Over the last few years, the rise in data breaches involving personally identifiable information (PII) has resulted in the loss of millions of records.
Accessing PII protect without authorisation poses a significant risk to both individuals and the company itself. Individual harms may include identity theft, fraud, or blackmail, while a company as a whole may suffer harms such as a loss of public trust, legal responsibility, or remediation fines.
Because every business, regardless of its size, may be subject to a combination of PII laws, regulations, and other mandates related to securing PII, it should take the approach of data security and privacy to protect the PII it employs in its environment.
A data governance platform is necessary to be in place before you begin to secure the data. This blog offers practical recommendations for recognising and protecting PII.
The blog also proposes measures that may provide acceptable levels of protection and provides some examples of how to establish methods to protect the usage of proper PII access and storage.
What is PII?
PII stands for Personally Identifiable Information, which refers to the personal data in terms of any identifier used to identify or trace an individual’s identity such as name, address, date of birth etc.
The PII can also refer to any additional information related to or linkable to an individual, such as medical records, educational, financial, and employment and other sensitive data.
Note that there’s no definitive list of what is or isn’t personal data, so it all comes down to correctly interpreting the definition of the European Union’s General Data Protection Regulation:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’).”
If you can distinguish an individual from other individuals, then that person is ‘identified’ or is ‘identifiable’.
Examples of PII identifiers include, but are not limited to:
- Names, such as full name, mother’ maiden name, father’s name, or an alias.
- Personal identity numbers, such as a social security number, passport number, driver’s license number, taxpayer identification number, financial institutions account or credit card number.
- Address information, such as a street address or an email address.
- Personal traits, such as a photographic image (particularly of the face or other distinguishing feature), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry).
- Personal information about a person that is linked to or linkable to one of the preceding (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
- Online identifiers such as IP address, Cookie information, MAC address, RFID tag, advertising IDs, pixel tags, account handles; and device fingerprints.
What is sensitive PII?
Some of the PII can be more sensitive in nature and therefore requires a higher level of protection. The GDPR refers to this category as sensitive data.
Sensitive PII requires more safeguards than non-sensitive PII. The consequences of exposing sensitive information in a data breach will be catastrophic.
Examples of sensitive PII
This means data about a person’s identity such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where this is used for identification purposes), medical history, sex life or, sexual orientation.
How does a combination of PII identify a person?
It should also be noted that when a single piece of PII is combined with other PII identifiers, the threat actors can develop a complete profile on an individual, which can have serious consequences to data privacy.
For example, often an individual’s name together with some other information will be sufficient to identify them. the information like:
‘John Smith, who works at the Cyphere Ltd’
Normally, this is enough information to directly identify a person. However, if it is a common name and more than one John Smith is working at this company, you would need extra information to identify them directly, such as:
‘John Smith, with black hair and green eyes, and a tattoo on his right arm, works at the Cyphere Ltd’
This additional information aids in identifying that specific individual. The more personally identifiable information (PII) a threat actor has, the greater the risk to a company or individual.
How do you protect PII?
The following six best practices can be observed to protect the PII:
1. Identify the PII you are collecting and make a PII inventory
A company cannot properly protect PII it does not know about!
Begin by identifying all of the personally identifiable information (PII) that your company is processing. Identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites). You may need to identify data collected from your website’s contact forms or data collected for research purposes.
For example, if you are a software seller, you may have customer bank information and login credentials that you need to keep secure.
The best way to identify this data is to create a PII inventory.
PII inventory is a record of all personally identifiable information housed within your company and on your website or its affiliates. It provides a centralised platform for all data stored in systems.. However, putting that into effect requires some effort.
What data inventory should contain?
You need to create a centralised PII inventory and add all the relevant details related to it like:
- What PII you are collecting for which purpose?
- What PII identifiers do your systems are containing?
- How much data do you have across all these systems?
- Do the stored PII belong to customer/ lead/ employee/ third-party?
- The geographical location of this data? (UK, US etc)
- Is this PII shared with any third parties? If yes, list all third-party customer names?
- What controls are deployed for protecting PII against a data breach?
2. Classify PII based on their sensitivity
Once this inventory is created, now you have to classify this data based on their sensitivity level.
Data classification is the process of organising data by relevant classification labels so that it may be used and protected more efficiently. The classification process makes data easier to locate and retrieve by involving tagging the classification labels i.e. Confidential, Sensitive and Public data.
