To the best of my knowledge, no current state or federal regulation specifically lists passport numbers as personally identifiable information (PII) for businesses. However, as part of FISMA (the Federal Information Security Management Act of 2002), which affects federal agencies (and, by various state laws, many state agencies as well), NIST has released a draft publication, SP800-122, which is the Guide to Protecting the Confidentiality of Personally Identifiable Information, which does specifically list passport numbers as PII.
Additionally, the Office of Management and Budget recently released the OMB M-07-16, which requires agencies to implement a breach notification process for the loss of personal information. For the purposed of M-07-16, OMB defined PII as such: "The term 'personally identifiable information' refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc. alone, or when combined with other personal or identifying information, which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
It seems pretty clear that this would include passport numbers as well. The OMB memorandum also references the Privacy Act of 1974, which itself requires that the government maintain control over assorted PII, which should also include passport numbers.
For more information:
- Check out these data protection tips for corporate compliance leaders.
- Also learn about using DLP to prevent identity theft.
Dig Deeper on Data security and privacy
Related Q&A from David Mortman
Many companies are moving to a system of paperless paystubs. Learn how to protect the information contained in these email paystubs with the use of ... Continue Reading
It can be difficult to decipher what a HIPAA Social Security number violation is. In this information security management expert response, David ... Continue Reading
Security consulting is a job in which privacy is paramount. Leaking security strategies to the wrong people -- especially a company's competition -- ... Continue Reading