Personally Identifiable Information (PII) Breach
Primary reference(s)
ITU, 2018. Security framework for the Internet of things based on the gateway model. Recommendation ITU-T X.1361 (09/18). Series X: Data Networks, Open System Communications and Security: Secure applications and services (2) – Internet of things (IoT) security. International Telecommunication Union (ITU). Accessed 4 October 2020.
Additional scientific description
The International Telecommunication Union (ITU) 2018 Security framework for the Internet of things based on the gateway model, Recommendation ITU-T X.1361 (09/18), defines the personally identifiable information (PII) that is exposed in a PII breach as follows:
Any information that (i) can be used to identify the PII principal to whom such information relates, or (ii) is or might be directly or indirectly linked to a PII principal (ITU, 2018).
To determine whether a PII principal is identifiable, account should be taken of all means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
It also addresses malicious code, defined as any part of a software system or script that is intended to cause undesired effects, security or PII breaches, or damage to a system. Typical examples include viruses, worms and Trojan horses (ITU, 2018).
Metrics and numeric limits
The ITU established ITU-T X.1058 (ITU, 2017), a code of practice for PII protection. This document establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of PII. The guidelines are based on ISO/IEC 27002, taking into consideration the requirements for processing PII which may be applicable within the context of an organisation’s information security risk environments (ISO, 2013).
Key relevant UN convention / multilateral treaty
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), Strasbourg 1981 (CoE, 1981).
The Council of Europe (CoE) Convention on Cybercrime, also known as the Budapest Convention (2001), is the only binding international treaty specifically addressing cybercrime. At the time of writing, 64 countries, including both members and non-members of the CoE, had ratified it.
Examples of drivers, outcomes and risk management
The number of organisations processing personal information online, and the amount of such information, are both increasing. In turn, users expect higher levels of security for PII and individual data (ITU, 2017). PII can include birth dates, names of under-age individuals, addresses, passport numbers, health care information, social security numbers, driving licence numbers and bank account numbers (Zeiger and Rojas, 2016). Government ministries, departments and agencies are also exposed to PII breaches (McCallister et al., 2010).
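The PII categories listed above are what a scan of logs or data stores has to recognise before a disclosure can be detected or prevented. The following Python script is an added example, not part of this page or of the ITU or NIST documents it cites: it runs simple detectors for a few of those categories (US-format social security numbers, bank card numbers validated with the Luhn checksum, e-mail addresses, and dates of birth marked by a field name) over constructed sample log lines, reports each finding and redacts it. The patterns, field names and sample lines are assumptions made for illustration.

```python
"""Added example: detect and redact common PII categories in log lines.

The regular expressions, the field names (ssn=, dob=, card=) and the
sample log lines below are assumptions for illustration, not taken from
the ITU or NIST documents cited on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (synthetic data, no real persons).
SAMPLE_LOGS = [
    "2021-04-30 10:01:02 INFO login user=jdoe email=jane.doe@example.org",
    "2021-04-30 10:01:05 DEBUG profile ssn=123-45-6789 dob=1984-07-21",
    "2021-04-30 10:02:11 INFO payment card=4111111111111111 amount=42.00",
    "2021-04-30 10:02:12 INFO order id=1234567890123456 status=ok",  # 16 digits, fails Luhn
    "2021-04-30 10:03:00 INFO healthcheck ok",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    value: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Category -> pattern. A capturing group, when present, isolates the PII value.
PATTERNS = {
    # US SSN: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # A bare date also matches the log timestamp, so require a birth-date field name.
    "dob": re.compile(r"\b(?:dob|birth(?:date|day)?)\s*[=:]\s*(\d{4}-\d{2}-\d{2})\b", re.I),
    # Candidate card number: 13-19 digits, confirmed by the Luhn check below.
    "card": re.compile(r"\b\d{13,19}\b"),
}


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            if category == "card" and not luhn_valid(value):
                continue  # an order id or similar, not a card number
            findings.append(Finding(line_no, category, value))
    return findings


def scan_logs(lines: list[str]) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(lines, 1):
        findings.extend(scan_line(line_no, line))
    return findings


def redact(line: str) -> str:
    """Mask card numbers to their last four digits; replace other PII outright."""
    for f in scan_line(0, line):
        if f.category == "card":
            masked = "*" * (len(f.value) - 4) + f.value[-4:]
        else:
            masked = "[" + f.category.upper() + " REDACTED]"
        line = line.replace(f.value, masked)
    return line


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.category} -> {f.value}")
    print()
    for line in SAMPLE_LOGS:
        print(redact(line))
```

Two design choices matter more than the individual patterns. Card detection is gated on the Luhn checksum so that arbitrary 16-digit identifiers (the order id on line 4) are not flagged, and dates are only treated as dates of birth when a field name marks them, because a bare date pattern would also match every log timestamp. A scanner of this kind is a coarse first pass: it will miss PII in formats it does not know (national ID formats other than the US SSN, free-text addresses), so it complements rather than replaces data classification at the point of collection.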
Examples of a PII breach include: data breaches (unauthorised disclosure of personal information); security incidents (malicious attacks directed at a company); privacy violations (alleged violation of consumer privacy); and phishing/skimming incidents (individual financial crimes) (Romanosky, 2016).
An example of a PII breach occurred in 2017, when Equifax suffered a corporate data breach in which the personal and financial information of about 140 million individuals, including sensitive data, was disclosed without authorisation, violating the confidentiality of protected data assets and thus breaching PII (Wang and Johnson, 2018).
The International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) has developed a high-level framework for the protection of PII within information and communication technology (ICT) systems, initially agreed in 2011 and since reviewed and retained in 2017 (ISO/IEC, 2017). The privacy framework is intended to help organisations define their privacy safeguarding requirements related to PII within an ICT environment by: specifying a common privacy terminology; defining the actors and their roles in processing PII; describing privacy safeguarding requirements; and referencing known privacy principles (ISO/IEC, 2017).
The privacy framework provided within this International Standard can serve as a basis for additional privacy standardisation initiatives, such as for: a technical reference architecture; the implementation and use of specific privacy technologies and overall privacy management; privacy controls for outsourced data processes; privacy risk assessments; or specific engineering specifications (ISO/IEC, 2017).
Some jurisdictions might require compliance with one or more of the documents referenced in ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents references with other applicable laws and regulations, but this International Standard is not intended to be a global model policy, nor a legislative framework (ISO/IEC, 2017; ISO, 2020).
References
CoE, 1981. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Strasbourg Convention). European Treaty Series - No. 108. Council of Europe (CoE). Accessed 20 November 2019.
ISO, 2013. ISO/IEC 27002:2013 Information technology: Security techniques: Code of practice for information security controls. International Organization for Standardization (ISO). Accessed 21 November 2019.
ISO, 2020. ISO/IEC JTC 1/SC 27/WG 5 Identity management and privacy technologies. Accessed 30 April 2021.
ISO/IEC, 2017. ISO/IEC 29100:2011 Information Technology – Security Techniques – Privacy Framework. International Organization for Standardization / International Electrotechnical Commission (ISO/IEC). Accessed 4 October 2020.
ITU, 2017. ITU-T X.1058 Information technology: Security techniques: Code of practice for personally identifiable information protection. International Telecommunication Union (ITU). Accessed 21 November 2019.
ITU, 2018. Security framework for the Internet of things based on the gateway model. Recommendation ITU-T X.1361 (09/18). Series X: Data Networks, Open System Communications and Security: Secure applications and services (2) – Internet of things (IoT) security. International Telecommunication Union (ITU). Accessed 4 October 2020.
McCallister, E., T. Grance and K. Scarfone, 2010. NIST Special Publication 800-122: Guide to protecting the confidentiality of personally identifiable information. Recommendations of the National Institute of Standards and Technology. Accessed 21 November 2019.
Romanosky, S., 2016. Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2:121-135.
Wang, P. and C. Johnson, 2018. Cybersecurity incident handling: a case study of the Equifax data breach. Issues in Information Systems, 19:150-159.
Zeiger, A.D. and E.F. Rojas, 2016. Teamwork prep for data management. In: Zeiger, A.D. and E.F. Rojas (eds.), Preserving Electronic Evidence for Trial. Syngress, pp. 79-88.