Privacy Incidents: A Privacy Incident is any potential or actual compromise of personally identifiable information (PII) in a form that could be accessed by an unauthorized person. The Government has characterized privacy incidents to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. Personally identifiable information refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Examples of privacy incidents include: Hacker obtains information from 1836 Technologies laptops which includes Name, SSN, Date of Birth Lost or stolen thumb drive or portable hard drive of PII Shipper loses a package of employee applications Unauthorized access to personnel files File left on community printer with names, addresses and account numbers A file folder containing prospective employee resumes is missing Employee roster posted on 1836 Technologies portal, disclosing name, personal cell phone number, and home address E-mail containing salaries and raises transmitted from a 1836 Technologies e-mail account to a personal e-mail account Key logger gains access to a computer and its accounts Note: 1836 Technologies personnel should identify whether the PII involved in the incident originated from 1836 Technologies or from a client. Continue normally through this guide if the information originated from 1836 Technologies. If the information originated from a client, notify the Privacy Division immediately for coordination and action with the client privacy personnel. This process will occur concurrently to 1836 Technologies privacy incident response. DO NOT CONTACT THE CLIENT DIRECTLY. This is the information we would want to capture on an Initial Privacy Incident Report: The Initial Privacy Incident Report is used to report information initially gathered about a Privacy Incident. This form is found on the 1836 Technologies Privacy Incident Reporting Portal. Examples of information gathered in this report include: Name, Employee ID#, 1836 Technologies phone number, and 1836 Technologies email address of the 1836 Technologies personnel who discovered the incident (if they are willing to provide this information); Date and time of the incident; and A general description of the incident and the PII that is involved (i.e., the category of PII that was compromised, but not the actual PII in the report). Important: Do not report the actual PII from the initial incident, because by doing so you will create another Privacy Incident. To whom it was disclosed, to the extent known; The risk of the PII being misused expressed in terms of impact and likelihood; Security controls known to protect the information (e.g., password-protection, encryption); Steps that have already been taken to reduce the risk of harm; and Any additional steps that may be taken to mitigate the situation. Is the incident suspected or confirmed? * Date Incident Occurred Date Incident Detected * Location Incident Occurred Does the incident involve Paper, Electronic Records, or both? * Electronic Record Type(s), if applicable (Choose all that apply): CD/DVD Desktop computer Lap top computer e-mail electronic file (other than e-mail) External hard drive Flash drive/thumb drive/USB key Other: ____________________ Paper Record Type(s), if applicable (Choose all that apply): Fax Mailing Printer/Scanner Other: _________ Was personally identifiable information involved in the incident? * Yes No Was personally identifiable information exposed? Yes No If yes, how was the personally identifiable information exposed? Identify the type(s) of personally identifiable information (but not the actual information disclosed or lost): Name Date of Birth Mailing Address Telephone Number Social Security Number E-mail Address ZIP Code Financial Account Number Certificate/License Number Vehicle Identifiers Immigration Identification Numbers Biometric Identifiers IP Addresses/URLs Health or Medical Information Driver's License/Passport/State ID Number Employee Identification Number What type of information was compromised? 1836 Technologies Internal Data Client Data Other If Client Data, what Client and/or what contract? Was the information password protected? Yes No Unknown Was the information encrypted? Yes No Unknown Describe the physical security measures: Number of records affected (approximate if unsure) Number of individuals affected (approximate if unsure)