Citizens have a right to know how their personal information is collected and used. Information privacy, data privacy, or data protection pertains to the relationship between:
- an entity collecting and disseminating data
- the technology used
- expectations of privacy
- and the legal and political concerns
Strategies used to Gain Access to Networks
Attackers use several strategies to gain access to private information, including security breaches, ransomware, malware, impersonation of an organization, and distributed denial of service (DDoS) attacks. Malicious software such as viruses or spyware is occasionally delivered through email or downloads to gain access to protected networks.
What’s at stake?
These cyber attacks may reveal data such as personally identifiable information (PII), non-public personal information (NPI), trade secrets, and intellectual property. Since federal legislation has not successfully passed, state legislation provides the working definitions of PII and NPI.
Personally Identifiable Information
The California Consumer Privacy Act of 2018 (AB 375) (or CCPA) defines personally identifiable information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of PII include identifiers such as, but not limited to:
- Real name or alias
- Email address
- Internet Protocol address and/or network activity
- Social Security Number
- Driver’s License or Passport Number
- Biometric information
All 50 states, the District of Columbia, Puerto Rico, and the US Virgin Islands have passed legislation protecting personally identifiable information (PII). The full text of The California Consumer Privacy Act of 2018 is available online.
Non-public Personal Information
The Gramm-Leach-Bliley Act (GLBA) or the Financial Modernization Act of 1999 defines non-public personal information to include data “a consumer provides to a financial institution to obtain a financial product or service from the institution; results from a transaction between the consumer and the institution involving a financial product or services; or a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.” The full text of the Act is available online. Examples of NPI as referenced by GLBA include but are not limited to:
- Information provided on an application such as: Name, address, income, SSN
- Transactional information such as linking the individual as a customer or consumer, account numbers, payment history, loan or deposit balances and credit or debit card purchases
- Information obtained in conjunction with providing a financial product or service, such as non-public court records or consumer reports.
To reduce the risk of costly incidents, businesses must have critically important discussions around how to protect data. In addition to applying “reasonable security” procedures, businesses should also consider implementing a minimum baseline of controls such as:
- continuous vulnerability management,
- inventory of software and hardware,
- security training, and
- penetration testing.