In light of the Equifax data breach, it is extremely important for organizations to protect their personally identifiable information (PII). Governments are ramping up regulations and fines (see our recent blog post) for organizations that don’t take real steps to ensure that their citizens’ data is safe from cyber criminals.
Breaches involving PII are harmful to both the individuals and the organizations involved. In addition to the obvious individual harms, such as identity theft, organizations face potential harms that include the loss of public support and legal liability, as well as the costs associated with containment, remediation, and notification.
What is PII?
PII is any information that can be used to distinguish or trace an individual’s identity. Examples include, but are not limited to:
- Social Security number, passport number, driver’s license number, financial account number or any other personal identification numbers
- Street or email address
- Phone number(s)
- Any associated data – data that, on its own, may not identify you but that leads to identification when combined with other data (e.g. IP addresses).
Any personal information could potentially be used for malicious activity as a result of a data breach. By committing to these seven steps, organizations can decrease the likelihood of a breach and protect their PII.
1. Identify All PII and Know Where it Resides
Organizations cannot commit to protecting data that they do not know exists. Organizations should get into the habit of periodically reviewing and auditing their environment for PII. This includes both internal PII (e.g. employee PII) and any PII they create, receive, maintain, or transmit on behalf of their customers and business partners.
2. Identify Laws and Contractual Obligation Requirements for Protecting PII Data
It’s very important for organizations to be aware of any laws or contractual obligations that require them to protect PII. Commonly known laws include but are not limited to:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- General Data Protection Regulation (GDPR)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Don’t forget that applicable state, provincial, and local laws must be given equal consideration in the management of PII.
3. Perform a PII Risk Assessment
A central component of many privacy compliance standards and regulations is the performance of a risk assessment. This not only serves as the basis for various compliance and reporting efforts, but is also essential for good corporate governance. The risk assessment should provide specific coverage of at least the following:
- Identification of regulated personally identifiable information
- Identification of other sensitive data that may or may not be regulated but may pose other types of risks (reputational risk, competitive risk, etc.)
- Assessment of the likelihood of the identified threats
- Risk management strategies including avoidance, sharing, mitigation, and acceptance. This commonly involves the implementation of control procedures and safeguards based on the risk management strategy.
A key aspect of the risk assessment process is ensuring the participation of the various stakeholders and subject matter experts (including outside auditors, when appropriate). Risk assessments should also be performed on an annual basis.
4. Only Collect and Retain PII That is Necessary to Perform the Related Business Function
In today’s world of “big data” it’s very tempting for an organization to take the approach of collecting as much data as it can. However, this approach introduces risk to the organization as it relates to use, notice, and collection of regulated PII.
5. Categorize PII by Confidentiality and Privacy Impact
Some forms of PII may be less risky to collect and retain than others. For instance, a customer list containing opted-in names and email addresses is likely to have a much lower confidentiality and privacy impact and associated risk than a listing of social security or credit card numbers. Each organization is different and it is their decision how to categorize PII; an effective risk assessment can significantly assist with this effort.
6. Create Safeguards for Protecting PII According to Confidentiality and Privacy Impact
Organizations should create safeguards according to the risk assessment (as described earlier) and the confidentiality and privacy impact associated with the PII. These safeguards should be evaluated periodically for design and effectiveness and revised as needed. Here are a few safeguards that organizations can utilize:
- Create policies and procedures – organizations should have policies for the collection, use, retention, disclosure and destruction of PII. These policies should be adopted organization-wide and communicated to employees.
- Training – organizations should train their employees how to protect and handle PII to reduce the likelihood of a breach.
- De-identification – organizations can protect PII by removing it where it may no longer be needed.
- Encryption – organizations can encrypt databases and other locations where PII is stored.
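As an added example (not part of the original post), the following Python script ties steps 1, 5 and 6 together: it scans records for the PII types listed above, assigns each finding an impact tier, and de-identifies the medium- and high-impact values while leaving low-impact ones readable. The sample records, the regular expressions and the impact tiers are illustrative assumptions, not a standard; each organization decides its own categorization.

```python
import re

# Constructed sample records (fictional people and test values), not real data.
SAMPLE_RECORDS = [
    "Jane Doe, jane.doe@example.com, SSN 123-45-6789, card 4111 1111 1111 1111",
    "Support ticket from 203.0.113.42, callback (555) 010-2345",
    "Newsletter opt-in: bob@example.org",
]

# PII type -> (pattern, assumed impact tier). Tiers are illustrative (step 5).
PII_PATTERNS = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "card":  (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "high"),
    "phone": (re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"), "medium"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
    "ipv4":  (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "low"),
}
IMPACT_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def luhn_ok(number):
    """Luhn checksum; drops digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pii(text):
    """Step 1: locate PII in a record; returns kind, impact, value and span."""
    findings = []
    for kind, (pattern, impact) in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # fails Luhn: treat as an arbitrary number, not a card
            findings.append({"kind": kind, "impact": impact, "value": m.group(), "span": m.span()})
    return findings


def highest_impact(findings):
    """Step 5: a record is classified by its riskiest field ("none" if no PII)."""
    return max((f["impact"] for f in findings), key=IMPACT_ORDER.get, default="none")


def de_identify(text, findings):
    """Step 6: redact medium/high impact values (right to left so spans stay valid)."""
    for f in sorted(findings, key=lambda f: f["span"][0], reverse=True):
        if IMPACT_ORDER[f["impact"]] >= IMPACT_ORDER["medium"]:
            start, end = f["span"]
            text = text[:start] + f"<{f['kind']} redacted>" + text[end:]
    return text
```

Running `de_identify(r, find_pii(r))` over each sample record keeps the e-mail and IP address visible and replaces the SSN, card and phone number with a `<kind redacted>` marker.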
This blog is meant to provide a starting point for implementing cyber security practices within your company. Due to the rapid progression of technology, this is an ongoing and ever-evolving subject!