Personally Identifiable Information (PII)

The 21st Century Threat

Ronald J. Veazie

Webster University, Los Angeles AFB

Security Administration and Management SECR-5020

Professor Chris Silva

July 12, 2017

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

 The 21st century appears to be fast moving and innovative in various methods such as the

evolution of cryptocurrencies, quantum computing, and new scientific discoveries to name a few.

Regardless of how advanced we get, the threat to obtain/steal our Personally Identifiable

Information (PII), continues to exist and appears to be a threat that is not going away anytime

soon.

PII is information that personally identifies you, i.e., Social Security Account Number (SSAN),

home address, drivers license number, medical data, etc. This paper will review and address the

following topics related to PII:

- How is PII codified in United States law?

- What are the types of Personally Identifiable Information

- What is the threat to PII data?

- How can PII be used against me?

- How can I protect myself?

- What can universities do to help inform and protect students?

- What does the future hold?

United States Code (USC), 2 CFR 200.79 - Personally Identifiable Information (PII), defines PII

as, PII means information that can be used to distinguish or trace an individuals identity, either

alone or when combined with other personal or identifying information that is linked or linkable

to a specific individual. Some information that is considered to be PII is available in public

sources such as telephone books, public Web sites, and university listings. This type of

information is considered to be Public PII and includes, for example, first and last name, address,

work telephone number, email address, home telephone number, and general educational

credentials. The definition of PII is not anchored to any single category of information or

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

technology. Rather, it requires a case-by-case assessment of the specific risk that an individual

can be identified. Non-PII can become PII whenever additional information is made publicly

available, in any medium and from any source, that, when combined with other available

information, could be used to identify an individual.1

The governments definition of PII is a good starting point to understand that PII can be a case-

by-case assessment due to how it is being utilized to ensure no laws are being broken and to

protects its citizens. PII is crucial to maintaining good credit, and being able to identify oneself

at various agencies, especially government agencies where services and benefits are determined

by correctly identifying a person. Its crucial for PII data to be codified so there can be laws

established to ensure citizens have rights and criminals get punished.

That leads to recognizing the different types of PII. Many people are not aware of the

various types of PII data that is kept on them by various agencies. Whether it be the federal

government, city/local government, banks, hospitals, schools/universities, department stores,

online stores/retailers, local shops, gyms, cable companies or your favorite restaurant, PII data is

maintained by probably too many agencies and many Americans freely give their PII data

without questioning the reason an agency needs this data. I remember once trying to get a quote

for DirectTV and they wanted my Social Security Number (SSN); I asked the lady if she really

needed the same number that I will one day use to claim my retirement benefits from the federal

government to get cable TV. She indicated she could use my address instead of my SSN.

Frequently we dont ask for alternatives when were asked for our PII data. Its important to

know what PII data is and when you are required to provide it. Just because an agency ask for

1
https://www.gpo.gov/fdsys/pkg/CFR-2014-title2-vol1/pdf/CFR-2014-title2-vol1-sec200-79.pdf (U.S. Government
Publishing Office (GPO))

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

your data doesnt mean you are required to provide it. Below is a chart that covers some, not all,

of the different types of PII:

Many agencies understand the importance of securing the PII data they maintain on their

customers and take the necessary precautions to properly protect this data. Knowing when to

provide the appropriate PII data and to which agency/organization can aid in preventing PII data

from being misused.

On June 4, 2015, the federal governments Office of Personnel and Management (OPM),

announced it experienced a cybersecurity incident potentially affecting approximately four

million people and leading to the resignation of the OPM director.3 It was later revealed that the

2
PII Chart source: http://www.onlinewebsitesecurity.com/wp-content/uploads/2016/08/PII-chart_FINAL.png

3
https://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

hack had probably been going on for over a year, over five million fingerprints stolen, probably

affected over 21 million people and the hack was the work of the Chinese government. The

threat of misuse of this hacked data cannot be underestimated. When a foreign government is

able to obtain the entire personnel history of a person, it can lead to blackmail and criminal use

of their data. Besides for foreign governments hacking PII data, individuals and criminal entities

are daily trying to obtain PII data for their own financial gain. Frequently there are news articles

indicating a major retailer had their servers hacked that contained the credit card data of their

customers. The threat of misusing PII data is a daily one that can devastate a person if their PII

data is used against them.

Its one thing for a criminal to hack your PII data, its another to actually use your own

data against you. For your PII data to be used against you, your data must be hacked, as in the

OPM data hack where so much critical data is stored in one place, or your PII data can be

obtained through a process called Social Engineering. Symantec defines Social Engineering as,

a hackers clever manipulation of the natural human tendency to trust.4 Oftentimes PII is

obtained through Social Engineering where you participate in giving away your PII.

