08 Jul 2013

Ensure Personally Identifiable Information (PII) is Protected

Trustee Tip:

New requirements surrounding the protection of Personally Identifiable Information (PII) were introduced in the Handbook in May 2010. With the everyday use of smart phones, tablets, flash drives and portable computers for work, and the ability to access debtor and estate information from any of these devices becoming more common, measures must be put in place to protect PII. This is not to say that you can’t work on your smart phone or download files to a flash drive, but rather that all devices must be secured, including devices that access email or cloud-based file storage services such as Dropbox.

Emails provide a wealth of PII, whether it is correspondence with another party or debtor or a combination of website addresses and passwords. If this information were to fall into the hands of someone outside of your office, then a PII violation will have occurred.

Not all situations regarding PII are this black and white. Say, for example, while searching online for assets you come across a people-search site with access to more potential information. It looks legitimate and, with a free trial, you figure you have nothing to lose. You begin by entering some basic information: name, gender, age, city, state – nothing out of the ordinary. Then you are prompted for additional information: employer, spouse’s name and education. The more information you add, the more specific the search window gets. With this many unique identifiers now available, the information provided could now be considered PII. This search company has now captured your debtor’s PII. They could use this information as “dummy” data or they could keep it for themselves to use maliciously. With these vendors, you have no idea what they will do with the information collected. The same applies to any vendor wanting your secure data for demonstration purposes. Once that information is captured, you and your data will have been compromised, putting you at risk for potential violations with the UST. Don’t let unscrupulous vendors compromise you! Make them use their own data.

Another way to view PII protection is to look at how the Health Insurance Portability and Accountability Act (HIPAA) is structured. With HIPAA, unless you sign a disclosure agreement releasing your medical records, your personal medical information remains protected. This identifiable health care information is maintained and covered by your healthcare provider and protected under HIPAA law. HIPAA provides these protection guidelines to safeguard and secure your health information in the same manner that UST offices provide similar PII protection for debtors and estates. As a trustee, you are entrusted with personal information of debtors and estates. If your information is compromised, then by default, so is the information regarding estates you oversee. Unless you have a contract with a trusted provider, do not, under any circumstances, give out any personal information. You should not give anyone outside your staff access to your data.

Remember to always password-protect all electronic information and secure all devices because, at the end of the day, you are the one who will be held responsible. Should you have a breach of PII, the EOUST has put in place a plan of action that you must follow, ranging from contacting all affected parties of the compromise to setting up a website to provide each victim with free credit checks. As one trustee learned, maintenance on his website went on for 3 years, all at his own expense.

What steps does your office take to protect PII? Post a comment below.