Several months ago I wrote an article on SharePoint, Data Security and Personally Identifiable Information that talked about PII and Data Security and why it is important that you be aware of these things as a SharePoint Administrator. In this article I have taken a bit deeper dive specifically into the realm of PII since it is my belief that this area will become more and more of an issue as aspects of SharePoint 2010 are implemented. This will be especially true in the area of compliance and I think it will become more evident as the efforts to put better laws in place to protect our personal privacy are put in place at a federal level.
As someone that has supported implementations for SharePoint’s largest customer, the US Federal Government, working around the issues brought on by the collection, management, retention and removal of PII has become almost a daily event for me over the last several years. For most SharePoint Administrators supporting implementations at private or publically held organizations this probably isn’t the case……………………yet.
That’s right, I said “yet”.
As the federal government comes to realize, more and more, that the way our personal information is handled is important to us as citizens and consumers, and as the web becomes even more of the way we handle our day to day lives (paying bills, making online purchases, having health related information made available across networks to doctors across the country and around the world, etc….) the more likely it is that our elected representatives will get off their collective butts and address an issue that they have all but ignored.
Who is collecting what information about you, where are they storing it, how long are they storing it for, who are they sharing it with, how are they securing it, and what processes are in place to both prevent a security breach of the system storing your personal information and what are they going to do if a breach of that system occurs?
That’s a pretty long list of things to address and not something to be undertaken lightly. In this article we are going to talk about what PII is, the “concept” of PII, where you might find instances or examples of PII in your SharePoint implementation, and what steps you can take to mitigate or manage that information.
What is Personally Identifiable Information or PII?
The United States Office of Management and Budget defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”1
Let’s consider a couple of examples that I have seen over time that in most environments wouldn’t be considered an issue but when used in a Federal Government SharePoint implementation are sure to cause administrators a considerable amount of heartburn.
- In MOSS 2007 one of the things that excited a number of groups in my end user community was the ability to easily associate a photograph with someone’s profile. That functionality seems innocent enough until you take the description above by OMB and apply those guidelines. By combining a name with an image you have crossed the line of what constitutes PII.
- In SPS 2003, MOSS 2007 and SP 2010 the contacts list by default includes a field for home phone number. Again, you wouldn’t normally think of this as an issue but when you combine the home phone number with a name or home address you have once again crossed the line into the land of PII.
The Concept of PII
It’s very important to realize that the concept of privacy and its relation to the law is somewhat illusive. Nowhere in the United States Constitution or the Bill of Rights does the word “privacy” appear. There have been numerous court rulings, international agreements, executive orders and laws that form the basis of what we consider to be our right to privacy. In addition to forming the basis of our right to privacy those executive orders and laws were also created to address concerns regarding the protection of personal information held by the federal government. It’s extremely important to realize that these laws deal specifically with federal government entities and do not have any authority over the collection, use and storage of personal information by other public and private entities.
The two most important and broadly scoped of those laws are the Privacy Act of 1974 and the Computer Matching and Privacy Act. The Privacy Act was an extension of the Freedom of Information Act (FOIA) of 1966. The Privacy Act was adopted to protect personal information stored in federal databases as well as to provide individuals with certain rights over the information stored in those databases. Some of the highlights of the Privacy Act include:
- Covers the vast majority of personal records systems maintained by the federal government.
- Was developed to specifically address problems posed by electronic record keeping technologies being introduced.
- Provides individuals with the right to access and challenge contents of records related to them.
- Requires that content may only be exposed with the individual’s consent or for purposes announced in advance.
- Requires that federal agencies publish an annual list of systems maintained by the agency that contain personal information.
The Computer Matching and Privacy Act of 1988 was an amendment to the Privacy Act and specifically addressed the sharing of personal information between agencies for the purpose of determining eligibility for federal benefits programs, recouping payments or recovering debts under those programs.
In addition to these two initial acts there are a large number of more narrowly scoped laws in place that are applicable to privacy and data protection. These laws generally fall into one of two categories: the status of information held by the federal government and the treatment of sensitive personal information held by sources outside the federal government. Some examples of each would include:
- National Education Statistics Act – amended provisions for the National Center for Educational Statistics and the National Assessment of Educational Progress which dramatically revised confidentiality and dissemination practices in place at both Centers.
- Tax Reform Act – put changes in place that limit disclosure of returns and returns information, makes information contained in a tax return confidential, and identifies specific procedures for the disclosure of information, authorizes users that suffer an unauthorized disclosure to bring civil action for damages and costs related to the disclosure.
- The Fair Credit Reporting Act – provides regulation of the personal information and financial information used by the various credit reporting agencies.
