When an information security incident occurs, organizations frequently turn to computer forensics to investigate and understand what happened.
Indeed, forensics is often vital in determining the root cause of an information security incident and preventing additional exposure. It is also the first step toward confirming whether lost or stolen Personally Identifying Information (PII) or Protected Health Information (PHI) is involved, which is what triggers notification requirements. But getting from that initial confirmation step to the final mailing list for notification can be a difficult process, and that difficulty contributes to organizations’ tendencies to over- or under-notify.
PII/PHI identification is problematic partly because regulatory guidance is not clear-cut. Decision makers frequently find themselves in the uncomfortable position of making judgment calls based upon incomplete information. For example, the California Office of Privacy Protection’s “Recommended Practices on Notice of Security Breach Involving Personal Information” offers this recommendation, in cases where specific individuals cannot be identified: “If you cannot identify the specific individuals whose notice triggering information was acquired, notify all those in the groups likely to have been affected, such as all whose information is stored in the files involved.”