– Confidential data
It is a highly restricted sensitive PII that include identifiers such as name, social security, bank accounts or credit/debit card number, home address, compensation & benefits, medical history etc.
– Sensitive data
This category has a moderate level of sensitivity that may include educational data of employees, dependents or beneficiary data, personally identifiable financial information related to revenue generation, marketing promotion development, system configuration settings, privileged user accounts information, service provider account numbers etc.
– Public data
It is non-sensitive low-risk data that can be company-wide policies, internet-facing websites, blogs, social media, promotions related data, news or press releases etc.
Confidential data requires more protection, whereas sensitive data requires less protection than confidential data but more than public data. Data that is available to the general public is less secure.
3. Ensure purpose limitation and retention
If your company uses, gathers, and maintains as little PII as possible, the chances of a PII breach causing harm are considerably decreased.
A company should assess its holdings of current and previously gathered PII regularly to see if the information is still relevant and essential for the business purpose and objective.
The PII should only be collected for a legitimate purpose aligned with the applicable privacy laws like GDPR. The company should also establish a plan to eliminate the unnecessary collection and use of PII.
Any older, useless PII should be deleted to make it inaccessible to any possible attackers. Make careful steps to securely remove PII, and keep an eye on old files in your data backups that may include PII.
4. Apply encryption to PII and sensitive data
Encrypting your PII in transit and at rest is an unavoidable part of PII security. Use robust encryption algorithms with key management, and always encrypt PII before sending it over an insecure network or uploading it to the cloud.
To ensure that PII is encrypted, you’ll need the correct set of technological controls in place however, there are several solutions available today that can automate the encryption process depending on data classification.
5. Apply the principle of least privilege
Companies that lose track of their access privileges leave their PII vulnerable to attackers. Mergers and acquisitions can also cause confusion and errors in access restrictions.
As a result, businesses must implement and enforce the principle of least privilege when allowing access to other sensitive data.
The principle of least privilege concerns access control, emphasising that an individual will only have the access privileges required to execute a specified job or activity.
6. PII protect awareness training for employees
Employee education is a simple, yet critical, step while securing PII.
The security and privacy awareness programs for your company can be an important feature for protecting the PII. Employee training sessions on the proper manner to access and store PII are another technique to ensure PII security.
Role-based customise training
Designing customised training to meet the specific role-based requirement is also helpful for example:
- Healthcare providers handling health records should receive training on applicable laws like the health insurance portability and accountability act (HIPAA).
- Human Resources involved in the employee onboarding process should know the requirements for applicable laws like UK-GDPR to carefully handle PII.
- IT Managers need the training to influence information security by deploying proper access controls, ensuring PII protection with two-factor authentication and securing employee laptops and mobile devices through an acceptable usage policy.
- The IT team is likely to be trained for the actual deletion of data under consumer inquiries or creating reports when consumers request access to their personal information.
- Customer service representatives who handle calls to their toll-free lines as well as those who handle responding to digital requests that come in via email or another online process.
- Marketing will need to inform the person in charge of the company’s policies of the new method of data collection.
- Employees will need to be informed on how they can report a PII data breach incident.
Example scenario of how to protect PII
Assume that a human resources manager is required to deliver sensitive documents of employees to a pension organisation. These documents contain compensation and benefits data, salary data and other data identifiers that are sensitive PII in nature.
The person before sending out these documents must ensure the following points:
- Encrypting documents files at the rest to ensure PII protection if employee laptop is lost or stolen.
- Employing threat protection to keep his computer safe from viruses, phishing, and other threats.
- Using data loss protection software that will alert him if he is going to submit a file containing personally identifiable information (PII) in plain text.
- Following company acceptable usage policy will prevent him from using a browser with a known security flaw or storing PII on an unencrypted USB stick.
- Blocking anonymous proxies for web searches because they allow proxy server admins to access PII.
- Avoiding public wifi while sending out sensitive information.
The PII stored by your company is quite appealing to malicious attackers who can sell PII on the black market for a good price. Data breaches caused by Identity theft, fraud, and social engineering attacks are all examples of how PII can be exploited for illegal purposes.
Businesses must be protecting PII data to avoid the consequences of non-compliance. As failure to protect PII exposes your company to highly focused social engineering attacks, significant regulatory fines, and a loss of customer confidence and loyalty.