Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (DRAFT) [open pdf - 395KB]
"Breaches of personally identifiable information (PII) have increased dramatically over the past few years and have resulted in the loss of millions of records. Breaches of PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or high costs to handle the breach. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, 'If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.' This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII."
NIST Special Publication 800-122
National Institute of Standards and Technology: http://www.nist.gov/