To the best of my knowledge, no current state or federal regulation specifically lists passport numbers as personally identifiable information (PII) for businesses. However, as part of FISMA (the Federal Information Security Management Act of 2002), which affects federal agencies (and, by various state laws, many state agencies as well), NIST has released a draft publication, SP800-122, which is the Guide to Protecting the Confidentiality of Personally Identifiable Information, which does specifically list passport numbers as PII.
Additionally, the Office of Management and Budget recently released the OMB M-07-16, which requires agencies to implement a breach notification process for the loss of personal information. For the purposed of M-07-16, OMB defined PII as such: "The term 'personally identifiable information' refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc. alone, or when combined with other personal or identifying information, which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
It seems pretty clear that this would include passport numbers as well. The OMB memorandum also references the Privacy Act of 1974, which itself requires that the government maintain control over assorted PII, which should also include passport numbers.
For more information:
- Check out these data protection tips for corporate compliance leaders.
- Also learn about using DLP to prevent identity theft.
Dig Deeper on Data security breaches
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading