
813 PERSONALLY IDENTIFIABLE INFORMATION (PII) BREACH RESPONSE POLICY (01/10/2020)

813.1 Purpose

The City of Lee’s Summit (LS) understands the importance of safeguarding customer information. LS is responsible for managing the information it stores, processes, and transmits in support of its business functions in accordance with federal laws and regulations. LS is also responsible for the security of the information that the public has entrusted to it, including PII that can be used to distinguish or trace an individual’s identity, such as a name or social security number (SSN). LS must, therefore, mitigate the risks associated with the inadvertent loss or unapproved disclosure of PII.

813.2 OBJECTIVES

The standard objectives are to:

  • Ensure the security and confidentiality of a customer’s personally identifiable information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of customer’s personally identifiable information that could result in substantial harm or inconvenience to any customer.

813.3 TERMS 

Personally Identifiable Information (PII)

Information within an IT system, online collection, or physical documents: (1) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements (i.e., indirect identification). (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.)

Breach

The compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or loss of control of personally identifiable information (PII), or any similar term referring to situations in which unauthorized persons, or authorized persons with unauthorized privileges, gain access or potential access to either physical or electronic PII.

Responsibility

Any employee who suspects or knows that a breach of PII has occurred shall immediately notify their supervisor and a member of the PII Breach Response Team. Notification must also be provided to the City’s Grant Coordinator (Assistant Finance Director-Controller) within the Finance Department. In the Assistant Finance Director-Controller’s absence, notification should be provided to the Finance Director and/or Assistant Finance Director-Cash and Debt.

Federal laws apply to recipients of financial assistance through grants from the U.S. Department of Justice, which require the Grant Coordinator to report an actual or imminent breach of PII to various agencies no later than 24 hours after an occurrence of an actual breach or the detection of an imminent breach. All employees shall comply with such requirements and report all actual or imminent breaches of PII pursuant to the Breach Response Plan outlined below no later than 24 hours after an occurrence of an actual breach or the detection of an imminent breach.

Additionally, all employees are required to take the general privacy awareness training, which highlights the importance of protecting PII, reviews privacy and security violations, and explains where to report such violations.

813.4 PII Breach Response Team

The City’s PII Breach Response Team is comprised of the Director of Administration, Chief Technology Officer, IT Operations Supervisor, IT Network Administrator, an investigator from the City of Lee’s Summit Police Department, Director of Finance, a representative from Communications and Public Relations and Legal Counsel. The Breach Response Plan is as follows:

1. Each department must report a confirmed or suspected breach of PII data immediately to a member of the PII Breach Response Team. The team member receiving the report will advise the full Response Team of the incident.

2. The Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of PII data and in mitigating the risks associated with the incident.

3. The Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the City.

813.5 PII Breach Response Team Contact Information:

City Administration Office City Management 816-969-1020

Chief Technology Officer Steve Marsh 816-969-1250 steve.marsh@cityofls.net

IT Operations Supervisor Michael Boles 816-969-1263 michael.boles@cityofls.net

IT Network Administrator Tim Scharf 816-969-1234

Director of Finance Bette Wordelman 816-969-1103 bette.wordelman@cityofls.net

Police Department Mark Phillips 816-969-1726 mark.phillips@cityofls.net

Communications Public Relations 816-969-1000

Law Department 816-969-1400

813.6 Other Responsible Parties

Asst Finance Director-Controller Darlene Pickett 816-969-1102 darlene.pickett@cityofls.net (Grant Coordinator)

Asst Finance Director-Cash and Debt Robin Blum 816-969-1101 robin.blum@cityofls.net