The individual whose PII was the subject of the misuse and the organization that maintained the PII may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic or physical harm. If the information lost is sufficient to be exploited by an identity thief, for instance, the person may suffer from a loss of money, damage to credit, a compromise of medical records, threats, or harassment. The individual may also suffer from significant losses of time and money to address the damage. Other potential harms include embarrassment, improper denial of government benefits and discrimination.
Organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include remediation costs, financial losses, loss of public reputation and public trust, and legal liability.
In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy-specific safeguards, such as anonymization, minimization of PII collection and de-identification.
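As an added illustration of the privacy-specific safeguards named above (minimization of PII collection, pseudonymization as a form of de-identification, and generalization of quasi-identifiers), the following is example code written for this page, not code from the original document; the sample record, field names, key and reference year are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample record (hypothetical; not real data).
RAW_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "dob": "1984-07-19",
    "zip": "20899",
    "diagnosis_code": "E11.9",
    "visit_year": 2023,
}

# Direct identifiers that must never reach a de-identified output.
DIRECT_IDENTIFIERS = ("name", "ssn", "email")
# Minimization allow-list: fields the stated purpose actually needs.
FIELDS_NEEDED = ("diagnosis_code", "visit_year")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: same person -> same token, but the SSN cannot be
    recovered from the token without the secret key (kept separately)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_zip(zip_code: str) -> str:
    """Generalize a 5-digit ZIP to its 3-digit prefix."""
    return zip_code[:3] + "00"


def age_band(dob: str, ref_year: int) -> str:
    """Replace an exact date of birth with a 10-year age band."""
    low = ((ref_year - int(dob[:4])) // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict, key: bytes, ref_year: int) -> dict:
    """Minimize, pseudonymize and generalize one record."""
    out = {"subject_id": pseudonymize(record["ssn"], key)}
    out["zip3"] = generalize_zip(record["zip"])
    out["age_band"] = age_band(record["dob"], ref_year)
    for field in FIELDS_NEEDED:  # only allow-listed fields are copied
        out[field] = record[field]
    return out


def leaks_direct_identifier(output: dict, record: dict) -> bool:
    """Sanity check: no raw direct-identifier value survives in the output."""
    values = " ".join(str(v) for v in output.values())
    return any(record[f] in values for f in DIRECT_IDENTIFIERS)
```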
In addition to protection requirements for PII, there are other requirements for handling PII. The Fair Information Practices – established by the Privacy Act – advance best-practice guidelines, such as purpose specification, use limitation, accountability and data quality.
Breaches to the confidentiality of PII have the potential to harm both the organization and the individual. Harm to individuals is of increased concern because of the magnitude of potential harm, such as identity theft, embarrassment and denial of benefits.