
FAQs
-
What is Personally Identifiable Information (PII)?
There are many different definitions of PII, and the applicable definition depends on which state laws apply to a particular situation. Most definitions, however, include some variation of a person’s name or initials IN COMBINATION WITH other pieces of information that can be used to identify the person, including social security numbers, driver’s license numbers and financial account numbers. Some state laws further include date of birth, mother’s maiden name, biometric records, and certain medical, educational or employment information.
-
What is a breach of PII?
The definition of a breach or a “breach of the security of the system” varies from state to state. In many states, a “breach of the security of the system” arises from any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business.” In some states, however, the unauthorized disclosure or acquisition of hard-copy records (in addition to computerized data) may also constitute a breach. A breach can occur in many ways, including through lost laptops or mobile devices, improper disposal of paper records, or intrusion into your network or PCs by attackers.
-
What are my PII data breach risks?
Loss and theft of PII occur every day, and the financial penalties for these data breaches can be significant. More serious breaches involving PII, especially those involving highly sensitive forms of PII, can result in criminal penalties. Your business reputation can also be severely damaged. Consumer surveys cited by Visa USA indicate that approximately 79 percent of customers lose trust in a company that experiences a breach involving their PII, and approximately 74 percent say they will not continue to shop at a place where they feel their PII may be at risk. Other studies show that a data breach costs companies, on average, about $214 per compromised record.
-
MasterCard and Visa have Payment Card Industry (PCI) rules. What is the difference between PCI and PII?
PCI stands for Payment Card Industry. The PCI Data Security Standard (PCI DSS) protects payment card data such as the debit or credit card number, expiration date and card security code. PII, or Personally Identifiable Information, is a broader category of data that encompasses both payment card information and the various pieces of information that uniquely identify, or can be used to identify, an individual.
-
What is the difference between a PCI breach and a PII breach?
The differences between a PCI breach and a PII breach chiefly stem from the different types of information compromised in each. The particular data elements involved can significantly affect the short- and long-term consequences of a breach in a variety of ways. For example, a payment card information breach often results in card fraud (e.g., unauthorized transactions) and a fine to merchants from MasterCard, Visa or American Express. A PII breach can be more damaging in that a person’s identity could be stolen as a result of the unauthorized acquisition of personal details about affected individuals. Perpetrators can sometimes open new credit cards, apply for loans and establish new credit accounts with the stolen information.
-
How can the threat of a PII data breach be minimized?
Almost everyone can do more to protect PII. CSR’s consulting services, in particular, are designed to help do just that. We offer a comprehensive suite of breach defense, preparedness and response services for businesses, merchants, employers, and various other entities who want us to be very involved in the process from start to finish. Our clients can take advantage of our consulting services concerning appropriate safeguards for PII, forensic evaluation of particular breach incidents, and/or responding to affected individuals and other necessary parties beyond card brands and government agencies when PII is compromised.
-
What agencies do I have to report to when a breach occurs?
The agencies that must be notified of a breach involving PII depend on the applicable laws and the particular circumstances of the breach. You may be required to report a breach to one agency, to multiple agencies, or to none at all.
-
How can my business be harmed if PII is lost or stolen?
Forty-nine states in addition to various other jurisdictions currently have laws in place that may require notification of affected individuals and potentially others in the event that PII is lost, stolen or otherwise compromised. The ramifications of such breaches can be substantial. They can take many forms, including costs and expenses associated with managing a breach, private lawsuits or government investigations arising from a breach, as well as lost consumer trust and diminished brand reputation.
The financial consequences of failing to properly report a breach can also be substantial, possibly even more so than those associated with the breach itself. As just one example, Visa can assess fines of up to $100,000 per breach incident against merchants that fail to promptly and appropriately report the incident to them. Risk can be mitigated by positioning your organization to be able to act quickly in the face of a breach.
-
What if I don’t record or maintain any PII data?
Many merchants do not realize that the cardholder’s name is encoded in the magnetic stripe of many cards and is captured when the card is swiped at a point-of-sale terminal (this is how the cardholder’s name can be printed on the merchant’s copy of the receipt). As such, merchants may be collecting and storing information that constitutes PII through their point-of-sale terminals even if customers are not expressly asked to provide it. This means that if a point-of-sale terminal is breached, merchants could be required to notify individuals as well as other entities of the breach.
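To make the point concrete, the following is an added example (not code from the original page or from CSR) that parses the Track 1 data a magnetic-stripe reader delivers. Track 1 in the ISO/IEC 7813 format B layout carries the account number, then the cardholder name as SURNAME/GIVEN between two `^` separators, then expiry and service code; a terminal or log that keeps the raw swipe therefore keeps a name tied to a card number. The `ContainsPII` check is a hypothetical helper a merchant could run over POS logs or stored transaction data; the sample swipe is constructed with a well-known test card number and a fictional name.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Track1 holds the fields encoded on a payment card's magnetic stripe Track 1
// (ISO/IEC 7813 format B). The cardholder name sits between the two '^'
// field separators, which is why a plain card swipe delivers PII.
type Track1 struct {
	PAN         string // primary account number
	Surname     string
	GivenNames  string
	ExpiryYYMM  string
	ServiceCode string
}

// %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
var track1Re = regexp.MustCompile(`^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?$`)

// ParseTrack1 parses raw Track 1 data and reports the fields it carries.
func ParseTrack1(raw string) (Track1, error) {
	m := track1Re.FindStringSubmatch(strings.TrimSpace(raw))
	if m == nil {
		return Track1{}, errors.New("not well-formed Track 1 data")
	}
	surname, given := m[2], ""
	if i := strings.Index(m[2], "/"); i >= 0 {
		surname, given = m[2][:i], strings.TrimSpace(m[2][i+1:])
	}
	return Track1{
		PAN:         m[1],
		Surname:     strings.TrimSpace(surname),
		GivenNames:  given,
		ExpiryYYMM:  m[3],
		ServiceCode: m[4],
	}, nil
}

// ContainsPII is a hypothetical check for POS logs or stored swipes: it reports
// whether a line carries a cardholder name alongside a card number, i.e. data
// that a breach-notification law would treat as PII rather than card data alone.
func ContainsPII(line string) bool {
	t, err := ParseTrack1(line)
	return err == nil && t.Surname != ""
}

func main() {
	// Constructed sample: a standard test PAN and a fictional cardholder.
	sample := "%B4111111111111111^DOE/JANE^25121011000000000000?"
	t, err := ParseTrack1(sample)
	fmt.Printf("%+v err=%v containsPII=%v\n", t, err, ContainsPII(sample))
	fmt.Println("receipt line:", ContainsPII("TOTAL 42.00 APPROVED"))
}
```

If `ContainsPII` fires on anything your terminal or middleware writes to disk, you are storing PII (and full track data, which PCI DSS forbids retaining after authorization), whether or not you ever asked the customer for a name.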
-
What are responsibilities to internal business operations (i.e. employees, contractors, etc.)?
Information security and breach preparedness are not just for customer-facing businesses. The forty-nine plus security breach notification laws already in existence generally apply to any person’s PII. This means employees, subcontractors, service providers, job applicants and others would need to be notified if PII about them that is in your care is compromised. In addition, if a business acts as a service provider for other companies, it may be required to notify these other companies if PII about their customers, employees, or contractors is compromised while in the business’ care.
-
Do Credit-Reporting Agencies (CRAs) need to be informed of a breach involving PII?
The answer is sometimes, depending on the circumstances of the breach. Most of the state security breach notification laws contain provisions regarding reporting breaches to CRAs such as Equifax, Experian, and TransUnion. The CSR Breach Reporting ToolKit determines whether CRAs must be informed of a data breach. If reporting is required, our consulting services group can be engaged to help notify CRAs as necessary.
-
What is the purpose of sending consumer notifications?
While the risk may be difficult or impossible to quantify, unauthorized acquisition of sensitive PII by a third party potentially increases the risk that an individual will be victimized by fraud or some form of identity theft. Telling individuals that their PII has been, or may be, exposed to an unauthorized third party allows them to take proactive steps to protect themselves from identity theft and other forms of fraud. Such precautions can include canceling compromised credit or debit cards, placing a fraud alert on consumer credit reports or simply reviewing financial account statements more carefully. Regardless of whether consumers elect to take any precautions, they will be in a better position to make informed decisions if they receive notice of a breach. Consumer notifications can also be an opportunity to let affected individuals know that their privacy is cared about and to help them understand what happened and how their PII was exposed.
-
What if PII under care was encrypted?
Virtually all jurisdictions have mirrored California’s exemption from breach reporting and notification when PII is encrypted or otherwise rendered unreadable. Affected individuals and others may not need to be notified if the PII in your care was encrypted. While encryption is not defined in some of the state security breach notification laws, it generally requires that PII be transformed into a form in which there is a low probability of assigning meaning to it without the use of a confidential process or key. Some states, however, require that PII be encrypted or secured using particular technologies or processes in order for this notification exemption to apply, and the exemption is generally lost if the encryption key was acquired along with the data.
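What “encrypted” has to mean in practice is shown by the following added example (not code from the original page or from CSR): field-level encryption of a stored PII value with AES-256-GCM, which renders the stored form meaningless without the key and also detects tampering. The record identifier is bound as associated data so that a ciphertext cannot be silently copied onto a different customer’s record. The function and record names are illustrative, the sample value is a constructed, SSN-shaped string, and the key is generated in memory here only for demonstration; the point of the design is that the key lives somewhere other than the database that holds the ciphertexts (a KMS, HSM or secrets store), because an attacker who obtains both has obtained readable PII.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewPIIKey generates a random 256-bit AES key. In a real deployment this key
// is held in a KMS/HSM or secrets store, never beside the encrypted records.
func NewPIIKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField encrypts one PII value with AES-256-GCM. A fresh random nonce is
// prefixed to the ciphertext, and recordID is bound as associated data so the
// ciphertext only decrypts in the context of the record it was written for.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField. It fails on a wrong key, a wrong recordID,
// or any modification of the stored value, so a tampered record is never
// returned as if it were genuine.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := NewPIIKey()
	// Constructed sample value; "cust-1001" is a hypothetical record identifier.
	enc, _ := EncryptField(key, "cust-1001", "123-45-6789")
	fmt.Println("stored form:", enc)
	dec, err := DecryptField(key, "cust-1001", enc)
	fmt.Println("recovered with key:", dec, err)
	_, err = DecryptField(key, "cust-2002", enc)
	fmt.Println("copied onto another record:", err)
}
```

Note that an attacker who exfiltrates the database sees only the base64 strings; whether that satisfies a given state’s exemption still depends on that state’s wording and on the key not having been taken as well, which is the reason for keeping key storage and record storage apart.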
-
What if PII received from another organization is compromised?
If PII belonging to another organization is compromised while under your care, you may be required to notify that organization of the compromise. Most state laws place the ultimate responsibility for notifying consumers of a breach on the owner or licensee of the PII. However, others who receive or maintain this information are typically required to promptly or immediately notify the owner or licensee after discovering a breach of PII so that the owner or licensee can take action accordingly. You may also be required to cooperate with the data owner or licensee by providing relevant details about the breach incident and about any remedial measures being taken. Even where notice to the owner or licensee is not legally required, it may be appropriate depending on the relationship.
-
Who is responsible for overseeing compliance of the various security breach laws?
As a general rule, the various state attorneys general and other state regulatory bodies are responsible for enforcing and overseeing compliance with state security breach notification laws. In some states, consumers who are harmed by a violation of the state’s notification law may bring a private lawsuit to enforce the law and recover damages for the violation. At the federal level, this responsibility is principally vested in the Federal Trade Commission, the Consumer Financial Protection Bureau and, for healthcare-related entities, the Department of Health and Human Services. The consequences of failing to comply with applicable breach notification obligations can be significant, and will only add to the difficulties of responding to the breach itself.
