CSR Frequently Asked Questions

Definitions

What is personally identifiable information or PII?

The simple answer is that it’s anything that can be used to identify you. The loss of this information can lead to identity theft.

Types of personal information include: name, address, phone, email, birth date, Social Security number, driver’s license, bank account and credit card information. The list continues to grow with new and revised legislation and court rulings.

Other personal information includes health information, medical records, vehicle identification numbers, license plate numbers, login credentials and passwords, school records, and even voice recognition files. Fingerprints, retina scans, and handprints are also considered personal information.

What is the difference between PCI and PII?

PCI data is just one type of personally identifiable information. The PCI Data Security Standard protects credit cardholder data such as debit or credit card number, expiration date and card security code.

What is a breach of PII?

A breach of PII is the unauthorized access, loss, use or disclosure, whether accidental or criminal, of information that can identify an individual.

What is data breach reporting?

When a breach occurs, the clock starts ticking to comply with federal, state and other laws. Reporting involves the where, when and how of the incident.

What is consumer notification?

Almost every state has enacted a data breach notification statute. These laws generally require businesses that have personal information about residents within a state to notify those residents when that data is compromised. For further information, email admin@shred2you.com.

Is this insurance?

No. The CSR Breach Reporting Service reports to authorities and notifies consumers, as required, in the event of an actual or suspected breach of PII, and this can reduce your liability; but the service is not insurance to cover loss or legal costs.

What are some examples of a breach?

A breach can occur in many ways, including through lost laptops or smart phones, loss or improper disposal of paper records, intrusion into your network or PC by hackers, and theft. The definition continues to expand.

Requirements to Protect Data

Who do I need to report a breach to?

Who you need to report to in the event of a particular breach depends on many factors, including where you are located, what kind of PII was involved in the breach, and the location of the individuals whose PII may have been compromised. Over 100 countries have data protection laws, as well as 300+ federal, state, provincial and local authorities in the U.S. and Canada.

Does CSR determine whether a breach occurred?

No. Based upon our interview with you, our Privacy Professionals determine whether reporting to authorities or notification to consumers is necessary. If reporting is required, our Privacy Professionals will do so on your behalf. If consumer notification is necessary, we will work with you to do so.

What laws govern PII?

Here are a few examples of the hundreds of laws and regulations that relate to the protection of personally identifiable information (PII) and requirements to report suspected or real loss.

  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Driver’s Privacy Protection Act (DPPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Family Educational Rights and Privacy Act (FERPA)
  • 50 state data breach laws
  • Data security laws requiring comprehensive information security programs to safeguard personal information, e.g. Massachusetts’ 201 CMR 17.00

Who are the enforcement agencies and others who might be involved after a breach?

Enforcement officials include various federal and state agencies as well as attorneys general, commissioners and others. Here are a few examples:

  • Federal Trade Commission (FTC)
  • Consumer Financial Protection Bureau (CFPB)
  • Card brands like Visa and MasterCard
  • State Attorneys General
  • Federal Bureau of Investigation (FBI)
  • US Secret Service
  • Department of Health and Human Services/Office of Civil Rights

What if PII shared and/or received from another organization is compromised?

If your business is a third-party provider holding PII of customers, employees, or vendors of another business, then, depending upon the circumstances, you very likely are required to report a breach of that data.

What if PII under my care is encrypted, redacted, or masked?

Even if the material is encrypted, redacted or masked, various regulations still require its protection. For example, encryption keys must be secured, since encrypted data is only as safe as the keys that unlock it.

How can I limit the threat of a data breach?

Almost everyone can do more to protect PII. CSR Readiness helps you assess your risk in handling PII, remediate your processes, implement policies, train staff and continue to monitor and audit, as required by laws and regulations.

About CSR

Who is CSR?

CSR Privacy Solutions, Inc. is a leading provider of award-winning data life cycle management and expert services, including the patented, award-winning CSR Breach Reporting Service™, for businesses domestically and around the globe.

CSR enables compliance with PII requirements, while facilitating best practices to reduce business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of data.

How many companies use this service?

Hundreds of thousands of businesses have enrolled in CSR data management and breach services.

Can you help me with other privacy services?

Other services include PII business analysis, remediation, audit, forensics, education, certification, special projects and Stand-In Privacy Officer provision. For further information, email: admin@shred2you.com.

Can you send me some information?

Go to https://shred2you.csrreadiness.com/ to read more about protecting personal information.
