Presentation transcript: "Office of Health, Safety and Security"
Slide 1: Office of Health, Safety and Security (HSS)
Overview of Personally Identifiable Information (PII) Protection Requirements
May 7
Ray Holmer, Director
Office of Information Management
Office of Resource Management
Office of Health, Safety, and Security
U.S. Department of Energy
Slide 2: Agenda
- Policies and Regulations
- Definition of PII
- Applicability
- Reporting Requirements
- Internal Actions / Requirements
- Liabilities
- Questions
Slide 3: Policies and Regulations
- Privacy Act of 1974
- Federal Information Security Management Act (FISMA) of 2002
- Health Insurance Portability and Accountability Act (HIPAA)
- Office of Management and Budget (OMB) Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"
- DOE Order "Department of Energy Privacy Program"
- DOE Manual "Cyber Security Incident Management Manual"
Slide 4: Policies and Regulations
All DOE systems (paper-based and IT-based) and data collections / repositories are required to have:
- a Privacy Impact Assessment that details the data collection and the measures and controls governing the protection and release of that data;
- a System of Records Notice (SORN) that defines the data collection and details the uses of the data, the purposes, and to whom the data can be released.
Some examples of SORNs covering PII:
- DOE-43, "Personnel Security Clearance Files"
- DOE-51, "Employee and Visitor Access Control Records" (covers access control records and badge systems, paper and IT)
- DOE-63, "Personal Identity Verification (PIV) Files" (covers records generated or used in conjunction with HSPD-12)
Slide 5: Definition of PII
Any information maintained by the Department about an individual, including but not limited to education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as name, Social Security Number, date and place of birth, mother's maiden name, biometric data, etc., including any other personal information that is linked or linkable to a specific individual.
Slide 6: Definition of PII
Examples of PII when associated with an individual:
- Social Security Number
- Date and place of birth
- Credit card numbers
- Bank accounts
- Mother's maiden name
- Biometric data
- Medical history / work exposure history
- Criminal and employment history
A Social Security Number is PII by itself, even when it is not associated with a name.
Slide 7: Applicability
- This concerns actions to address data breaches of personally identifiable information (PII) that is collected, processed or maintained by DOE.
- Data includes, but is not limited to, PII stored on paper records, PII stored on and/or transmitted through DOE computer systems, and sensitive data owned by DOE that is properly stored on non-DOE computer systems.
- Applies to DOE and DOE contractors, including HSS Cooperative Agreement Organizations.
Slide 8: Reporting Requirements
Types of breaches that must be reported include, but are not limited to, the following:
- loss of control of employee information consisting of names and Social Security Numbers (including temporary loss of control);
- loss of control of Department credit card holder information;
- loss of control of PII pertaining to the public;
- loss of control of security information (e.g., logons, passwords, etc.);
- incorrect delivery of sensitive PII;
- theft of PII; and
- unauthorized access to PII stored on Department-operated web sites.
Slide 9: Reporting Requirements
- PII breaches must be reported immediately upon discovery. This applies to all media, including paper, computer and electronic media.
- Reports of PII breaches are transmitted via the DOE Cyber Incident Response Capability (DOE-CIRC) in accordance with applicable Deputy Secretary or Under Secretary policies and procedures.
- Immediate notifications are required to the HSS Federal Program lead and to the HSS Office of Resource Management / Office of Information Management.
- Within one hour of receiving the PII breach report, DOE-CIRC will notify the U.S. Computer Emergency Readiness Team (US-CERT) of the breach, as set forth in the OMB directive and in accordance with current incident reporting processes. Additionally, DOE-CIRC will notify the Department's Senior Agency Official for Privacy and other senior officials in accordance with current procedures.
- Additional notifications by HSS will include:
  - DOE senior management
  - Office of Management and Budget
  - House and Senate committees
  - Other government agencies with an equity
Slide 10: Internal Actions / Requirements
Program Offices are responsible for compiling a report that contains:
- a brief description of what happened, including the dates of the data breach and of its discovery, if known;
- a description of the personal information that was involved (e.g., full name, Social Security Number, date of birth, home address, account numbers, etc.);
- a brief description of actions taken by the Department to investigate, mitigate losses and protect against any further breach of data;
- contact procedures to ask further questions or learn additional information, including a toll-free telephone number, e-mail address, web site, and/or postal address;
- steps that individuals should take to protect themselves from the risk of identity theft, including steps to obtain fraud alerts, if appropriate, and instructions for obtaining other credit protection services (note: alerts may include key changes to fraud reports and on-demand personal access to credit reports and scores); and
- a statement of whether the information was encrypted or protected by other means, when it is determined that such information would be beneficial and would not compromise the security of any Departmental systems.