For example, if you sell items on line, be careful when responding using your personal email

address. Scammers will offer above your asking price when you respond via email and will then

ask for your address to mail a cashiers check to you or they might ask for your PAYPAL account

information. The scammer can take your email address and assume you have a PAYPAL account

and contact PAYPAL to reset your account based on the PII data they obtained from you and

empty your PAYPAL account. Once that type of information is provided, the criminal will then

try to get your bank account or PAYPAL account information and drain your accounts based on

information you initially provided. One solution you can utilize is to create an email account
4
https://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

you only use to sell items online that is not connected to any of your accounts that are linked to

your financial data. Another approach is to always have your antennae up for the, if it sounds

too good to be true, it probably is syndrome. While we never like to consider ourselves as

greedy, sometimes we can be vulnerable to successful Social Engineering attempts due to

greed. Our PII data is crucial and can be used against us to destroy our credit while taking

months or years to recover. Our Protected Health Information (PHI)5, can also be used against us

by someone utilizing our medical benefits without our knowledge or authorization, thus

endangering our ability to use our own medical benefits in a timely manner. An organization

should ensure it is protecting PHI data in accordance with HIPAA privacy rules to protect its

patients.6 PII/PHI data can be used against a person to steal their financial and/or health data and

any other nefarious purposes the mind can imagine. The key is to protect oneself with preventive

actions prior to being hacked or deceived via Social Engineering.

There are various preventative methods to protect oneself in the case your PII data is

hacked or obtained through other methods. One of the best methods to employ is a monitoring

service that also provides repair/resolution services in case your PII is stolen. Companies such

Legal Shield, CSID, Experian and LifeLock provide constant monitoring and repair services for

these types of incidents. When OPM was hacked in 2015, my data was included in that hack.

OPM provided approximately 15-18 months of free monitoring by CSID. While these services

are not free, they are low-cost and provide excellent protection. In the case of Legal Shield,

below is a chart reflecting the types of benefits they provide:

5
http://ora.research.ucla.edu/OHRPP/Documents/Policy/6/PHI_PII.pdf
6
https://www.healthit.gov/providers-professionals/ehr-privacy-security/practice-integration

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

 Individual Family
Legal Shield Product Features
$9.95 $19.95
Members
Covers Spouse/Partner
Covers up to 8 Children
Consultation
Unlimited Counseling w/ Licensed Investigator
SSN Fraud Detection
Monthly ID Theft Updates
Emergency Assistance 24/7/365
Data Breach Notifications
Identity Alert System
Lost & Stolen Wallet Assistance
Reduced Pre-Approved Card Offers
Sex Offender Registry Reports
Identity Restoration
Licensed Investigators
$5MM Service Guarantee
Complete Identity Recovery*
Privacy Monitoring
File Sharing Network Searches
Name Monitoring
Passport Number Monitoring
Black Market Website Surveillance
DOB Monitoring
SSN Monitoring
Email Monitoring

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

 Individual Family
Legal Shield Product Features
$9.95 $19.95
Phone Number Monitoring
Drivers License Number Monitoring
Medical ID Number Monitoring
Address Change Verification
Security Monitoring
Quarterly Score Tracker
Credit Inquiry Alerts
Credit Card Number Monitoring
Bank Account Number Monitoring
Court Records Monitoring
Credit Monitoring
Payday Loan Monitoring
Minor Identity Protection
7

There are also free services provided by the three major credit monitoring bureaus, TransUnion,

Equifax and Experian. The federal government also provides a wealth of resources for citizens

to combat PII/identity theft; some of the resources are:

- USA.GOV Identity Theft (https://www.usa.gov/identity-theft)

- Federal Trade Commission Identity Theft (https://www.identitytheft.gov/)

- Federal Bureau of Investigation (https://www.fbi.gov/investigate/white-collar-

crime/identity-theft)

The most important thing to remember is to have a preventative action plan in place in case you

are the victim of misuse/criminal activity of your PII data. Besides for individuals taking action,

agencies such as universities can play a crucial role in assisting to inform and protect its students.
7
http://www.lawshieldnow.com/

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

 The first role any university can take is to ensure it takes its IT department seriously by

providing the proper funding and give that department the tools it needs to protect the PII data

under its care and ensure all laws and regulations are implemented. Universities can also play a

role by implementing the following:

- Non-credit courses/educational meetings to teach the PII/identity theft and social

engineering threat and provide information on school websites such as the examples

below:

o UCLA - https://police.ucla.edu/prevention-education/identity-theft

o USC - https://ois.usc.edu/living-in-la/money/ssn/identity-theft-and-ssn/

- Partner with companies that provide monitoring services to offer low cost preventative

plans for their faculty, staff and students (bulk memberships usually result in decreased

costs)

The theft of PII data is a growing threat. It is imperative that universities recognize the

magnitude of this threat and take a leading role to help combat it. Because of research being

conducted at universities and other organizations, there is a glimmer of hope to combat this

threat.

