Is your company taking adequate steps to protect your employees' and customers' personally identifiable information (PII)? If not, you need to be.
Enterprise businesses are pressuring their vendors on security measures, seeking to prevent a breach and protect the customer information those vendors store or process. Companies that suffer a breach learn that remediation and noncompliance fines are costly, and that notifying customers of a breach is a serious hit to the company's reputation. Security breaches were one of the biggest causes of identity theft in 2020, harming many individuals whose information was stolen during a breach.
However, businesses that take action to protect PII can avoid a costly breach, while also winning new deals with security-conscious enterprises.
Personally identifiable information is any information from which a specific individual can be identified. That includes obvious items like names, Social Security numbers, passport numbers, and physical addresses. It also includes less obvious items like email addresses and phone numbers. To protect PII:
Begin by performing an inventory of what PII you're collecting and where it's being stored. You'll need to examine whether you're collecting only the data you actually need and whether each storage location has adequate security controls.
Depending on your industry and your customers, you may be subject to legal compliance requirements. These are laws that govern how you collect, handle, store, and transmit certain types of sensitive information. Which ones apply often depends on where your customers are located and who they are, rather than on your own industry or business location. The most common compliance mandates include:
A risk assessment will help you identify possible vulnerabilities or weak points in your security strategy before criminals do. You should identify:
Are you holding onto PII that you no longer need? While you might think it's best to hoard as much data as you can, PII becomes a security risk when it hangs around forgotten. Comb through your organization and identify information that can be deleted. This includes:
PII accumulates over time, so "cleaning house" reduces your storage costs as well as your risk.
Not all PII is equally sensitive. For example, email lists must still be protected, but they carry a much lower level of confidentiality than customer records containing credit card numbers. By classifying data according to its confidentiality and the impact if it is compromised, you gain a clear picture of what your security program needs to cover.
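The inventory, "cleaning house," and classification steps above are usually done with a discovery scan rather than by hand. The script below is an added example written for this article, not the author's own tooling: it scans constructed sample records for a few PII kinds (SSN, email, phone, payment card), assigns each record a sensitivity tier using an assumed three-tier scheme, and flags records that still hold PII but have not been used within an assumed 365-day retention window. The regexes are US-centric and intentionally simple; the Luhn check cuts false positives on card numbers.

```python
import re
from datetime import date

# Detectors for PII kinds named in the article (SSN, email, phone) plus
# payment-card numbers. Patterns are deliberately simple and US-centric;
# adjust them for the jurisdictions and formats in your own data.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Assumed sensitivity scheme: contact details are confidential, identifiers
# that enable fraud are restricted, records with no PII are public.
TIER_OF = {"ssn": "restricted", "card": "restricted",
           "email": "confidential", "phone": "confidential"}
TIERS = ["public", "confidential", "restricted"]  # lowest to highest

# Constructed sample records standing in for rows from a CRM export, a
# support-ticket dump, a marketing list and an application log. Not real data.
SAMPLE_RECORDS = [
    {"source": "crm/customers.csv", "last_used": date(2020, 3, 1),
     "text": "Jane Roe, jane.roe@example.com, SSN 078-05-1120, "
             "card 4111 1111 1111 1111"},
    {"source": "support/tickets.json", "last_used": date(2020, 9, 15),
     "text": "Caller 415-555-0133 asked for a password reset"},
    {"source": "marketing/newsletter.csv", "last_used": date(2019, 1, 2),
     "text": "subscriber: dev@example.org"},
    {"source": "logs/app.log", "last_used": date(2020, 10, 1),
     "text": "request_id=8f3a user=anon status=200"},
]


def luhn_ok(number):
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Map each PII kind found in `text` to the list of matching strings."""
    found = {}
    for kind, pat in PATTERNS.items():
        hits = pat.findall(text)
        if kind == "card":      # a 13-16 digit run is only a card if Luhn passes
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            found[kind] = hits
    return found


def classify(kinds):
    """Highest tier among the PII kinds present; 'public' if there are none."""
    return max((TIER_OF[k] for k in kinds), key=TIERS.index, default="public")


def inventory(records, today, retention_days=365):
    """Build the inventory report: what PII each source holds, its tier, and
    whether it is a deletion candidate (holds PII but is past retention)."""
    report = []
    for rec in records:
        kinds = set(find_pii(rec["text"]))
        age_days = (today - rec["last_used"]).days
        report.append({
            "source": rec["source"],
            "kinds": sorted(kinds),
            "tier": classify(kinds),
            "delete_candidate": bool(kinds) and age_days > retention_days,
        })
    return report


if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS, today=date(2020, 12, 1)):
        print(row)
```

Run against the sample records, the CRM row comes out "restricted" (it holds an SSN and a card number), the ticket and newsletter rows "confidential", the log line "public", and only the stale newsletter list is flagged for deletion. In practice you would point `find_pii` at real exports and database dumps and feed the tiers into the access-control and encryption decisions the rest of your program depends on.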
Review your overall security program to see what safeguards you need to update. Likewise, make sure you’re using up-to-date tools and solutions to protect PII. This includes your:
With the rollout of enhanced data privacy laws, your policies may need a review. Take a moment to revisit the foundation for protecting PII: your internal security policies. Policies that include best-practice security controls from trusted frameworks like SOC 2 or the CIS Controls help ensure that the information you store and process stays safe. These policies also create the structure for your employee awareness training around the collection, storage, encryption, de-identification, and deletion of PII.
Protecting PII should be central to your infosec program. Your customers expect you to protect their PII no matter what. With these seven steps, you can build a solid security strategy that meets or exceeds their expectations.
Do you need a strategy to protect PII at your company?