Slide 11: Internal Actions / Requirements
Risk analysis by the DOE Privacy Impact Response Team (PIRT) considers:
- the nature and content of the data (e.g., the data elements involved, such as name, Social Security Number and/or date of birth);
- the ability of an unauthorized party to use the data, either by itself or in conjunction with other data or applications generally available, to commit identity theft or otherwise misuse the data to the disadvantage of the record subjects;
- ease of logical access to the data given the degree of protection for the data (e.g., unencrypted, plain text);
- ease of physical access to the data (e.g., the degree to which the data is readily available to unauthorized access);
- evidence indicating that the data may have been the target of unlawful acquisition;
- evidence that the same or similar data had been acquired from other sources improperly and used for identity theft;
- whether notification to affected individuals through the most expeditious means available is warranted; and
- whether further review and identification of systematic vulnerabilities or weaknesses and preventive measures are warranted.
Slide 12: Liabilities
The Department or Program Office may be responsible for:
- providing credit monitoring service for 1 year;
- legal fees of individuals whose PII was lost / stolen;
- civil lawsuits;
- criminal prosecution (negligence).
Slide 13: HIPAA
Requirements for the protection of PHI are similar to those for PII:
- Health and Human Services (HHS) is drafting additional regulation as a result of the recent update to HIPAA.
- The new regulations expand coverage beyond the medical community (e.g., lawyers, accountants / billers).
- Protect information from unauthorized access or disclosure.
- Use encryption to protect data at rest and data in transit.
- Look for HIPAA-compliant software, or software whose cryptography is FIPS 140 validated.
- Release data only when the recipient needs it to do their job.
Slide 14: Understanding & Safeguarding PII
Loss of PII:
- can lead to identity theft (which is costly to the individual and to the Government);
- can result in adverse actions being taken against the employee who loses PII;
- can erode confidence in the Government's ability to protect personal information.
Slide 15: Safeguarding & Handling PII – The Do's
- DO make sure all personal data is marked "FOR OFFICIAL USE ONLY" or "PRIVACY DATA".
- DO report any loss or unauthorized disclosure of personal data to your supervisor, program manager, Information System Security Manager, or Privacy Act Officer.
- DO report any suspected security violation or poor security practices relating to personal data.
- DO lock up all notes, documents, removable media, laptops and other materials containing personal data when not in use.
Slide 16: Safeguarding & Handling PII – The Do's (continued)
- DO log off, turn off, or lock your computer whenever you leave your desk.
- DO protect personal data from unauthorized use.
- DO encrypt personal data sent via e-mail.
- DO destroy personal data via shredder when it is no longer needed and retention is not required.
- DO be conscious of your surroundings when discussing personal data, protecting verbal communication with the same heightened awareness as you would paper or electronic data.
Slide 17: Safeguarding & Handling PII – The Don'ts
- DON'T leave personal data unattended.
- DON'T take personal data home, in either paper or electronic format, without written permission of your manager or other official, as required.
- DON'T discuss or entrust personal data to individuals who do not have a need to know.
- DON'T discuss personal data on wireless or cordless phones (unless absolutely necessary).
- DON'T put personal data in the body of an e-mail; instead, send it as a password-protected (encrypted) attachment.
- DON'T dispose of personal data in recycling bins or regular trash unless it has first been shredded.
Slide 18: Safeguarding & Handling PII
- Review business and programmatic processes within your areas and eliminate all unnecessary collection of PII: if you aren't going to use it, don't collect it.
- Report all mishandling of PII, e.g. unencrypted e-mail, unencrypted files.
- Use software or hardware encryption methods; look for FIPS 140 validation and / or HIPAA compliance.
- There is no conflict between the Privacy Act and HIPAA.
Slide 19: Questions
Questions?
Contact Information
Telephone