    The System Steward or designee must complete an Initial Incident Report (UCSC Implementation Plan for Protection of Electronic Restricted Data, Appendix A), and submit this to IT Security, as soon as possible, but no later than 24 hours after the identification of a suspected PII data breach. The System Steward or designee should file a police report with the UCSC Police Department if criminal activity is suspected.

    The IT Security in partnership with the Service Provider will confirm the security breach.

  2. Incident Response Process
    The incident response process is initiated with a suspected security breach of unencrypted electronic PII. Based on the Initial Incident Report, the VC IT will convene the Campus Incident Response Team to determine whether criteria for notification have been met (see Notification Procedures, below).

    IT Security and Service Provider work together to restore the service and integrity of the system with appropriate documentation and preservation of evidence. 

    Upon resolution of the breach, IT Security and the IT Policy Office will coordinate to ensure completion of the Incident Closure Report (UCSC Implementation Plan for Protection of Electronic Restricted Data, Appendix C), and submit this to the VC IT as soon as possible.

  3. Notification Procedures
    If unencrypted electronic PII is reasonably believed to have been acquired by an unauthorized person, state law requires notification to affected subjects.

    If the criteria for notification has been met, the VC IT along with the Campus Incident Response Team determines the notification plan, including the means and text of notification. The VC IT will work with the System Steward or designee and Service Provider to determine the availability of contact information for notification. Upon approval of the notification plan by Campus Counsel, the VC IT works with the Public Information Office (PIO) to deliver the notification.  The VC IT will work with the System Steward or designee and Service Provider as required for additional advice or assistance to affected subjects.

  4. Release of Information
    Requests for information regarding a security incident from University employees without a clearly defined business need to know, or from any individuals or entities outside the University must be directed to the Operations Director in the Office of the Campus Provost/Executive Vice Chancellor.

    Note: Written correspondence, such as email, created during the discovery or investigation phase of a security incident may be considered a public record subject to release under the California Public Records Act and/or Information Practices Act. Therefore, information that is not appropriate for release based on the protection of privacy interests or security considerations (e.g., names of individuals or other identifying information or technical information that could enable another breach) should not be included in this correspondence. This is especially important to take into consideration where notification may be required.

 

 

CONTACT INFORMATION

For questions or feedback about the information in this training, contact the ITS Service Manager for Community and Compliance at itpolicy@ucsc.edu or (831) 459-2779.

For technical questions about implementing or enforcing these practices, contact:

 

Rev. 5/27/09