Personally Identifiable Information, or PII, floats around on the Internet and even within your home. The public, and sometimes companies, provide this information freely without fully considering the consequences or without first determining that adequate protection measures are in place. Businesses and consumers alike need to understand the risks and recommended safeguards before releasing or storing private information. Is your private information safe? Discover our best practices for protecting PII with this complete guide.
What Is PII?
PII refers to any information that identifies an individual. This ranges from names and addresses to Social Security Numbers (SSN) and passport documents. Electronic Health Records (EHRs) also contain a wealth of personal information. Other examples of PII include:
- Photographs – social media, in particular, can be an easy way for a threat actor to obtain photos of an individual.
- Log-in credentials
- Mailing addresses
The bottom line is that when a single piece of PII is coupled with other PII, a threat actor can create a complete profile on an individual, leading to severe consequences. The more pieces of PII a threat actor obtains, the higher the risk to a company or an individual.
Who Uses PII?
The industries using PII the most are exactly what you would expect: those that enable connection, such as social media companies and financial services firms, and those dealing with personal well-being, such as healthcare entities. Consequently, these industries become high-priority targets for hackers. Educational institutions, which hold a wealth of student PII and high-level research, are also seeing an increase in attacks, as are the financial sector and the retail market (as more retail stores turn to social media and electronic shopping methods).
Best Practices for Protecting PII
In 2010, the National Institute of Standards and Technology (NIST) released Special Publication 800-122, otherwise known as a Guide to Protecting the Confidentiality of Personally Identifiable Information. While the report is several years old, many of the recommendations serve as the foundation for PII protection plans today. Below are the top recommendations by NIST and other industry experts for maintaining the integrity and security of PII.
- Collect only what you need – In many cases, PII may be used only in the verification process. For example, an SSN may be used to verify the identity of an individual, but afterward, the SSN is not necessary. In such cases, companies should not store the SSN because it would only increase the risk for the company. NIST recommends that companies conduct periodic reviews throughout the year to ensure that data being collected is necessary for daily operations.
- Develop a scale for PII sensitivity and impact level – Companies collecting and storing PII must review what types of PII they have. Do you collect mostly SSNs, addresses, or both? Knowing what you have is important because each type of PII, if compromised, can have a different impact on individuals and companies. NIST suggests using the categories low, moderate, and high for risk levels and determining that risk level via a previously researched list of impact factors.
- Implement safeguards based on the PII confidentiality impact level – Not all PII requires the same level of protection. For example, a public directory lists phone numbers with the permission of the individuals, making its protection less critical. Thus, it’s important to implement a variety of safeguards that address the different risk levels. Developing PII protection policies, implementing employee training, and using access monitoring software all serve as methods of protecting PII. Furthermore, encryption during storage and transit should be emphasized, and access controls on mobile devices (if used to access work networks) will also mitigate the risk to PII. Lastly, conducting audits, although time-consuming, will help maximize the effectiveness of controls and identify any weaknesses.
Determining PII Impact Factors
As noted above, NIST recommends developing impact factors to use in determining the impact level assigned to the types of PII collected. Below are a few factors to get you started. Each company will likely have different factors based on the industry or its size.
- Identifiability – This factor refers to how easily a piece of PII can be used to identify the individual. For example, a phone number by itself may not be enough to identify a person, but an SSN can be used by itself to identify an individual.
- Quantity of PII – How much PII was compromised and what would likely be the impact? A few hundred compromised records will need different mitigation tactics compared to a breach of 25 million records.
- Data field sensitivity – Each piece of PII will receive a different sensitivity classification. For example, a ZIP code is not as sensitive as a bank account number and access codes. A sensitivity rating may also vary based on how pieces of data are combined. For example, if a ZIP code and credit card number are combined, what level of impact would that have on an individual?
- Context of use – Consider how sets of PII are used. For example, a list of subscriber addresses differs significantly in sensitivity from a list of police informant addresses: revealing the addresses of undercover individuals could cause severe harm to people, whereas exposing a subscriber list would not. Thus, the “why” PII is collected and the “how” it is stored or disseminated should be reviewed intermittently to make sure the collection or storage is truly necessary.
- Obligations to protect confidentiality – Understanding what laws, regulations, or other mandates apply to your company will shape the confidentiality impact level. For example, the Office of Management and Budget (OMB) provides guidelines on privacy, but the General Data Protection Regulation (GDPR) outlines requirements that, if ignored, will result in fines.
- Access to and location of PII – Access will also have an influence on a breach’s impact. The more people who access PII and the more systems that utilize PII, the higher the level of risk. Authorization should be determined on a need-to-know basis. This both limits the damage if a breach occurs and lowers the likelihood of a breach.
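Worked example, added here and not taken from NIST SP 800-122 or RSI Security, of scoring a data set against the six factors above using the low/moderate/high scale from the best-practices list. It assumes (my assumption, not the publication’s) that the overall level is the highest factor score, and it uses field-combination rules to answer the ZIP-code-plus-card-number question; the field table, breach-size thresholds and combination rules are constructed sample values.

```python
from enum import IntEnum

class Level(IntEnum):          # ordered so max() gives the high-water mark
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Per-field sensitivity table (constructed for illustration; tune to your data).
FIELD_SENSITIVITY = {
    "name": Level.LOW, "zip": Level.LOW, "email": Level.LOW,
    "address": Level.LOW, "phone": Level.LOW,
    "ssn": Level.HIGH, "bank_account": Level.HIGH, "credit_card": Level.HIGH,
}

# Combinations more sensitive than any single field in them: several low fields
# form a contact profile, and ZIP + card number is the pairing the page asks about.
COMBINATION_RULES = [
    ({"name", "address", "phone"}, Level.MODERATE),
    ({"zip", "credit_card"}, Level.HIGH),
]

def quantity_level(records: int) -> Level:
    """Breach-size thresholds (constructed; the page contrasts hundreds vs 25M)."""
    if records < 1_000:
        return Level.LOW
    return Level.MODERATE if records < 100_000 else Level.HIGH

def sensitivity_level(fields) -> Level:
    """Worst single field, raised further by any matching combination rule."""
    fields = set(fields)
    # An unclassified field is treated as HIGH until someone reviews it.
    level = max((FIELD_SENSITIVITY.get(f, Level.HIGH) for f in fields),
                default=Level.LOW)
    for combo, combo_level in COMBINATION_RULES:
        if combo <= fields:
            level = max(level, combo_level)
    return level

def impact_level(fields, records, identifiability, context, obligations, access):
    """High-water mark of the six factors (my assumption), plus per-factor scores."""
    factors = {
        "identifiability": identifiability,
        "quantity": quantity_level(records),
        "data_field_sensitivity": sensitivity_level(fields),
        "context_of_use": context,       # subscriber list vs informant list
        "obligations": obligations,      # e.g. HIGH where GDPR fines apply
        "access": access,                # breadth of people/systems with access
    }
    return max(factors.values()), factors
```

Returning the per-factor scores alongside the overall level lets a reviewer see which factor drove the result, which is what you need when deciding which safeguard to strengthen.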
PII Breaches and the Consequences
When threat actors obtain PII, they use it for identity theft, damaging a company’s reputation, or for making a profit on the dark web. A basic definition of a breach, although it varies by industry and impact, is:
The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.
A cybersecurity breach involving PII damages a company’s reputation and, more importantly, weakens the trust consumers have in an enterprise. Without that trust, consumer retention and acquisition become much more difficult. Additionally, legal repercussions become a real possibility when a breach occurs. For example, if a breach occurs and it is discovered that the PII was not encrypted (as is required by many states and countries), a company will likely face fines. Iron Mountain, an information protection company, further notes that companies may face other repercussions, including litigation fees, eDiscovery, legal fees, costs of notification, brand depreciation, and shareholder equity issues.
PII Protection Legislation
Over the last few years, most states and the federal government have issued PII protection laws. This makes compliance difficult for companies, as they must continuously monitor for any changes in such legislation. For small companies operating in one state, the compliance process will be far less complex than larger entities operating nationally or internationally.
State PII regulations typically require entities to notify all affected individuals in a timely manner when a breach occurs. The timeline for how quickly notification must occur varies by state and by law. Notification may not just apply to consumers; it may also apply to companies or third parties that work with the affected entity. Another requirement focuses on the proper destruction of PII. PII stored in electronic format should be removed/deleted from all systems when no longer necessary. In order to successfully destroy PII, companies must know where data is stored at all times and what systems use that information. Similarly, if companies utilize hard copies of PII, such as passport scans or health records, they must destroy them completely through approved methods. Incineration and shredding are two generally accepted destruction practices.
In 2017, the Data Security and Breach Notification Act was introduced. It would require companies to report breaches within 30 days of discovery. The act imposes penalties if companies intentionally cover up breaches or delay notification. Other more common legislation with privacy clauses includes the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The GLBA focuses on financial institutions and includes the right to opt out, in addition to notification requirements. HIPAA covers healthcare providers, doctors’ offices, and any institution that handles patient information.
The European Union’s (EU’s) General Data Protection Regulation (GDPR) is the primary comprehensive international regulation for dealing with privacy and PII breaches. Under the GDPR, non-compliance or data breaches can result in fines as high as four percent of a company’s yearly revenue. The legislation also enforces a strict 72-hour reporting window once a breach is discovered. The GDPR not only affects European companies but also any company that conducts business (involving PII) with any resident or company within the 28 member states or the European Economic Area (EEA). Notably, the GDPR avoids dictating exact technical specifications for companies, as it is difficult to create guidelines that address every company’s needs. Rather, it offers suggestions based on the risks companies face. For more information on how to approach GDPR PII compliance, read RSI Security’s blog on Which Industries Are Most Affected by the GDPR.
How Can You Become PII Compliant?
For the most part, all PII laws overlap on the basic regulatory points and recommended best practices. However, for a more comprehensive guide to each state’s guidelines, check out Foley’s chart on State Data Breach Notification Laws. Use the following two steps as a foundation and then tailor your PII protection plan based on the needs of your company.
- Choose an individual to oversee PII compliance. It’s important to find a person who can work with various departments and see things from different perspectives. PII rarely stays within one department, so it’s important to have inter-department communication when developing a PII protection plan.
- Develop a plan of action for when a breach occurs. It’s just a matter of time until you face a data breach, and it is better to be prepared than caught unaware.
How to React When a Breach Occurs
The OMB outlines how to deal with a breach in its memorandum entitled Preparing for and Responding to a Breach of Personally Identifiable Information (M-17-12). The first reaction should be to isolate the attack. Typically, a breach response team handles this, with each individual having a different responsibility to tackle when a breach occurs. Next, identify who needs to be notified and how quickly. A company’s response plan should designate a point of contact and specify which officials, departments, or senior employees need to be made aware of the situation. After following reporting requirements, a company needs to identify the attack scope — what was compromised and what impact it will have on consumers or investors. Lastly, a company should implement a more permanent fix to address the lapse in security (e.g., a patch). These are just suggestions and will vary based on a company’s size, the industry it operates in, and the extent of the breach. These steps will likely happen simultaneously, but breaking them down into a step-by-step process helps in the early stages of developing a response plan. To learn more about remediation, explore the FTC’s Data Breach Response: A Guide for Business.
The very name and definition of PII describes why it needs to be protected — it’s personal. People do not want their information floating around without consent, despite the contradictions of social media. When it comes to protecting PII, companies need to have awareness, an action plan, and a review process. For assistance developing a well-rounded PII protection plan or for determining your compliance level, contact RSI Security today for a consultation.