Tuesday, January 20, 2009

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Draft), Recommendations of the National Institute of Standards and Technology, January 13, 2009.
"Breaches of personally identifiable information (PII) have increased dramatically over the past few years and have resulted in the loss of millions of records. Breaches of PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or high costs to handle the breach. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” This document provides guidelines for a risk-based approach to protecting the confidentiality of PII..."
