I went on the Internet and did a quick check. The data breach is actually worse than first reported.
This is what I found from the General Services Administration, a Federal Agency
Here are their definitions:
Personally Identifiable Information (PII) – information about a person that contains some unique identifier, including but not limited to name or Social Security Number, from which the identity of the person can be determined. OMB Memorandum M-10-23 (June 25, 2010), updated the term “PII”: “The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”Data Breach – Includes the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to Personally Identifiable Information, whether physical or electronic. In the case of this policy, the term “breach” and “incident” mean the same.
The following list contains examples of information that may be considered PII.
• Name, such as full name, maiden name, mother‘s maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number
• Address information, such as street address or email address
• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
• Telephone numbers, including mobile, business, and personal numbers
• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
• Information identifying personally owned property, such as vehicle registration number or title number and related information
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
Guide to Protection the Confidentiality of PII
Organizations should develop an incident response plan to handle breaches involving PII.
Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII. Organizations should develop plans that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.
Guide to Protection the Confidentiality of PII
PII is in two types
Linked
Linked information is information about or related to an individual that is logically associated with other information about the individual.Linkable
Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.For example, if two databases contain different PII elements, then someone with access to both databases may be able to link the information from the two databases and identify individuals, as well as access additional information about or relating to the individuals. If the secondary information source is present on the same system or a closely-related system and does not have security controls that effectively segregate the information sources, then the data is considered linked. If the secondary information source is maintained more remotely, such as in an unrelated system within the organization, available in public records, or otherwise readily obtainable (e.g., internet search engine), then the data is considered linkable.
Guide to Protection the Confidentiality of PII
The same document quoted above goes on to state, “Federal agencies are required to report all known or suspected breaches involving PII, in any format, to US-CERT within one hour. To meet this obligation, organizations should proactively plan their breach notification response. A breach involving PII may require notification to persons external to the organization, such as law enforcement, financial institutions, affected individuals, the media, and the public.”
CRA on the other hand thinks it is exempt from reporting any release of PII.
The PII article on Wikipedia.org is interesting; especially footnote #19. ”In 2011, the California State Supreme Court ruled that a person’s ZIP code is PII”
Wikipedia Personally Identifiable Information
Under this ruling, not only was the disclosure of bank routing and account numbers a disclosure of PII but also all the member spreadsheets and membership forms that were scanned and posted on the Internet.
Based on the above, the Park brothers appear to have a serious problem.