In light of the Equifax data breach, it is extremely important for organizations to protect their personally identifiable information (PII). Governments are ramping up regulations and fines (see our recent blog post) for organizations that don’t take real steps to ensure that citizens’ data is safe from cybercriminals.
Breaches involving PII are harmful to both the individuals and the organizations involved. In addition to the obvious individual harms, such as identity theft, organizations face potential harms that include the loss of public support and legal liability, as well as the costs associated with containment, remediation, and notification.
What is Personally Identifiable Information?
PII is any information that can be used to distinguish or trace an individual’s identity. Examples include, but are not limited to:
- Social Security number, passport number, driver’s license number, financial account number or any other personal identification numbers
- Street or email address
- Phone number(s)
- Any associated data – data that, on its own, may not identify you but, when combined with other data, leads to identification (e.g. IP addresses).
Any personal information could potentially be used for malicious activity as a result of a data breach. By committing to these seven steps, organizations can decrease the likelihood of a breach and protect their PII.
1. Identify All PII and Know Where it Resides
Organizations cannot commit to protecting data that they do not know exists. Organizations should get into the habit of periodically reviewing and auditing their environment for PII. This includes both internal PII (e.g. employee PII) as well as any PII they create, receive, maintain, or transmit on behalf of their customers and business partners.
2. Identify Laws and Contractual Obligation Requirements for Protecting PII Data
It’s very important for companies to know which laws or contractual obligations require them to protect PII. These are some of the most common laws:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach Bliley Act (GLBA)
- General Data Protection Regulation (GDPR)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Don’t forget that applicable State, Provincial, and Local laws are to be equally considered for the management of PII.
3. Perform a PII Risk Assessment
A central component of many privacy compliance standards and regulations is the performance of a risk assessment. This not only serves as the basis for various compliance and reporting efforts, but is also essential for good corporate governance. This risk assessment should provide specific coverage of at least the following:
- Identification of regulated personally identifiable information
- Identification of other sensitive data that may or may not be regulated but may pose other types of risks (reputational risk, competitive risk, etc.)
- Assessment of the likelihood of the identified threats
- Risk management strategies including avoidance, sharing, mitigation, and acceptance. This commonly involves the implementation of control procedures and safeguards based on the risk management strategy.
A key aspect of the risk assessment process is ensuring the participation of the various stakeholders and subject matter experts (including outside auditors, when appropriate). Risk assessments should also be performed on an annual basis.
4. Only Collect and Retain PII That is Necessary to Perform the Related Business Function
In today’s world of “big data” it’s very tempting for an organization to take the approach of collecting as much data as it can. However, this approach introduces risk to the organization as it relates to use, notice, and collection of regulated PII.
5. Categorize PII by Confidentiality and Privacy Impact
Some forms of PII may be less risky to collect and retain than others. For instance, a customer list containing opted-in names and email addresses is likely to have a much lower confidentiality and privacy impact and associated risk than a listing of social security or credit card numbers. Each organization is different and it is their decision how to categorize PII; an effective risk assessment can significantly assist with this effort.
6. Create Safeguards for Protecting PII According to Confidentiality and Privacy Impact
Organizations should create safeguards according to the risk assessment (as described earlier) and confidentiality and privacy impact associated with the PII data. These safeguards should be evaluated on a periodic basis for design and effectiveness and be revised as needed. Here are a few safeguards that organizations can utilize:
- Create policies and procedures – organizations should have policies for the collection, use, retention, disclosure and destruction of PII. You should adopt these policies organization-wide and communicate them to employees.
- Training – organizations should train their employees on how to protect and handle PII to reduce the likelihood of a breach.
- De-identification – organizations can protect PII by removing it where it may no longer be needed.
- Encryption – organizations can encrypt databases and areas where PII is stored.
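As an added example, not code from the original post, the following Python script ties steps 1, 5 and 6 together: it scans constructed sample records for common PII patterns (so you learn where PII resides), assigns each finding an impact tier (categorization), and then de-identifies each field according to its tier (a safeguard). Card numbers are only reported when they pass the Luhn check digit, which keeps invoice numbers and similar digit runs out of the findings. The detection patterns, the impact tiers, the tokenization key and the sample records are all assumptions made for this illustration; a real deployment would take them from the organization's own risk assessment and secrets store.

```python
"""Scan records for PII, rate each finding by impact, and de-identify by tier."""
import hashlib
import hmac
import re

# Detection patterns and the impact tier assigned to each kind of PII.
# Both the patterns and the tiers are assumptions for this example;
# each organization sets its own categories (step 5 of the post).
PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "high"),
    "phone": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "moderate"),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "moderate"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
}
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}

# Hypothetical tokenization key; in practice it lives in a secrets manager, not in code.
TOKEN_KEY = b"example-only-tokenization-key"

# Constructed sample records; every value is fictitious.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com",
     "phone": "555-010-2345", "ssn": "078-05-1120", "card": "4111 1111 1111 1111"},
    {"id": 2, "name": "Bo Sample", "email": "bo@example.org",
     "notes": "Customer called from 192.0.2.44 about invoice 4111-1111-1111-1112"},
]


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn check (payment card numbers)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: dict) -> list:
    """Return one finding per PII match in the record's string fields."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, (pattern, impact) in PATTERNS.items():
            for match in pattern.finditer(value):
                if kind == "card" and not luhn_valid(match.group()):
                    continue    # digit run with a bad check digit: not a card number
                findings.append({"record_id": record["id"], "field": field,
                                 "kind": kind, "impact": impact, "value": match.group()})
    return findings


def scan_records(records: list) -> list:
    """Inventory step: collect findings across all records (step 1 of the post)."""
    return [f for record in records for f in scan_record(record)]


def summarize(records: list) -> dict:
    """Count findings per impact tier, the raw material for a risk assessment."""
    counts = {"low": 0, "moderate": 0, "high": 0}
    for f in scan_records(records):
        counts[f["impact"]] += 1
    return counts


def tokenize(value: str, key: bytes) -> str:
    """Keyed pseudonym: same input gives the same token, but the token reveals nothing."""
    normalized = re.sub(r"[^0-9A-Za-z]", "", value)   # "4111 1111..." and "4111-1111..." agree
    return "tok_" + hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()[:16]


def mask_value(value: str, keep: int = 4) -> str:
    """Partial mask: hide every alphanumeric character except the last `keep` characters."""
    head, tail = value[:-keep], value[-keep:]
    return "".join("*" if ch.isalnum() else ch for ch in head) + tail


def deidentify_record(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Apply a safeguard per tier: tokenize high, mask moderate, retain low (example policy)."""
    out = dict(record)
    for f in scan_record(record):
        if f["impact"] == "high":
            replacement = tokenize(f["value"], key)
        elif f["impact"] == "moderate":
            replacement = mask_value(f["value"])
        else:
            continue            # low-impact values are kept under this example policy
        out[f["field"]] = out[f["field"]].replace(f["value"], replacement)
    return out


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record_id']} field {f['field']}: {f['kind']} ({f['impact']})")
    print("summary:", summarize(SAMPLE_RECORDS))
    for record in SAMPLE_RECORDS:
        print(deidentify_record(record))
```

Running the script on the constructed records reports the SSN, card, phone and email in record 1 and the IP address and email in record 2, while the digit run in record 2's notes is not reported because it fails the Luhn check. The tokenized output keeps high-impact fields linkable (the same SSN always maps to the same token) without storing the original value, so the de-identified copy can serve analytics or support workflows that do not need the raw identifier.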
Protecting PII is a critical goal for information security policies and procedures at every company. It is a central foundation of your InfoSec program. It’s also a component that business customers may ask about during vendor security assessments, audits, or questionnaires.
Ultimately, with these seven steps, you can protect all the PII you hold.