U.S. government agencies should take a number of precautions when handling the personal information held in their organizations, according to the NIST document. The recommendations are intended for U.S. federal agencies and the companies that work with them, but NIST said other sectors may also find the document useful.
The report states that organizations should store only the PII necessary to conduct business, develop an incident response plan for a breach, and encourage coordination on data-loss incidents among CIOs, information security officers and legal counsel.
Scott Larson, executive managing director of computer forensic consulting firm Stroz Friedberg, told SCMagazineUS.com on Thursday that he thinks the guidelines are timely and that there will be an increased focus on privacy protection once President-elect Obama takes office next week.
“I think with a change in administration, a lot of these data privacy issues will be re-examined,” Larson said.
There has been increased concern about how federal agencies are storing, accessing and mining data, he said.
PII can include things such as names, personal identification numbers (Social Security number, passport number, driver's license number, credit card number), address information, and other personal characteristics (photos, fingerprints, retina scans).
The report also recommends that organizations create policies for handling PII, with clearly defined consequences if they are not followed. Entities should provide education, training, and awareness to employees on protecting PII. The document contains exercises with scenarios involving PII and questions to build skills and teach employees how to handle it.
Larson said organizations may struggle with one of the recommendations, which asks them to categorize data based on its level of confidentiality. Agencies may simply be unable to do this because they don't have enough staff.
“Sometimes it comes down to resources,” Larson said.
Larson said encryption and obfuscation are the most effective ways to protect data.
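To make the "store only what you need" and "obfuscate what you keep" advice concrete, here is an added example (not from the NIST draft and not Stroz Friedberg's code) that scrubs two of the PII identifiers listed above, Social Security numbers and credit card numbers, out of records before they are written to logs or a secondary store. It replaces each match with a keyed, one-way pseudonym and drops every field a downstream consumer was not explicitly granted. The key, the regexes, the `tok_` prefix and the sample records are all assumptions constructed for this example; the Luhn check is the standard mod-10 test and is there only to cut false positives on long digit runs.

```python
"""Scrub SSNs and card numbers from records before they reach logs or storage.

Illustrative example added to this article, not NIST or Stroz Friedberg code.
PSEUDONYM_KEY is a constructed placeholder; in production it comes from a
KMS/HSM and is rotated per retention policy.
"""
import hashlib
import hmac
import re

# Constructed key for the example only; never hard-code a real one.
PSEUDONYM_KEY = b"example-only-do-not-use-in-production"

# 3-2-4 SSN shape, excluding area numbers that are never issued (000, 666, 9xx)
# and zero group/serial parts.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check; most random digit runs that match CARD_RE fail it."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token: the same input always maps to the same token, so
    records stay joinable, but without the key the token cannot be reversed.
    An unkeyed hash of an SSN is brute-forceable (only ~1e9 candidates), which
    is why HMAC rather than plain SHA-256 is used here."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]          # assumed token format for this example


def scrub_text(text: str) -> str:
    """Replace SSNs and Luhn-valid card numbers in free text with pseudonyms."""
    text = SSN_RE.sub(lambda m: pseudonymize(m.group(0)), text)

    def card_sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        # Normalise separators so "4111 1111 ..." and "4111-1111-..." tokenize alike.
        return pseudonymize(re.sub(r"[ -]", "", raw)) if luhn_ok(raw) else raw

    return CARD_RE.sub(card_sub, text)


def minimize_record(record: dict, allowed: set) -> dict:
    """Data minimization: keep only the fields the downstream system was
    granted, and scrub any free-text field that survives the cut."""
    return {
        key: scrub_text(val) if isinstance(val, str) else val
        for key, val in record.items()
        if key in allowed
    }


if __name__ == "__main__":
    # Constructed sample record; the card number is the well-known Visa test value.
    sample = {
        "user_id": 42,
        "ssn": "123-45-6789",
        "note": "caller gave SSN 123-45-6789 and card 4111 1111 1111 1111",
    }
    print(minimize_record(sample, {"user_id", "note"}))
```

`minimize_record` deliberately takes an allow-list rather than a deny-list: a new field added to the source record is dropped by default instead of leaking until someone remembers to block it. The regex pass is a safety net for PII that ends up in free text, not a substitute for knowing which structured fields hold it.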
The draft report is open to public comment until March 13. The final version will be released after the authors have reviewed the public feedback and made changes to the report based on the number and type of comments received, Erika McCallister, a computer scientist at NIST who co-authored the report, said in an email to SCMagazineUS.com Thursday.