Summit 7 Team Blogs

What You Should Know About Personally Identifiable Information PII and SharePoint

According to the Identity Theft Resource Center (ITRC) since 2005 there have been approximately 2,342 data security breaches affecting 479,550,937 records. I bet you’re sitting there asking yourself either; “What difference does this make to me?” or “Why should I care?” Well friends and neighbors that’s what we’re going to talk about today. These breaches took both paper and electronic form and were the result of a broad range of actions including hacking, physical theft, disgruntled employees, and accidental exposure just to name a few. In just 5 months this year there have been 264 breaches exposing 7,004,405 records. Scary, but also interesting.

First of all let’s start out by defining what a data breach is. According to the ITRC a breach is defined as an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or financial information/credit/debit card is potentially put at risk in either electronic or paper format. (ref - ITRC - Data Breaches) The information I have just listed is often known as Personal Information (PI) or in the environment I support Personally Identifiable Information (PII).

Ok, we know what a data breach is now, but so what? If you look at the list of breaches you don’t see SharePoint mentioned anywhere so why should this matter to me?

Here’s why…

On 01 March of this year the new Massachusetts data security law went into effect and the client, customer or company you support could be held financially responsible if your SharePoint farm is compromised. The gist of the new law is that if you are storing any type of PI/PII on an individual that resides in the state of Massachusetts within your system, regardless of where the databases are located, you are required to follow the guidelines as they have been set forth in 201 CMR 17.00. Fail to do so and suffer a breach where the POTENTIAL for that information to be exposed exists and your client, customer or company risks being fined $5,000 per violation and record lost. Suppose you have 100 employees working for you in an office in Boston and your database server in Reston, VA gets hacked and you find that PI/PII related to those employees was potentially exposed, that’s only $500,000. You might want to touch up that resume!

What steps does this new Massachusetts law require of you? Let’s take a quick look at a few of the stipulations as I understand them:

  • Companies must maintain a comprehensive Written Information Security Program (WISP) that includes technical, administrative and physical safeguards to protect any stored PI/PII.
  • The WISP must be appropriate to the size of the business. Obviously the construction company down the road that has 20 guys working for it is going to have a WISP that is vastly different from the financial management company that has several thousand people working for it in downtown Boston.
  • The law mandates encryption of all data in motion and at rest including on laptops, hard drives, smartphones, MP3 players, USB drives etc…
    • Data in motion – traveling across the network in case you were wondering.
    • Data at rest – stored on some form of storage media.
  • There must be an individual or team that functions as the official data security coordinator.
  • You are required to take normally accepted steps to secure your data; password protection, up to date anti-virus protection, firewalls, keep patches up to date on your server etc…

“So what!” you say, “We don’t have anyone in Massachusetts!” Maybe not, but as of this writing there are approximately 46 states that have data security breach related laws in place. Most of those revolve around what to do after the fact or after a data breach has been discovered. The new Massachusetts law is among the first to be proactive and address prevention as opposed to reaction. Conventional wisdom should lead us to believe that PREVENTING a breach would be considered a best practice as opposed to reacting to a breach after one has occurred. That being said it’s only a matter of time before states and/or the federal government wake up and see this fact for what it is and begin to move in that direction. I don’t know about you but I would like to be way ahead of that curve when it starts rolling down the road towards us.

Lo and behold there are currently at least 3 bills on the floor of the Senate or House that cover the topic:

What has all of this got to do with SharePoint? Well, think about how your client, customer or company is using SharePoint. Are they doing any of the following?

  • Using SharePoint to manage internal job openings, applications and referrals.
    • Resumes and job applications are going to store personal contact information such as home address and phone numbers. These would be considered PI/PII
  • Using SharePoint for “Open Enrollment” and managing health or retirement benefits
    • Managing health and/or retirement benefits would generally require social security numbers of not only the employee but perhaps family members as well.
  • Managing Continuity of Operations efforts (COOP)
    • Contacts lists used in managing COOP efforts would generally require home phone numbers and/or addresses.
  • Allowing photographs to be associated with an individual’s profile
    • Photographs are considered PI/PII because they associate a piece of information (the picture) with an individual’s name.
  • Managing travel requests or maintaining travel profiles for employees.
    • Managing travel requests may require that credit card numbers, hotel rewards cards and frequent flyer miles be tracked. All of these would most likely include names, billing addresses, home phone numbers etc…
  • Human Resources functions
    • HR could possibly be your largest focal point of concern if you manage employee records, resumes, external recruiting, onboarding documents, etc…
  • Accounting
    • Payroll activities will include every piece of PI/PII you can imagine.
  • Contractor verification
    • If your client, customer or company does any kind of bidding on work you may have a system in place to evaluate potential partners and/or contractors. It’s a pretty good bet that the system will include resumes of people being considered for potential positions on the contract being bid on.

This list could go on and on... and on.

In reality this should all be part of your governance policy but it’s probably not something a lot of SharePoint Administrators think about because it either doesn’t occur to them, the organization they support hasn’t put a governance plan in place or they aren’t fully aware of what their SharePoint farm is being used for. Another thing to think about is this……….how many SharePoint Administrators are COMPLETELY up to speed on how their SQL servers are configured, what the backup schedules/plans are, are the drives encrypted?

Looking at how individual states are reacting as more and more data breaches occur and how it appears that the federal government is beginning to get involved and I think that it’s safe to say that it’s just a matter of time before we have laws in place at both the state and federal level that address data security from a prevention stand point as opposed to being reactionary as most current laws are now. As you move forward with planning your migration to SharePoint 2010 or are going through the yearly review, assessment and update of your policies (or lack thereof) this might be something you want to take into consideration.

Some fast facts regarding data breaches between 2005 and 2009 (there were not a lot of statistics before 2007):

  • In 2009 74% of all data security breaches were electronic, 26% were paper.
  • In 2009 of 498 reported breaches only 6 reported that they had encryption or other strong security features protecting the exposed data.
  • In 2008 reports of breaches jumped almost 46%
  • Financial, banking and credit sectors were the most proactive in terms of data.
  • In the government/military sector breaches have dropped almost 50% between 2007 and 2009.
  • In 2008 only 2.4% of all breaches had encryption or other strong security measures in place

In 2008 only 8.5% of all breaches involved password protected systems.

Year # of Breaches Effected Records
2010 264 7,004,405
2009 498 223,146,989
2008 656 35,691,255
2007 446 127,717,243
2006 321 19,137,844
2005 157 66,853,201
Totals 2342 479,550,937


Breach Type % by category 2005 2006 2007 2008 2009 2010
Govt/Military 13.40% 30% 24.50% 16.80% 18.10% N/A
Educational Institutions 47.80% 28% 24.70% 20% 15.70% N/A
General Businesses 15.90% 21% 29.30% 36.50% 41.10% N/A
Health Care Facilities 10.20% 13% 14.50% 14.80% 13.60% N/A
Banking/Financial 12.70% 8% 7% 11.90% 11.40% N/A


Also, be sure to check out my follow up article on

About Jay Simcox

Jay Simcox is a respected IT Professional, and educator with 10 years of Information Technology experience. Jay is a Senior Consultant with Summit 7 Systems where his background in network and systems administration, SharePoint architecture and Administration and end user support and training are utilized by government agencies seeking to make better use of the tools they are provided.