- Video Privacy Protection Act of 1988 – provides that the disclosure of video rental records containing PII is against the federal criminal code (with certain exceptions), authorizing any person wronged by the release of PII associated with a video rental record to bring a civil action and requires the destruction of PII records within a specific period of time.
Classification of PII
PII is generally classified by an organization’s senior leadership and/or legal counsel and usually results in two groupings: Moderately Sensitive PII and Highly Sensitive PII. Once the classifications have been set information considered to be of a personal nature is grouped under each classification. For example the legal counsel of an organization may decide that a portion of the information they collect from their employees is “less” sensitive than another subset so they might break their information set up as follows:
- Moderately Sensitive PII
- Name – first and last or first initial and last name
- Home address
- Home phone number
- Cell phone number
- Date of birth
- E-mail address or addresses
- Highly Sensitive PII
- Social Security Numbers or individual Tax IDs
- Bank or checking account information
- Credit card information (PCI) (number, CCV, expiration date etc….)
- Debit card information (number, PIN)
- Previous names (maiden, aliases, mother’s maiden name)
- Physical characteristics (eye color, height, weight, scars, tattoos)
- Passport number
- Digital or electronic copies of a personal handwritten signature
- Drivers license number
- Protected Health Information (PHI) – HIPPA related information
Both of these types of personal information must be protected by implementing measures that address storage, transmission, retention and destruction of these information types.
We’ll get to that in just a minute.
For now we’ll cut to the chase and talk about PII and SharePoint in the same context. (I bet you never thought we would get to this did you?)
Where Would I Find PII in my SharePoint Farm?
If you look at the two lists above the answer to at least a portion of this questions should be very obvious. Almost all of the information in the list of Moderately Sensitive PII is part of the default content type for the SharePoint Contacts list. The only item not there is date of birth and I have seen administrators that added that so that teams could easily schedule birthday parties.
The contents of the second list, Highly Sensitive PII, would not be normally found as part of a list or content type. However, take into consideration what your organization or customer may be using SharePoint for and that could very well change. Also keep in mind that PII wouldn’t necessarily be stored as a column in a list or library (although it could be). It is almost a certainty that one of the items listed in either of the lists above will be found in a document in your SharePoint farm. Some areas that this would be likely in:
Human Resources – does your customer or organization use SharePoint for HR purposes? If so this is a location that would be highly susceptible to having PII stored somewhere.
- Emergency Contact Information – home address and phone number as well as the name(s) of people close to you as an emergency contact.
- Resumes – contact information (email addresses, home addresses, phone numbers etc…), or educational history. However, of more concern might be something like salary history if it was included in someone’s resume.
- Direct Deposit information – although normally used by accounting (you’ll see it there also) almost all HR offices will keep copies of this information which includes not only your checking account number, but routing information, contact information and if you elected to have it on your check, your social security number.
- Performance evaluations – salary history, disciplinary actions (if any), possible bonus information, job responsibilities.
- Benefits – this is a highly sensitive area because it could include medical insurance information, names and social security numbers of your family members, 401k or retirement information and contact information again. Health Insurance Portability and Accountability Act (HIPAA) – applies to protected health information (related to treatment, payment and operations activities).
- Personnel records – depending on the guidelines in place at your customer or organization you may find that employee personnel records not only include contact information (name, address and phone number) but social security numbers as well.
Accounting – almost anything connected to financials is going to be considered to be at least moderately sensitive PII. Salary and billing rates, bank account information (from direct deposit), or any corporate credit cards you may hold (account numbers, authorization names, contact information). There are also a several high profile laws that may fall under accounting that would address issues pertaining to PII (among other things):
- Sarbanes-Oxley (SOX) – applies to accounting information stored electronically in spreadsheets.
- Payment Card Industry Data Security Standard (PCI) – applies to credit and debit card information stored, processed or accessed in an Information System (IS), in this case it could be your SharePoint farm.
- Gramm Leach Bliley Act (GLBA) – applies to financial information commonly stored in customer databases and spreadsheets.
In House Travel – storing travel profiles in SharePoint? Then you may see things like passport numbers, credit card information, upcoming travel dates and destinations, or frequent flyer program information.
Legal – it’s LEGAL! Storing contracts, leases, ongoing lawsuits, depositions? Any of those things would likely be considered highly sensitive by corporate counsel.
Contracts – some of the organizations I’ve worked with manage all the documentation associated with a contract competition in SharePoint. Almost all of that information would be considered highly sensitive as a great deal of it is company proprietary or of a personal nature; resumes, billing rates, salaries, contact information, etc….
