01 Jul 2015

Review Your Procedures for Keeping Personally Identifiable Information (PII) Secure


A breach of Personally Identifiable Information (PII) can be costly for a trustee. Penalties for a breach are set by EOUST and can include provisions that last as long as three years. That’s why it’s important to periodically review and update your procedures for keeping PII secure.

In May 2010, the Chapter 7 Handbook introduced new requirements for protecting PII. You may have put new procedures in place to protect PII at that time. However, the rules around the protection of PII are not of the “set-and-forget” variety. To stay in compliance, you need to develop a mindset to help you identify potential PII breach situations on a continuous basis.

It’s true that some ways of protecting PII are straightforward, and simple rules to cover those situations should be part of the procedures you already have in place, or put in place now. We’ve addressed some of those issues, such as not letting anyone use your data for demonstration purposes, in a previous newsletter article.

We’ve also previously written about less obvious breach situations relating to email and shared passwords. If you haven’t already created rules and procedures around these examples, now is a good time to do so. But while you’re updating your PII procedures, take some time to review, either for yourself or with your staff, the principles behind the PII protection guidelines.

There are two principles that will help you develop a mindset for identifying potential PII breach situations during your day-to-day activities:

  1. You are entrusted to protect the personal information of debtors and estates.
  2. Any breach of trust or security that occurs online or offline can put PII at risk.

As you work, remember that any time you are handing over personal information of debtors and estates—in print, in person, electronically, or over the phone—you need to consider if that situation is completely secure or trusted—or even warranted.

To help you put this concept into practice, we’ve identified some practical situations where PII might be at risk. You may wish to think about your own policies and procedures around these situations and identify any changes you could make in order to protect PII in the future.

Lost or stolen equipment. Electronic equipment such as a laptop or smartphone may be a more obvious target for thieves, but a briefcase, backpack or piece of luggage that has been taken can also lead to a loss of data and PII breach.

Misplaced papers. Leaving files or papers at the courthouse and in meeting areas is a potential problem, since most 341(a) paperwork will contain PII. Back at the office, clients or non-approved staff could access papers containing PII if files have been left in common areas.

Abandoned debtor records. Many types of debtor records contain PII and are stored with the Trustee for the life of the case. Some types include payroll records, tax returns, and bank statements. To avoid PII loss, these records must be officially abandoned by court order and then destroyed or returned to the debtor.

Unsecured electronic equipment. One of the most common and easily avoidable risks to PII comes from leaving computers running and unattended without lock features activated. If such a device receives email containing sensitive data, such as tax returns or payroll information, that PII can be compromised. This is why it is vital to use a password and encryption on any and all devices that receive email.

Natural disasters. Tornadoes that destroy buildings can spread paper documents for miles. Consider what natural events in your area might put paperwork at risk. You may also wish to read our earlier newsletter article on using cloud-based backup for disaster recovery.

Have you encountered a unique situation where you discovered a potential risk to PII? Please share with other Trustees by leaving a comment below.