Personally Identifiable Information (PII) Breach
Primary reference(s)
ITU, 2018. Accessed 4 October 2020.
Additional scientific description
The International Telecommunication Union (ITU) 2018 Security framework for the Internet of things based on the gateway model, ITU-T X.1361 (09/18), includes the following agreed definition of personally identifiable information (PII), the information whose compromise constitutes a PII breach:
Any information that (i) can be used to identify the PII principal to whom such information relates, or (ii) is or might be directly or indirectly linked to a PII principal (ITU, 2018).
To determine whether a PII principal is identifiable, account should be taken of all means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
It also addresses malicious code execution, defining malicious code as any part of a software system or script that is intended to cause undesired effects, security or PII breaches, or damage to a system. Typical examples include viruses, worms and Trojan horses (ITU, 2018).
Metrics and numeric limits
The ITU established ITU-T X.1058 (ITU, 2017), a code of practice for PII protection. This document establishes control objectives, controls and guidelines for implementing controls, in order to meet the requirements identified by a risk and impact assessment related to the protection of PII. The document specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII that may be applicable within the context of an organisation's information security risk environment (ISO, 2013).
Key relevant UN convention / multilateral treaty
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 1981.
The Council of Europe (CoE) Convention on Cybercrime, also known as the Budapest Convention, is the only binding international treaty on this issue. At the time of writing, the total number of countries that had ratified the convention was 64, including both members and non-members of the CoE (CoE, 1981).
Examples of drivers, outcomes and risk management
The number of organisations and amount of online personal information being processed is increasing. In turn, users expect higher levels of security relating to PII and individual data (ITU, 2017). PII can include birth dates, names of under-age individuals, addresses, passport numbers, health care information, social security numbers, driving licence numbers and bank account numbers (Zeiger and Rojas, 2016). Government ministries, departments and agencies are also exposed to PII breaches (McCallister et al., 2010).
Examples of a PII breach include: data breaches (unauthorised disclosure of personal information); security incidents (malicious attacks directed at a company); privacy violations (alleged violation of consumer privacy); and phishing/skimming incidents (individual financial crimes) (Romanosky, 2016).
An example of a PII breach occurred in 2017. Equifax suffered a corporate data breach in which the personal information of 140 million customers, including sensitive personal and financial information, was disclosed without authorisation, violating the confidentiality of protected data assets and thus breaching PII (Wang and Johnson, 2018).
The International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) has developed a high-level framework for the protection of PII within information and communication technology (ICT) systems, initially agreed in 2011 and since reviewed and retained in 2017 (ISO/IEC, 2017). The privacy framework is intended to help organisations define their privacy safeguarding requirements related to PII within an ICT environment by: specifying a common privacy terminology; defining the actors and their roles in processing PII; describing privacy safeguarding requirements; and referencing known privacy principles (ISO/IEC, 2017).
The privacy framework provided within this International Standard can serve as a basis for additional privacy standardisation initiatives, such as for: a technical reference architecture; the implementation and use of specific privacy technologies and overall privacy management; privacy controls for outsourced data processes; privacy risk assessments; or specific engineering specifications (ISO/IEC, 2017).
Some jurisdictions might require compliance with one or more of the documents referenced in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2), Official Privacy Documents References, together with other applicable laws and regulations, but this International Standard is not intended to be a global model policy, nor a legislative framework (ISO/IEC, 2017; ISO, 2020).
References
CoE, 1981. Accessed 20 November 2019.
ISO, 2013. Accessed 21 November 2019.
ISO, 2020. Accessed 30 April 2021.
ISO/IEC, 2017. Accessed 4 October 2020.
ITU, 2017. Accessed 21 November 2019.
ITU, 2018. Accessed 4 October 2020.
McCallister, E., T. Grance and T. Scarfone, 2010. Accessed 21 November 2019.
Romanosky, S., 2016. Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2:121-135.
Wang, P. and C. Johnson, 2018.
Zeiger, A.D. and E.F. Rojas, 2016.