To meet personally identifiable information (PII) compliance requirements, your team must:
- Understand what PII you have to protect
- Determine which regulations apply to it
- Implement the controls those frameworks require
- Conduct formal assessments to ensure compliance
Step 1: Identify PII in Your Networks
Safeguarding PII starts with understanding what it is, whether it exists in your systems, and where. In most cases, PII is defined as any information that could be used to identify an individual, on its own or in combination with other data: biographical, historical, financial, or other information related to a person or their accounts.
Examples of information that is almost always considered PII include the following:
- Names of the person or their associates, including former names and aliases
- Addresses and contact information about a person’s present or past residences
- Identifying and account numbers, such as driver’s license numbers, Social Security numbers, and bank or card account numbers
- Medical history, including conditions, treatments, and payments for them
- Criminal and legal history, including charges raised, convictions, etc.
These kinds of data can be used to do more than just identify someone. They can lead to the direct theft of assets, extortion, or fraudulent schemes like identity theft or impersonation. For these reasons, organizations need to be cognizant of any PII that exists on their systems.
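Discovery is the first practical problem: you cannot protect PII you have not found. The following is an added example (not part of the original article, and not RSI Security’s tooling) of a small scanner that sweeps text records for Social Security numbers, payment card numbers, and email addresses. It validates candidate card numbers with the Luhn check so that arbitrary 16-digit order IDs are not reported as cardholder data, and it masks every finding so the inventory itself does not become a second copy of the PII. The sample records are constructed for the example and do not describe real people.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records (not real data): a support-ticket line, a refund
# note containing a test card number, a line with 16 digits that is NOT a valid
# card number, and a line with nothing sensitive.
SAMPLE_RECORDS = [
    "2024-03-01 ticket#4471 customer=Jane Doe ssn=123-45-6789 email=jane.doe@example.com",
    "refund requested for card 4111 1111 1111 1111 exp 09/27",
    "order id 1234567890123456 shipped",
    "nothing sensitive here",
]


@dataclass
class Finding:
    kind: str      # "ssn", "pan" (primary account number) or "email"
    masked: str    # redacted value safe to put in an inventory or report
    record: int    # index of the record the value was found in
    offset: int    # character offset within that record


# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
_SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# PAN candidate: 13-19 digits, optionally separated by spaces or dashes.
_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so a finding can be reported without re-exposing it."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_record(text: str, record_no: int) -> list[Finding]:
    """Return all PII findings in one record, ordered by position."""
    findings: list[Finding] = []
    for m in _SSN.finditer(text):
        findings.append(Finding("ssn", mask(m.group()), record_no, m.start()))
    for m in _PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("pan", mask(digits), record_no, m.start()))
    for m in _EMAIL.finditer(text):
        domain = m.group().split("@", 1)[1]
        findings.append(Finding("email", "***@" + domain, record_no, m.start()))
    findings.sort(key=lambda f: f.offset)
    return findings


def scan_records(records: list[str]) -> list[Finding]:
    """Scan a batch of records; this is the function to point at real log or DB exports."""
    out: list[Finding] = []
    for i, rec in enumerate(records):
        out.extend(scan_record(rec, i))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, which is what a PII inventory needs at the top level."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record} offset {f.offset:>3} {f.kind:<5} {f.masked}")
    print(summarize(scan_records(SAMPLE_RECORDS)))
```

Run against the constructed records, the scanner reports the SSN and email in record 0 and the card number in record 1, and stays silent on the 16-digit order ID because it fails the Luhn check. Pattern matching of this kind is a starting point for an inventory, not a substitute for knowing your data flows: names, addresses, and medical history have no fixed format and have to be located through schema review and data-flow mapping.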
Step 2: Identify PII Compliance Requirements
Once you have a handle on what kind of PII your organization has to account for, you’ll need to determine which regulations and standards apply to it.
Some of the most common types include:
- Financial PII – If you process payment card transactions, the cardholder data (CHD) involved is governed by the Payment Card Industry Security Standards Council (PCI SSC). CHD comprises PII on or about consumers, their cards, and their transactions, and you must meet the requirements of the PCI Data Security Standard (DSS) to protect it.
- Medical PII – If you come into contact with protected health information (PHI), you are likely subject to the Health Insurance Portability and Accountability Act (HIPAA), enforced by the Department of Health and Human Services (HHS). PHI includes any identifiable information about patients’ past or present health conditions, treatments received, and payments for healthcare, and you must ensure both its privacy and its security.
- Governmental PII – If you handle Controlled Unclassified Information (CUI) as part of government contract work, you are subject to National Institute of Standards and Technology (NIST) Special Publication 800-171, which specifies how nonfederal systems must protect CUI. CUI is information the government creates or possesses that law, regulation, or policy requires to be safeguarded; much of it is technical or operational, but it can also include PII. If you work with the Department of Defense specifically, you are also likely subject to the Cybersecurity Maturity Model Certification (CMMC).
- General PII – If you process PII without other sensitive factors, the individuals identified by it may have their rights protected by a state, nation, or international government. For example, the European Union (EU) General Data Protection Regulation (GDPR) applies to PII concerning EU residents. In the US, the California Consumer Privacy Act (CCPA) protects CA residents, and similar bills exist or are forthcoming in many other states.
Note that many of these frameworks apply irrespective of your industry or location. For example, although HIPAA primarily concerns Covered Entities such as healthcare providers, plans, and clearinghouses, it also applies to business associates outside the healthcare field. And, although GDPR and CCPA are designed to protect Europeans and Californians, respectively, they can reach organizations that process those individuals’ PII from outside the EU or California, so where you conduct business is not by itself a safe harbor.
Step 3: Install Controls to Safeguard PII
The most pivotal step in PII data compliance is implementing the specific controls required by applicable regulations or frameworks that keep PII safe. In most cases, it starts with identifying gaps in your current cybersecurity infrastructure and architecture that are not up to spec. Then, you’ll need to modify or install new controls to meet the requirements and objectives.
For example, consider the following requirements of widely-applicable compliance frameworks:
- HIPAA – Covered Entities need to abide by the following prescriptive rules:
- The Privacy Rule, which prohibits disclosures of PHI except to the individual it concerns or for the select use cases defined as “Permitted Uses and Disclosures.”
- The Security Rule, which requires installing Administrative, Physical, and Technical Safeguards to ensure PHI’s confidentiality, integrity, and availability.
- The Breach Notification Rule, which requires Covered Entities to provide notice of a breach to the individuals impacted, the HHS, and the media (in some cases).
- PCI – Organizations that store, process, or transmit CHD need to meet the 12 Requirements of the DSS:
- Install and maintain network security controls
- Apply secure configurations across all components
- Protect account data where it exists at rest in storage
- Protect CHD with encryption for transmission over networks
- Protect all components against malicious software
- Develop and maintain secure systems and software
- Restrict access by business need to know
- Identify users and authenticate access to CHD
- Restrict physical access to CHD
- Monitor and log all access to systems
- Test efficacy of network security regularly
- Support information security with policies and programs
Working with a compliance partner or security program advisor will help you select, implement, and optimize controls for any frameworks that apply to you. Mapping protections across various mandated requirements reduces overlap and improves efficiency, streamlining PII compliance.
Step 4: Conduct Formal Assessments
Finally, once all your required controls are installed, the only thing left to do is conduct a formal assessment to prove your compliance. Depending on which frameworks apply to you, there might be options to self-assess. However, generally speaking, the more PII you process, the more likely it is that you will have to work with a certified external assessor to achieve compliance.
For example, consider the following assessment criteria for two of the regulations above:
- PCI – Merchant levels, set by each card brand and your acquiring bank based mainly on annual transaction volume, determine how compliance is validated and documented:
- PCI Level 4 (lowest volume) requires an annual Self-Assessment Questionnaire (SAQ), with quarterly Approved Scanning Vendor (ASV) scans where the SAQ type calls for them; the acquirer sets the exact validation requirements
- PCI Level 3 requires an annual SAQ and Attestation of Compliance (AOC), plus quarterly ASV scans
- PCI Level 2 requires an annual SAQ and AOC, plus quarterly ASV scans
- PCI Level 1 (highest volume) requires an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or qualified Internal Security Assessor, an AOC, and quarterly ASV scans
- CMMC – There are three levels of certification, with unique assessment needs:
- CMMC Level 1 requires annual self-assessments and affirmations for all entities
- CMMC Level 2 requires triennial assessments, third-party for most entities
- CMMC Level 3 requires triennial government assessments for all entities
In both cases, some exceptions apply. Card brands do not all define merchant levels the same way (JCB International, for example, does not recognize Level 3), and your acquirer decides which validation it will accept. At CMMC Level 2, some contracts permit self-assessment, but most organizations need a certified third-party assessment. In these cases, working with a security advisor is always recommended.
If your organization is subject to several overlapping compliance frameworks, you may consider streamlining your approach with a single omnibus framework. The HITRUST CSF, for example, includes hundreds of controls that map to requirements across all the frameworks named above, along with several others. It allows organizations to “assess once, report many.”
Optimize Your PII Compliance Today
Meeting PII compliance requirements starts with understanding what PII you process and which standards apply to it. Once that’s accounted for, you’ll need to install controls to meet those standards’ requirements, then assess your implementation to verify your compliance.
This all might sound complicated, but RSI Security can help simplify it. We’re dedicated to serving you above all else, and we’ll work with you to develop and execute an efficient plan.
To get started streamlining your PII compliance, contact RSI Security today!