Obviously this is a short list of where you might find PII in your SharePoint farm. If you take a few minutes to give it some thought you can probably come up with some others. One other thing that you may have noticed is that in addition to PII you see several instances that could be considered compliance related (as in being compliant with a legal statute or law) or related to data security. I think that over time you will find that all 3 (PII, compliance and data security) are closely tied together.
Addressing PII in your Organization
Time for the $64,000 question, how do I handle PII in my organization? The short answer is, tread lightly and write well. The longer, more complicated answer is, make sure that when you write your governance plan you address the issues of PII and compliance clearly and completely. My personal opinion is that it is crucial that you keep your governance plan as short as possible while covering as many of the bases as possible. If you fail to do this and end up with a governance plan that is 30 pages long there is a good chance that nobody will ever read it, much less know it and adhere to it.
I think you would be much better served by creating a separate policy to address issues surrounding PII, compliance and data security and referencing that policy from your governance plan. How that policy is structured and what it actually contains is obviously up to you, but a few areas I feel it is imperative to address:
- Education and awareness are keys in any effort to manage and maintain PII in your SharePoint farm. If your end users and administrators don’t know and understand what PII is, what pieces of information constitute PII, and why it is important to know where PII exists and who put it there then they won’t ever make the effort to follow any guidelines you put in place.
- There should be a process or procedure in place to identify areas within your SharePoint farm where PII or sensitive information/data exists. This might be something as simple as a checkbox in a list used to track new site creation requests that asks “Will this site be used to store, manage or maintain any kind of PII related information?”
- Implement a process or procedure that identifies and tracks the criteria that must be met before a SharePoint site, or applications within your SharePoint farm, that will contain PII or sensitive data may be created as well as the identity of the approval authority for that request.
- Implementation of a process or procedure that tracks the individuals responsible for the management of SharePoint sites, or applications within your SharePoint farm, that contains PII or sensitive information.
- Tracking who has access to sites, applications, lists or libraries where PII related information is stored is essential. This should also be combined with the auditing and logging of those areas where PII is stored or maintained.
- Set retention policies for PII related information or data. Bearing in mind that this is mandated for certain kinds of PII by various laws (for example The Video Privacy Protection Act of 1988 mentioned above) you should have a procedure in place that not only addresses how long PII related information is retained but what happens when that retention period is reached.
- Address data encryption – where possible encrypt any PII sent out side of your organizations corporate network. The encryption of data at rest or in transmission is quickly becoming a requirement of the numerous laws, regulations, contractual requirements and industry standards that govern data security. Additionally, when you consider it is more than likely that you have a large number of users that are “mobile” via laptop, tablet or smartphone when you encrypt data sent outside the network, both in transit and in storage, the likelihood of a privacy breach will be reduced significantly.
- Consider establishing a process or procedure that manages how access is granted, removed and access requests are tracked. It is critical that you know how and when users are added and removed, who added or removed a user, and what was the business justification for granting a user access to a specific resource. In the event of a privacy or data breach this information will be a key in identifying who had access to the compromised resource.
- Consider establishing a process or procedure for the periodic review and assessment of the information stored in your SharePoint farm paying particular attention to those sites where privacy information was NOT previously stored. There are a number of 3rd party tools that do this automatically.
The following list of resources will provide you with links to 3rd party tools specific to SharePoint for doing compliance scans of your farm content and links to websites that while not necessarily SharePoint specific will provide you with a wealth of knowledge regarding privacy, PII and data security.
Information Shield – United States Privacy Laws
Information Shield – International Privacy Laws
LawBrain – US Privacy Law
TechPolicy.com – Data Privacy Law: The Basics
NYMITY – Privacy Breach Analysis
InformationWeek – States’ Rights Come to Security Forefront
Links to the following applications are not intended as endorsements of those applications
HiSoft – Compliance Sheriff for Microsoft SharePoint Server 2007/2010
AvePoint – Compliance Products
CipherPoint – SP Enterprise
Do you remember when I said that “For most SharePoint Administrators supporting implementations at private or publically held organizations this probably isn’t the case……………………yet.”?
The main reason I said that is there is a growing momentum for the regulation of online data and privacy. With continued stories about the never ending issues surrounding privacy and Facebook and/or Google in the news, what seems like daily, our elected representatives are finally waking up and may look at doing something about the problem. There are currently at least 3 congressional initiatives regarding legislation to address privacy concerns. The one very large problem is that within the United States there are probably too many privacy laws so there is no single overarching law that addresses concerns at the state and federal level.
Eventually we, as a country, will get there. It’s just a question of when and who will be driving the bus. If rumors are to be believed the entity that ends up with oversight of online privacy and data security may well be the Federal Trade Commission (FTC).
Regardless it’s better to be ahead of the curve than behind it!