Personally Identifiable Information (PII) is a legal term pertaining to information security environments. While PII has several formal definitions, generally speaking it is information that can be used by organizations, on its own or combined with other information, to identify, contact, or locate a single person, or to identify an individual in context.

Non-sensitive PII can be transmitted in unsecured form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example using encryption, because it could cause harm to an individual if disclosed. Organizations use the concept of PII to understand which of the data they store, process and manage identifies people and may therefore carry additional responsibility, security requirements and, in some cases, legal or compliance requirements.

Personally Identifiable Information (PII) in Privacy Law

PII and similar terms exist in the legislation of many countries and territories:
What Qualifies as PII?

According to the NIST PII Guide, the following items definitely qualify as PII, because they can unequivocally identify a human being: full name (if not common), face, home address, email, ID number, passport number, vehicle plate number, driver’s license, fingerprints or handwriting, credit card number, digital identity, date of birth, birthplace, genetic information, phone number, login name or screen name.

Beyond these clear identifiers, there are “quasi identifiers” or “pseudo identifiers” which, together with other information, can be used to identify a person. For example, according to a US governmental study, 87% of the US population can be uniquely identified by a combination of gender, ZIP code and date of birth. Pseudo identifiers may not be considered PII under United States legislation, but are likely to be considered PII in Europe.

Who is Responsible for Safeguarding PII?

From a legal perspective, the responsibility for protecting PII is not solely attributed to organizations; responsibility may be shared with the individual owners of the data. Companies may or may not be legally liable for the PII they hold. However, according to a study by Experian, 42% of consumers believe it is a company’s responsibility to protect their personal data, and 64% of consumers said they would be discouraged from using a company’s services following a data breach. In light of the public perception that organizations are responsible for PII, it is a widely accepted best practice to secure PII. A common and effective way to do this is using a Data Privacy Framework.

Creating a Data Privacy Framework

A Data Privacy Framework is a documented conceptual structure that can help businesses protect sensitive data like payments, personal information, and intellectual property. The framework specifies how to define sensitive data, how to analyze risks affecting the data, and how to implement controls to secure it.
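As an added illustration of the quasi-identifier point above (this code is not from the original article), the following Python script counts how many records share each gender/ZIP/date-of-birth combination, reports the k-anonymity of the set, and shows how generalising ZIP to a 3-digit prefix and date of birth to a year removes the unique combinations. The records, field names and function names are constructed for the example.

```python
"""Quasi-identifier re-identification check over a constructed sample dataset.
Added example, not from the original article: gender + ZIP + date of birth,
each harmless alone, can single out individuals; generalisation (coarser
ZIP and DOB) is the k-anonymity style mitigation shown at the end."""
from collections import Counter

# Constructed sample records (no real people).
RECORDS = [
    {"gender": "F", "zip": "02139", "dob": "1985-03-14", "diagnosis": "A"},
    {"gender": "F", "zip": "02139", "dob": "1985-03-14", "diagnosis": "B"},
    {"gender": "M", "zip": "02139", "dob": "1985-03-14", "diagnosis": "C"},
    {"gender": "M", "zip": "02142", "dob": "1985-11-02", "diagnosis": "D"},
    {"gender": "F", "zip": "02142", "dob": "1990-07-21", "diagnosis": "E"},
    {"gender": "F", "zip": "02142", "dob": "1990-01-09", "diagnosis": "F"},
]
QUASI_IDS = ("gender", "zip", "dob")

def equivalence_classes(records, keys=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDS):
    """Smallest equivalence class; k == 1 means at least one person is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0

def unique_combinations(records, keys=QUASI_IDS):
    """Quasi-identifier combinations that point at exactly one record."""
    return sorted(c for c, n in equivalence_classes(records, keys).items() if n == 1)

def generalize(record, zip_digits=3, dob_precision="year"):
    """Coarsen ZIP and DOB so fewer combinations are unique (k-anonymity style)."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    out["dob"] = record["dob"][:4] if dob_precision == "year" else record["dob"][:7]
    return out

if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique:", unique_combinations(RECORDS))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized k =", k_anonymity(coarse), "unique:", unique_combinations(coarse))
```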
While there are established data privacy frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27000 family of standards, and the EU General Data Protection Regulation (GDPR), there are benefits to creating a custom framework for your organization. A custom Data Protection Framework will help you put an emphasis on the most sensitive and valuable data within your organization, and design controls that are suitable for your organizational structure, culture, regulatory requirements, and security budget. Follow the steps below to create a custom Data Privacy Framework.

Classification

Define, assess and classify PII your organization receives, stores, manages, or transfers. For each type of PII, identify:
Assessment

Conduct a Privacy Impact Assessment (PIA) to determine, for each type or classification of PII, how it is collected, where it is stored, and how it is disposed of, as well as the potential security risks for each type of PII.

Compliance Environment
PII Security Controls

The Data Privacy Framework should define which security controls the organization needs to have in place to prevent data loss or data leaks:
A wide range of privacy regulations govern how organizations collect, store and use personally identifiable information (PII). In general, companies need to ensure data confidentiality, avoid data breaches and leaks, and make sure data is not destroyed or altered in unauthorized ways. The consequences of lost or leaked PII are significant. Of course, the individuals involved can be harmed by the resulting identity theft and associated costs. But organizations can lose in multiple ways as well: not only can the costs of investigating the incident and repairing the damage be extensive, the company can be slapped with steep fines for non-compliance with a relevant privacy law, and customers can lose trust and leave forever. This article explains what PII protection is and how to protect PII effectively with a data-centric security strategy.

What is PII?

PII is any type of information that can identify an individual. According to the National Institute of Standards and Technology (NIST), all of the following kinds of data could be considered PII:
Source: Braze

It’s also important to distinguish between sensitive and non-sensitive PII, so you can create different storage and sharing plans for each type:
While there are currently no federal PII protection laws in the United States, U.S. organizations are required to follow a host of other privacy laws that govern specific types of PII, including:
These regulations can be complex, so some organizations engage legal professionals to help them navigate compliance. However, it is often the responsibility of IT staff to ensure that protection practices are in place within company systems and processes.

PII protection best practices

Now that you know what PII is, consider these best practices for protecting it:

1. Discover and classify your PII. Make sure you classify your personal data into sensitive and non-sensitive categories. Where does this sensitive information currently live? Is any sensitive PII currently being stored in an insecure manner? Make sure you know exactly what data you have and where it is stored so you can implement the right security strategies for different types of data.

2. Perform risk assessments. A risk assessment helps you identify and prioritize your vulnerabilities, so you can correct the most important issues first. To perform a risk assessment, ask these key questions: Where are the gaps in your current security strategy? How do your current risks impact the sensitive data you have? What would the impact be if certain files were leaked or lost?

3. Create the right access and privilege model. Implement the least-privilege model, so that employees can access only the data they need to perform their work. A role-based access model enables you to assign certain access levels to sensitive data to protect against improper data loss or alteration.

Source: Citrix

4. Use encryption. Encrypting PII helps keep it safe even if it falls into the wrong hands.

5. Don’t store PII you don’t need. Create a policy for destroying records securely when they are no longer needed. This should be a controlled process, to avoid the accidental deletion of important data or leaving traces of sensitive data in unsecured locations.

6. Document your policies and procedures for handling sensitive data. Your policy should include the types of data you store, which PII is sensitive versus non-sensitive, and how different types of data must be stored and protected. Be sure to educate your users about those policies and procedures.

Conclusion

Organizations everywhere need to know what PII is and how its loss or leakage could impact their business. The data protection techniques listed above will help you identify and protect your PII. Consider investing in data security software that will help you efficiently and effectively protect your PII and monitor for security threats.
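The discovery-and-classification step (best practice 1), as an added example that is not part of the original article: a small Python scanner that finds common PII patterns in constructed sample text, uses a Luhn check to drop digit runs that merely look like card numbers, and tags each record with the highest sensitivity tier found. The detector names, the sample text and the sensitive/non-sensitive tiers are assumptions made for the illustration, not NIST's list or any law's classification.

```python
"""PII discovery over constructed sample text (best practice 1: discover and classify).
Added example, not from the original article; the sensitivity tiers are an assumed
illustrative policy, not a legal classification."""
import re

# Detector name -> (pattern, assumed tier).
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "non-sensitive"),
    "phone_us": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "non-sensitive"),
    "ssn_like": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "sensitive"),
    "card_number": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "sensitive"),
}

# Constructed sample (no real people; the card value is a well-known test number).
SAMPLE_TEXT = ("Contact jane.doe@example.com or 555-123-4567. SSN 123-45-6789 on file; "
               "card 4111 1111 1111 1111; ticket 1234 5678 9012 3456.")

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return (detector, tier, matched_value) for each hit in the text."""
    hits = []
    for name, (rx, tier) in DETECTORS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "card_number":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue             # random digit run, not a card number
            hits.append((name, tier, value))
    return hits

def classify_record(record):
    """Highest tier seen across a record's fields: sensitive, non-sensitive or none."""
    tiers = {tier for field in record.values() for _, tier, _ in find_pii(str(field))}
    if "sensitive" in tiers:
        return "sensitive"
    return "non-sensitive" if tiers else "none"

if __name__ == "__main__":
    for hit in find_pii(SAMPLE_TEXT):
        print(hit)
```

Records classified as sensitive are the ones the later steps (encryption, retention limits, least-privilege access) should be applied to first.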