Page 36 - CITP Review
Number of records stolen. The more records lost, the higher the cost of a data breach. Strong data classification methodologies are essential for cataloging, and thus understanding, what sensitive information is most vulnerable and, in turn, for reducing the quantity of this information.

Length of time to detect and contain a breach. The sooner a data breach can be identified and contained, the lower the costs.

Management of detection and escalation costs. An organization’s ability to detect and escalate a data breach can be improved by investments in governance, risk management, and compliance (GRC) programs that establish an internal framework for satisfying governance requirements, evaluating risk across the enterprise, and tracking compliance with those requirements.

Management of post-data-breach costs. Insurance protection helps to mitigate and reduce the cost of a data breach, as does business continuity management (BCM). Conversely, notifying victims without knowing the full breadth of the breach increases post-data-breach costs, as does hiring consultants to assist with remediation. Expenditures to resolve lawsuits also increase post-data-breach costs.
Personally identifiable information
The Office of Management and Budget (OMB) Memorandum M-10-23 defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”[32]
Linked information is any piece of personal information that can be used to identify an individual; it
includes, but is not limited to, the following:
Full name
Home address
Email address
Social Security number
Passport number
Driver’s license number
Credit card numbers
Date of birth
Telephone number
Login details
Linkable information is personal information that, on its own, cannot necessarily be used to identify an
individual, but could do so when linked with another piece of information. Some examples of linkable
information:
First or last name (if common)
Country, state, city, postcode
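The distinction between linked and linkable information is easiest to see when it is measured. The following is an added example, not part of the CITP Review text or OMB M-10-23: it tags a record's columns as linked or linkable using the categories listed above, then counts how many people a given combination of linkable fields singles out in a constructed sample (a k-anonymity check, where k is the smallest group of records sharing the same combination). The column names, the sample records and the field-to-category mapping are assumptions made for the example.

```python
"""Added example (not from the CITP Review text): classify record fields as
"linked" vs "linkable" PII using the page's categories, then measure how far
linkable fields alone single out individuals in a constructed dataset.
Field names, sample records and the category mapping are assumptions."""
from collections import Counter
from typing import Iterable

# Direct identifiers ("linked information"), following the page's list.
LINKED_FIELDS = {
    "full_name", "home_address", "email", "ssn", "passport_number",
    "drivers_license", "credit_card", "date_of_birth", "telephone", "login",
}
# Quasi-identifiers ("linkable information"): not identifying on their own,
# but identifying when combined with other fields.
LINKABLE_FIELDS = {"first_name", "last_name", "country", "state", "city", "postcode"}


def classify_field(field: str) -> str:
    """Return 'linked', 'linkable' or 'other' for a column name."""
    if field in LINKED_FIELDS:
        return "linked"
    if field in LINKABLE_FIELDS:
        return "linkable"
    return "other"


def classify_record(record: dict) -> dict:
    """Group a record's columns by PII category, as a data-classification catalog would."""
    groups = {"linked": [], "linkable": [], "other": []}
    for field in record:
        groups[classify_field(field)].append(field)
    return groups


def equivalence_classes(records: Iterable[dict], quasi: tuple) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r.get(q) for q in quasi) for r in records)


def k_anonymity(records: list, quasi: tuple) -> int:
    """Smallest group size over the quasi-identifier combination.
    k == 1 means at least one person is singled out by those fields alone."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def singled_out(records: list, quasi: tuple) -> list:
    """Records whose quasi-identifier combination is unique in the dataset,
    i.e. linkable data that has effectively become linked."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r.get(q) for q in quasi)] == 1]


# Constructed sample data (not real people); direct identifiers already removed.
SAMPLE = [
    {"first_name": "John", "country": "US", "state": "CA", "city": "Oakland", "postcode": "94607"},
    {"first_name": "John", "country": "US", "state": "CA", "city": "Oakland", "postcode": "94607"},
    {"first_name": "Maria", "country": "US", "state": "CA", "city": "Oakland", "postcode": "94607"},
    {"first_name": "Maria", "country": "US", "state": "CA", "city": "Oakland", "postcode": "94610"},
    {"first_name": "Wei", "country": "US", "state": "CA", "city": "Oakland", "postcode": "94610"},
]

if __name__ == "__main__":
    print(classify_record({"full_name": "x", "city": "y", "order_id": 1}))
    for quasi in [("country",), ("country", "city", "postcode"), ("first_name", "postcode")]:
        print(quasi, "k =", k_anonymity(SAMPLE, quasi),
              "singled out:", len(singled_out(SAMPLE, quasi)))
```

On the sample, country alone gives k = 5 (nobody is distinguishable), adding city and postcode drops k to 2, and first name plus postcode drops k to 1 with three of the five records uniquely identified. That is the case-by-case risk assessment the memorandum describes, expressed as a number a classification program can set a threshold on.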
[32] See https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf, accessed July 23, 2019.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-28