The future of how PII will be protected and how to approach Social Engineering

problems appears to be bright. One of the threats mentioned previously is Social Engineering.

This is not only an online threat because many people are fooled into meeting a stranger in

person to sell an item via Craigslist. The Los Angeles Police Department (LAPD), has taken a

leading role by offering safe exchange zones8 for online sellers and buyers to meet and avoid a

harmful situation. So far the LAPD has established nine police stations for the purchase of

meeting to exchange money for property. Hopefully this approach will get adopted by other
8
http://abc7.com/news/lapd-sets-up-safe-zones-for-online-buyers-sellers/2156129/

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

police departments throughout the nation to help protect citizens wanting to safely participate in

e-commerce. On the technology front in the distant future, quantum computing might be able to

solve the ills of the theft of PII data. Quantum computing is a complex topic, but to keep it

simple, many scientists believe it will solve the problem of computer hacking. Some believe that

quantum computer will be 100 million times faster9 than current computers, making it virtually

impossible to hack a quantum computer. According to a recent article in Space.com, Chinese

scientist have recently made a breakthrough in quantum computing by setting a new teleportation

distance which reflects that quantum computers will be impossible to hack: Not only did the

team set a record for quantum teleportation distance, they also showed that one can build a

practical system for long-distance quantum communications. Such a communication system

would be impossible to eavesdrop on without alerting the users, which would make online

communications much more secure.10 While quantum computing in everyday use is a long way

off, the promise it holds is astounding.

The PII threat is real and dangerous. According to the Bureau of Justice Statistics, over

17 million residents experienced some form of identity theft in 2014.11 That number represents

approximately seven percent of the United States was affected by identity theft. While we await

the promise quantum computing holds, practical applications available today can aid in

protecting PII data. Being careful of what websites are visited, questioning who PII data is

provided to and utilizing a fee or free monitoring service goes a long way to protect oneself from

being a victim of PII/PHI data theft.

9
http://www.securityweek.com/quantum-computings-threat-public-key-cryptosystems
10
https://www.space.com/37506-quantum-teleportation-record-shattered.html
11
https://www.bjs.gov/content/pub/press/vit14pr.cfm

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

 REFERENCES

https://www.gpo.gov/fdsys/pkg/CFR-2014-title2-vol1/pdf/CFR-2014-title2-vol1-sec200-79.pdf
(U.S. Government Publishing Office (GPO)

Your PII Chart source:

http://www.onlinewebsitesecurity.com/wp-content/uploads/2016/08/PII-chart_FINAL.png

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017

Kevin Bonsor & Jonathan Strickland "How Quantum Computers Work" 8 December 2000.
HowStuffWorks.com. http://computer.howstuffworks.com/quantum-computer.htm 12 July 2017

OPM data breach notice to employees: https://www.opm.gov/news/releases/2015/06/opm-to-

notify-employees-of-cybersecurity-incident/
Symantec definition of Social Engineering: https://www.symantec.com/connect/articles/social-
engineering-fundamentals-part-i-hacker-tactics
Protected Health Information:
http://ora.research.ucla.edu/OHRPP/Documents/Policy/6/PHI_PII.pdf
Integrating Privacy and Security Into Your Practice: https://www.healthit.gov/providers-
professionals/ehr-privacy-security/practice-integration
Legal Shield Identity Theft benefits: http://www.lawshieldnow.com/
LAPD Safe Zones: http://abc7.com/news/lapd-sets-up-safe-zones-for-online-buyers-
sellers/2156129/
Quantum Computings Threat to Public-Key Cryptosystems:
http://www.securityweek.com/quantum-computings-threat-public-key-cryptosystems
Chinese Scientists Just Set the Record for the Farthest Quantum Teleportation:
https://www.space.com/37506-quantum-teleportation-record-shattered.html

Bureau of Justice Statistics: https://www.bjs.gov/content/pub/press/vit14pr.cfm

Full disclosure: I am a Legal Shield Independent Associate.

Webster University-Los Angeles AFB Campus Ronald J. Veazie 12 July 2017