As a society we have always relied on personal identifiers, commonly known as personally identifiable information (PII). Defining and protecting PII has recently become much more important as a component of personal privacy now that advances in computing and communications technology, including the internet, have made it easier to collect and process vast amounts of information.
The protection of PII and overall privacy of information are concerns both for individuals whose personal information is at stake and for organizations that may be liable or have their reputations damaged should such PII be inappropriately accessed, used, or disclosed. Without question, 2019 has been an eventful year for organizations across the different industries, with massive data breaches that have had major impacts to organizations as well as consumers. A number of these breaches have exposed PII and heightened the awareness around privacy regulations such as GDPR.
PII data security best practices
Here are some foundational steps to get started with an information protection framework that helps think of the key dimensions associated with protecting PII.
- Understand the data: identify and classify it by source, type, sensitivity and criticality to the business.
- Understand the threats they are exposed to: due to the constantly changing nature of the threat landscape, a review of the threat exposure should be performed on a regular basis.
- Provide that the data’s protection is commensurate with the threat: this means that the controls that composed the Security Framework need to be adapted to each case so the risks are adequately mitigated.
Identify your PII
Due to the wide range of definitions of what exactly comprises PII, each organization is responsible for determining what defines PII in its jurisdiction and which statutes, industry standards, etc., are in scope for compliance. One of the most important steps in protecting PII involves the identification of PII. The types of information that should be considered PII are well known.
Once the types of information considered PII are understood, there remains the challenge of determining where this information is located and stored. The information generally resides in either structured data sources such as databases, or in unstructured information such as electronic documents, emails and other file types.
Unstructured information poses the greater challenge as it can travel anywhere – from desktop computer to tablet to server to mobile phone. Organizations must determine how to identify which unstructured information contains PII, and how to make their employees, contractors, and partners aware that certain files contain PII.
- PII is typically stored in a myriad of locations, both in electronic and hard copy form. Perform a review to identify PII and focus on:
- Policies and procedures to protect PII and other private data in any of its forms and storage locations, including the deployment and effectiveness of an organization-wide data classification scheme
- Policies and procedures relating to action needed after a breach of PII confidentiality
- Training and awareness of employees in the handling and processing of PII and data privacy
Educate and build awareness of PII
Organizations should develop comprehensive policies and procedures for handling PII at the organization level, the program or component level, and where appropriate, at the system level.
Well-crafted PII handling policies and procedures are unlikely to succeed if the organization does not involve its information creators in the protection of PII as part of their standard way of doing business.
Awareness and training for end users – whether through standalone educational programs, or through real-time notification of policy violations by way of the technical solutions which are deployed – helps not only to create a general awareness of security and compliance for sensitive PII, but also to foster a greater accountability for the data creators to see that information is properly protected.
Select the appropriate controls to protect Your PII
Don’t forget about these controls, when creating your business PII security policy:
- Access Enforcement
- Separation of Duties
- Remote Access Controls
- Access Control for Mobile Devices
- Audit Review, Analysis, and Reporting
- Identification and Authentication
- Transmission Confidentiality via Encryption
- Protection of Information at Rest
- Information System Monitoring via Automated Tools
Conclusion: Be preemptive about your PII security
It is important to note that the vast majority of PII security breaches are preventable. Systems can be strengthened to help prevent unauthorized access. Employee screening and training can be improved to help prevent PII data leakage due to theft, loss or improper handling. However, very often it is not until after an incident has occurred that an organization makes a thorough review and necessary changes to practices regarding PII security. To help reduce the number of PII data security breaches, organizations must embrace the concept of auditing for regulatory compliance and security for PII so that issues can be addressed preemptively.