In light of the Equifax data breach, it is extremely important for organizations to protect the personally identifiable information (PII) they hold. Governments are ramping up regulations and fines (see our recent blog post) for organizations that do not take real steps to keep their citizens' data safe from cybercriminals.
Breaches involving PII harm both the individuals and the organizations involved. In addition to the obvious individual harms, such as identity theft, organizations face potential harms that include loss of public trust, legal liability, and the costs associated with containment, remediation, and notification.
PII is any information that can be used to distinguish or trace an individual's identity, either on its own or when combined with other data. Examples include, but are not limited to:
Any personal information could be used for malicious activity following a data breach. By committing to the following seven steps, organizations can decrease the likelihood of a breach and better protect their PII.
Organizations cannot commit to protecting data they do not know exists. They should get into the habit of periodically reviewing and auditing their environment for PII. This includes internal PII (e.g. employee records) as well as any PII they create, receive, maintain, or transmit on behalf of customers and business partners.
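One practical way to start such an audit is a simple discovery scan over file shares, exports and log directories. The script below is an added example and is not code from the original post: it scans text for US Social Security numbers, payment card numbers (validated with the Luhn checksum so random digit runs are not reported) and email addresses, and reports only masked values so the findings report does not itself become a new copy of the PII. The file name `export.csv`, the sample rows and the helper names are all constructed for the example.

```python
"""Minimal PII discovery scanner (added example, not from the original post)."""
import os
import re

# Candidate patterns. The SSN pattern rejects area numbers 000, 666 and 900-999,
# group 00 and serial 0000, which are never issued. The card pattern accepts
# 13-19 digits with optional space or dash separators; Luhn filtering follows.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so findings can be triaged without re-exposing the PII."""
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Hide the local part; the domain is enough to locate the record."""
    return "***@" + value.split("@", 1)[1]


def scan_text(text: str, source: str = "<text>") -> list:
    """Return (source, line_no, kind, masked_value) tuples for every PII hit in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append((source, line_no, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((source, line_no, "card", mask(digits)))
        for m in EMAIL_RE.finditer(line):
            findings.append((source, line_no, "email", mask_email(m.group(0))))
    return findings


def scan_path(root: str, max_bytes: int = 50_000_000) -> list:
    """Walk a directory tree and scan every regular file that fits in `max_bytes`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), source=path))
            except OSError:
                continue            # unreadable file: skip, do not abort the audit
    return findings


def summarize(findings: list) -> dict:
    """Count findings per PII kind, e.g. {'ssn': 1, 'card': 1, 'email': 1}."""
    counts = {}
    for _src, _line, kind, _val in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample export used to exercise the scanner offline. Row 4 is a
# 16-digit order reference that fails Luhn; row 5 is an unissued SSN area number.
SAMPLE_EXPORT = """\
id,name,note
1,Alice Example,SSN on file 123-45-6789
2,Bob Example,card 4111 1111 1111 1111 exp 12/29
3,Carol Example,contact carol@example.com
4,Dan Example,order ref 1234-5678-9012-3456
5,Eve Example,bad ssn 000-12-3456
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_EXPORT, source="export.csv")
    for src, line_no, kind, val in hits:
        print(f"{src}:{line_no}: {kind} {val}")
    print(summarize(hits))
```

Run the block as-is to see the masked findings for the constructed sample, or call `scan_path("/path/to/share")` to walk a real directory. The patterns are deliberately simple; in practice you would add formats for your own jurisdictions and record types, and treat the output as a starting inventory for the risk assessment, not as proof that no other PII exists.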
It is very important for companies to know which laws and contractual obligations require them to protect PII. These are some of the most common laws:
Don't forget that applicable state, provincial, and local laws must be given equal consideration when managing PII.
A central component of many privacy compliance standards and regulations is a risk assessment. It not only serves as the basis for various compliance and reporting efforts, but is also essential for good corporate governance. The risk assessment should provide specific coverage of at least the following:
A key aspect of the risk assessment process is ensuring the participation of the various stakeholders and subject matter experts (including outside auditors, when appropriate). Risk assessments should also be repeated at least annually.
In today's world of "big data" it is tempting for an organization to collect as much data as it can. However, this approach increases the organization's risk around the use, notice, and collection of regulated PII; data that is never collected cannot be breached.
Some forms of PII are less risky to collect and retain than others. For instance, a customer list containing opted-in names and email addresses is likely to have a much lower confidentiality and privacy impact, and therefore lower associated risk, than a list of Social Security or credit card numbers. Each organization is different, and it is their decision how to categorize PII; an effective risk assessment can significantly assist with this effort.
Organizations should implement safeguards according to the risk assessment (described earlier) and the confidentiality and privacy impact associated with the PII. These safeguards should be evaluated periodically for design and operating effectiveness and revised as needed. Here are a few safeguards organizations can utilize:
Protecting PII is a critical goal of information security policies and procedures at every company and a central foundation of your InfoSec program. It is also something business customers may ask about during vendor security assessments, audits, or questionnaires.
Ultimately, with these seven steps, you can substantially reduce the risk to the PII you hold.