It’s difficult in the current technological environment to determine what falls under private or personal information, especially considering how many social media platforms exist. People post a plethora of information about themselves causing the concept of privacy to become skewed. All of this information provides companies with a window into the consumers’ minds and consequently their wallets. But, with information collection comes the responsibility to protect personal data from malicious individuals.
What is PII?
Personally Identifiable Information refers to any information that can be used to identify a particular individual. A more formal definition provided by the Office of Management and Budget (OMB) is:
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
So What Information Is Actually PII?
A full name, social security number (SSN), driver’s license, passport number, bank account, and email address are the typical examples of PII; however, there are other lesser-known bits of information that are also PII including health records and biometric data. For a more comprehensive list of PII varieties, check out the University of Pittsburgh’s Guide to Identifying PII.
PII Threat Categories
PII can be broken down further into categories of sensitivity, because not all PII is equally sensitive. For example, a name isn’t necessarily unique, but an SSN uniquely identifies you. An SSN card is a primary form of PII, whereas a credit card is a secondary form of PII. A new trend shows that threat actors are targeting new accounts, such as car loans, mortgages, and student loans, to gather PII. Consequently, this information has a higher threat rating.
What Do Hackers Do with PII?
Jeopardized secondary PII, like a stolen credit card, is a concern and a nuisance. However, the concern increases as threat actors piece together more PII on a single individual. Often, a threat actor may start by obtaining an individual’s email address. Then he/she may use a phishing scam to acquire more critical PII. With some basic social media investigation, a threat actor can penetrate a person’s circle of friends, identify residences, and view preferences. Through these progressive steps, hackers compile files on an individual, and, with multiple pieces of a person’s PII, threat actors can then impersonate the individual, use them as a scapegoat for another crime, or sell the information on the dark web.
PII Threats By The Numbers
- A 2018 FICO report found that 44 percent of consumers consider identity theft and banking fraud as their top concern
- Consumers fear the disclosure of their SSN above all, followed by their bank account information
- A Javelin Strategy & Research study published in 2019 found that identity theft decreased from 16.7 million in 2017 to 14.4 million in 2018.
Challenges of Managing PII
Managing PII and protecting it isn’t just about maintaining a good reputation. It is also about complying with regional and national cybersecurity regulations. Below are a few problems that companies face on a daily basis in dealing with PII.
Too Much Information! – One common issue companies deal with is the sheer amount of PII they collect and understanding how to handle it. In many cases, companies collect too much PII rather than only what is absolutely necessary for operations.
Covering the whole threat landscape – It’s difficult for companies to keep track of everywhere PII goes. PII usually exists both in a digital format and sometimes in a physical format. Thus, it’s important that businesses map where data goes during its time at a company. Knowing where the data is going enables companies to maximize the security protecting it, and comply with GDPR requirements.
Human Error – Employees make mistakes, but that shouldn’t happen from a lack of training. Employees who are uninformed on cybersecurity best practices tend to use weak passwords, delete data incorrectly, or fall prey to phishing scams. The list goes on, but the problem with these mistakes is that they are fixable if companies invest in educating employees and implement a disciplinary process for breaking security protocols.
Unsecured IoT Devices – Many companies now offer a Bring Your Own Device (BYOD) option. However, not everyone has adequate security safeguards in place on these devices to handle company data.
How to Manage PII
So how can you address the challenges listed above?
Only collect/store what you need – Minimize data risk by reviewing what data is required and comparing that with how much data your company actually collects. The safest option is to store as little PII as possible. Then, for each type of PII, identify any legal requirements or compliance regulations that apply to that type of PII. Determine what PII is needed for short-term use and what is needed for long-term use. For short-term data, make sure to establish deletion procedures.
Maximize data security – Use proper authentication methods for anyone accessing PII. Research what technology is recommended for protecting PII and stay abreast of new technology as it becomes available. Limit data transfers, implement firewalls and fix vulnerabilities as soon as possible. If a system needs to update, do it as soon as the update is available, as updates typically include security patches. For physical security, use locks and secure rooms that hold PII.
Monitor and Train Employees – Training employees on best practices and how to access and exit systems safely will help mitigate the risk involved with PII. Likewise, keeping a log of who accesses what data is important, both for physical and digital access.
Create a BYOD Security Policy – To protect against device vulnerability, create a plan for introducing new devices onto a company network. For example, if a new employee wants to bring their own device to work and use it for work-related tasks, there are security prerequisites that must be met before the device is allowed network access. To learn more about BYOD policies, check out this article on Security Strategies for BYOD in the Workplace.
Use monitoring systems – Since the GDPR requires that companies notify affected parties within 72 hours of a breach, it’s vital to monitor PII access. Having a reliable chain of communication enables timely remediation and more effective decision making.
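As an added example (not code from the original post or from RSI Security), here is one way to turn the access log the two points above call for into a detection. The script parses a constructed sample of PII-access log lines in a hypothetical `user= action= record= fields=` format, flags any user who reads an unusually large number of distinct records inside a short window, and lists export actions that include a sensitive field. The log format, the user names, the field names and the thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample access log in a hypothetical key=value format.
# jdoe reads three records over twelve minutes (routine); mallory reads
# twelve distinct records in eleven seconds and then exports one with an SSN.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-01T09:00:00Z user=jdoe action=read record=cust-1001 fields=name,email",
        "2024-03-01T09:04:00Z user=jdoe action=read record=cust-1002 fields=name,email",
        "2024-03-01T09:12:00Z user=jdoe action=read record=cust-1003 fields=name,email",
    ]
    + [
        f"2024-03-01T10:00:{s:02d}Z user=mallory action=read record=cust-{2000 + s} fields=name,ssn"
        for s in range(12)
    ]
    + ["2024-03-01T10:01:00Z user=mallory action=export record=cust-2000 fields=name,ssn"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) fields=(?P<fields>\S+)$"
)

# Field names treated as sensitive PII in this example (assumption).
SENSITIVE_FIELDS = {"ssn", "bank_account", "passport"}


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc),
            "user": m["user"],
            "action": m["action"],
            "record": m["record"],
            "fields": set(m["fields"].split(",")),
        })
    return events


def find_bulk_readers(events, threshold=10, window=timedelta(minutes=5)):
    """Return {user: peak distinct records} for users who touched more than
    `threshold` distinct PII records inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        recent = deque()  # (timestamp, record) pairs inside the current window
        for e in evs:
            recent.append((e["ts"], e["record"]))
            # Drop events older than the window; the current event always stays.
            while e["ts"] - recent[0][0] > window:
                recent.popleft()
            distinct = len({rec for _, rec in recent})
            if distinct > threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def find_sensitive_exports(events):
    """List (user, record) for export actions that include a sensitive field."""
    return [
        (e["user"], e["record"])
        for e in events
        if e["action"] == "export" and e["fields"] & SENSITIVE_FIELDS
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk readers:", find_bulk_readers(evs))
    print("sensitive exports:", find_sensitive_exports(evs))
```

The sliding window is per user and counts distinct records rather than raw events, so an employee re-opening the same customer file repeatedly is not flagged while someone walking through many files in a short period is. Both checks only work if the log actually records who read which record and which fields, which is the point of keeping such a log in the first place.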
PII and the GDPR
The General Data Protection Regulation (GDPR) applies to EU countries, the European Economic Area (EEA), and those companies doing business with European citizens. The GDPR focuses on privacy and, more specifically, giving consumers greater control over how their data is used. In order to comply with GDPR requirements, companies need to know what data they are collecting, where that data is being stored, and how the data is being used. This is important because the GDPR explicitly grants consumers the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure/to be forgotten
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling.
GDPR Technical Security for PII
Although the GDPR doesn’t specifically require encryption, it highly recommends both encryption and pseudonymization. In other words, companies would appear negligent if they didn’t implement some form of encryption to safeguard PII. Encryption can be applied to both data at rest and data in transit. By transforming plaintext data into ciphertext, encryption makes it much more difficult for hackers to obtain valuable consumer information. Other technical considerations, although not always required, include de-identification, anonymization, tokenization, network/data segmentation, access control lists, and application security.
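As an added example (not code from the original post or from RSI Security), the script below shows two of the techniques the paragraph lists, pseudonymization and tokenization, applied to a constructed set of customer records: direct identifiers are replaced by keyed HMAC pseudonyms, the SSN by a random token whose mapping lives in a separate vault, and a check confirms that no raw identifier survives in the protected copy. The record layout, the key handling, the vault class and the truncation of the pseudonym to 16 hex characters are assumptions and design choices of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and values are invented.
# Record 3 is the same person as record 1 seen again, to show linkability.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789", "city": "Boston"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321", "city": "Boston"},
    {"id": 3, "name": "Alice Example", "email": "Alice@Example.com", "ssn": "123-45-6789", "city": "Denver"},
]

# The pseudonymization key is generated here only so the script runs stand-alone;
# in a real deployment it lives in a KMS/HSM or a separate secrets store, never
# next to the pseudonymized dataset (assumption about deployment, not a library API).
PSEUDONYM_KEY = secrets.token_bytes(32)


class TokenVault:
    """Maps random tokens back to the original values (tokenization).

    The vault is the only place the originals exist, so it is stored and
    access-controlled separately from the dataset that carries the tokens.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)  # random, unrelated to the value
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


def pseudonymize(value, key):
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    Equal inputs give equal outputs, so records for one person can still be
    joined; without the key the value cannot be recomputed or cheaply guessed.
    """
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def protect_record(rec, key, vault):
    """Return a copy of the record with direct identifiers replaced."""
    return {
        "id": rec["id"],
        "name_pseudonym": pseudonymize(rec["name"], key),
        "email_pseudonym": pseudonymize(rec["email"], key),
        "ssn_token": vault.tokenize(rec["ssn"]),  # reversible only through the vault
        "city": rec["city"],  # left in clear; not a direct identifier on its own
    }


def contains_raw_pii(protected, rec):
    """True if any original identifier survives in the protected copy."""
    raw = {rec["name"], rec["email"], rec["ssn"]}
    return any(v in raw for v in protected.values())


def protect_all(records, key=PSEUDONYM_KEY, vault=None):
    """Protect a whole dataset; returns the protected records and the vault used."""
    vault = vault if vault is not None else TokenVault()
    return [protect_record(r, key, vault) for r in records], vault


if __name__ == "__main__":
    protected, vault = protect_all(CUSTOMERS)
    for p in protected:
        print(p)
    print("record 1 SSN via vault:", vault.detokenize(protected[0]["ssn_token"]))
```

The two mechanisms differ on purpose: the HMAC pseudonym is deterministic (after normalizing case and whitespace), so the same email address maps to the same pseudonym across datasets and records can still be joined or counted, while the token is random and can only be resolved through the vault. In both cases the secret (the key or the vault) is what has to be kept apart from the data, with its own access controls and logging; a copy of the protected dataset alone then reveals no direct identifiers.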
Protecting PII under the GDPR means companies should conduct a data flow map and a risk assessment (including vulnerability scans and penetration tests). Vulnerability scans can be either internal or external. After finishing these assessments, companies will have a better idea of what threatens the protection of their stored/in-transit PII.
Not complying with GDPR rules can have a serious monetary impact on a company. Article 83 of the GDPR explains the ten criteria for determining the level of penalty given. On the low end, a fine may be €10 million or two percent of the violator’s worldwide annual revenue, and on the high end, fines may be €20 million, or four percent of the violator’s annual revenue. Below are the ten criteria for determining penalties:
- Nature of infringement – What was compromised, who was affected, etc.?
- Intention – Did the company intentionally overlook the violation?
- Mitigation – Did the company take action as soon as the violation was discovered and to what extent?
- Preventative measures – Did the company previously implement measures to avoid violations of the GDPR rules?
- History – Is there a pattern of non-compliance?
- Cooperation – Did the company cooperate with the compliance review or did it try and hinder the process?
- Data type – What type of data was impacted by the violation?
- Notification – Was the violation proactively reported to the supervisory authority by the firm itself or a third party?
- Certification – Did the company receive previous certification?
- Other – Other relevant factors to the case against a company
PII Cloud Security
A 2019 Cloud Data Security Report by Netwrix noted that 46 percent of respondents were considering moving stored PII from the cloud back on-premises. Reverting to old procedures is not the answer and won’t work for every company, especially large entities.
Retailers, manufacturers, and many other enterprises use not just one cloud service, but many. This complicates the matter of monitoring security threats significantly because the encryption key levels are not uniform across all platforms. When dealing with cloud encryption keys, it’s a best practice to store the data in a separate location to the encryption keys. This means a cloud service should not hold the keys as well as the data.
Prior to migrating data to a cloud service, a company should review the security measures that service offers. Store data in a cloud service that matches its threat rating (which should have been noted in a risk/data assessment). Cloud-agile solutions lower the complexity of storing encryption keys while still maintaining a secure environment for data.
PII Security for Migrating to the Cloud
Part of managing PII involves knowing how to properly transfer it when new systems are brought online. Bulk importing allows companies to load user information into a cloud platform before it goes live. This lets IT/cybersecurity teams confirm that the migration was successful (and that security protocols are in place) before adding the risk of online vulnerabilities.
Another concern with migration is that a compliance violation may occur during the process. Migration software/processes don’t always keep track of where data goes in the process, which is an issue since GDPR guidelines mandate that companies know where PII is at all times. For more detailed information on how to migrate PII to the cloud in a compliant manner, read this article on GDPR compliant migration.
PII protection for the Consumer
Although much of the responsibility for protecting PII falls on the companies that collect and store it, consumers can take steps to better protect their information as well. First, protect the answers to your security questions. If you use the name of your dog as the answer to an account security question, don’t post that name on Facebook where hackers can easily glean it. Second, shred physical documents that contain PII. While threat actors increasingly use online scams to steal information, physical theft is still a concern. Third, be very, very wary about revealing your social security number, especially over the phone. Lastly, keep your social security card in a safe location, like a safety deposit box; do not carry it around with you in your wallet.
Compliance underlies a company’s reputation both within its industry and by consumers. Moreover, non-compliance can significantly impact a company’s bottom line. To make sure your PII security protocols satisfy GDPR requirements, contact RSI Security today for compliance advisory services.