Begin Main Content Area

 Content Editor

EBR, Office of Information Technology Policy SEC-002


Name: Personally Identifiable Information Storage and Transfer
Effective Date: January 2019
Category: Security
Version: 1.0

1. Purpose

This policy defines the data elements that are considered personally identifiable information (PII) for the agencies of the Employment Banking and Revenue (EBR) delivery center. This policy will identify guidelines for the transfer and storage of PII by EBR.

This policy establishes documentation requirements for systems housing PII that do not comply with this policy.

This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: AC-1, AC-21 & SC-4 Per SP 800-53 R4.

2. Background

This policy is published under the general authority of the Governor’s Office of Administration / Office of Information Technology (OA/OIT), and identifies key roles and responsibilities in support of ITPs.

While the Office of Information Technology (OIT) are the custodians of the data, the data owners determine the security controls that must be implemented on their data. System owners (SO) are responsible for ensuring their systems are compliant with data owner’s requirements, e.g. IRS Publication 1075, or SSA technical systems security requirements (TSSR), federal or state statutes, regulations, and laws governing the receipt, processing, and storage of PII.

Failure to correctly identify and protect PII could result in the loss of service, loss of state or federal funding, or place EBR agencies at risk of legal and financial repercussions.

Violations of OA enterprise or delivery center policies may result in disciplinary action up to and including termination of employment or contractor sanctions (including loss of e-mail, Internet, or computer access privileges).

3. Scope

This policy applies to all employees within all bureaus, divisions, boards, commissions, councils, and agencies supported by the EBR delivery center. This includes any contracted employees in the service of EBR (hereinafter referred to collectively as “EBR Users”).

4. Policy

For the purposes of this EBR policy, PII is any information that can be used to uniquely identify an individual’s identity or information that is linkable to an individual. This includes:

  • Name
    • Full name
    • Maiden name
    • Mother’s maiden name
    • Alias
  • Date of Birth
  • Personal identification numbers
    • Social Security number (SSN)
    • Passport number
    • Driver’s license number
    • State identification card number
    • Taxpayer identification number
    • Federal Employer Identification Number (FEIN) or Employer Identification Number (EIN)
      • In cases where SSN could be used as FEIN or EIN.
  • Financial account or credit card numbers
  • Address information
    • Street address
    • Mailing address
    • Physical address
  • Personal characteristics
    • Fingerprints
    • Other biometric data (e.g., retina scan, palm scan, voice signature, facial geometry)

All PII must be encrypted at rest and in transit in accordance with ITP-SEC020 and ITP-SEC031. This applies to the storage of PII on all devices and systems including servers, databases, application files, workstations/laptops, removable media, and network drives.

PII may not be stored on a workstation, laptop, or removable media device, unless there is an approved detailed business requirement, and the risk(s) are identified, categorized, classified and assessed in the agency risk register.

All exception business cases must be documented with an acknowledgement of risk document.

All PII or protected data within a database, must be encrypted at the data level via the application. If this is not feasible, the entire database shall be encrypted. Any individual data elements that constitute PII or can be aggregated to constitute PII are protected data and must be secured per ITP-SEC019. If PII or protected data is stored on separate tables of the same database or separate databases and there is a key field or identifier that links the data; it must be encrypted.

All PII data elements must be encrypted with an algorithm that complies with Federal Information Processing Standard (FIPS) 140-2; e.g. at least a 256-bit encryption. This applies to all means of electronic transmission of PII including; e-mail, web-based applications, web-based forms, fax, file transfer protocol (FTP), and server/on-line document sharing and storage systems.

EBR OIT shall take all necessary steps to protect the PII of all EBR Users and constituents by minimizing or eliminating the use of PII.

All business processes that require the collection of PII, must be documented by the SO, in the System Security Plan (SSP) per SEC-000.

All SO shall determine and document if PII must be transmitted and stored based on business requirements.

All SO shall identify and classify data in the system to ensure all PII data is encrypted at rest and in transit, per SEC-000, ITP-SEC020 and ITP-SEC031.

All SO shall annually review systems and data classifications to determine if any new data types have been added, what controls must be implemented and if any constitutes PII.

All SO shall create a corrective action plan (CAP) for all data that is categorized as PII but is not properly encrypted. The plan will be reviewed by the OIT operations staff, and approved by the delivery center chief information security officer (CISO) and chief information officer (CIO). Where applicable the CAP shall be submitted to the data owner for review and approval.

Legacy systems will not be grandfathered in.

All CAP efforts that exceed timelines shall be documented with an acknowledgement of risk document.

EBR shall follow all required OA, state, and federal laws and mandates related to remediation and notification to the public, if a breach defined by the Breach of Personal Information Notification Act is declared.

5. Responsibilities

  1. EBR User responsibilities:

    • Comply with all EBR policies, OA ITPS, management directives, executive orders and laws; and

    • Report any violations of policies promptly to the Information Security Officer at LI, OIT-DLICISO.

  2. EBR management responsibilities:

    • Comply with all EBR policies, OA ITPS, management directives, executive orders and laws; and

    • Ensure EBR users comply with the policies; and

    • Adhere to this policy and any published procedures regarding PII.

6. References

EBR Policy Definitions Document
SEC-000 - Security Planning Policy
ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data
ITP-SEC020 - Encryption Standards for Data at Rest
ITP-SEC024 - IT Security Incident Reporting Policy
ITP-SEC025 - Proper Use and Disclosure of Personally Identifiable Information
ITP-SEC031 - Encryption Standards for Data in Transit
Breach of Personal Information Notification Act, December 22, 2005, P.L. 474, No. 94
NIST SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Federal Information Processing Standard (FIPS) 140-2

7. Version Control

Version: Date: Purpose:
0.1 02/2009 Base Document
1.0 12/2018 Format and Content Revision for EBR