Personally identifiable information (PII) is one of the central focuses of cybersecurity. Most attacks on IT infrastructure target this kind of information, as cybercriminals use it for extortion, fraud, or direct theft. That’s why most cybersecurity regulations focus on protections for PII. In this PII compliance checklist, we’ll break down everything you need to know to keep this data safe.
Your Comprehensive PII Compliance Checklist for 2023
Protecting PII and ensuring compliance means tailoring your security systems to the kinds of PII you process and any frameworks that govern it. To protect PII, you need to be able to:
- Identify what is or may be considered PII, across various regulations
- Protect sensitive financial information, like credit card and payment data
- Comply with PII requirements related to location (yours and your clients’)
- Secure information critical to specific industries (including the government)
- Optimize protections for PII compliance requirements across regulations
Compliance is challenging, especially when multiple regulations apply. Working with a security program advisor will help you rethink your cyberdefenses to meet these needs efficiently.
1. Understand What Constitutes PII, Across Regulations
The first and most critical competency for meeting PII compliance requirements is knowing what is considered PII. PII is a broad term; it includes, but is not limited to, the following:
- First and last names, aliases, and other names a person has used
- Biometric information, such as fingerprint or retinal scans
- Home, work, mailing, and other addresses (current or past)
- Phone or fax numbers, email addresses, and contact information
- Driver’s license, social security, and other identification numbers
- Usernames, passwords, and other authentication credentials
This information is particularly sensitive when paired with other data, such as educational, health, payment, or other records linked to the individual in question. If a document has some combination of this sensitive information, regulators may consider it to be or contain PII.
The kinds of PII you’ll need to protect vary by industry and location, among other factors. But in all cases, meeting PII compliance requirements means implementing required controls. In some cases, you may also need to perform an assessment to prove your PII security.
2. Protect Payment and Financial Information
If your organization accepts or processes payments, there’s a strong chance that Payment Card Industry (PCI) regulations apply to you. The PCI Security Standards Council (SSC) specifically protects PII related to payment cards and their holders, which is called cardholder data (CHD).
CHD includes any information of or related to credit cards or their holders, such as Primary Account Numbers (PAN), names on cards, expiration dates, security codes, and more.
Most organizations that process CHD are subject to the PCI Data Security Standard (DSS).
Payment applications are regulated via their developers and vendors, to whom the Security Software Framework (SSF) applies. The SSF breaks down into the Secure Software Standard and Secure Software Lifecycle (Secure SLC) Standard. Together, these regulations comprise some of the most widely applicable PII compliance requirements.
PCI DSS and PCI SSF Compliance Requirements
If your organization stores, transmits, processes, or otherwise comes into contact with CHD, you likely need to comply with the DSS. If you are a developer or vendor of payment applications, you may need to comply with the SSF. In practice, complying with either framework begins with implementing its controls (Requirements and Control Objectives, respectively).
Protecting PII per the DSS involves meeting its 12 Requirements:
- Installing and maintaining network security controls
- Using secure configurations on software and hardware
- Protecting any account data stored in your systems
- Encrypting CHD prior to open network transmission
- Safeguarding systems and networks against malware
- Developing and maintaining secure software and systems
- Restricting access to CHD by business need to know
- Requiring user authentication for access to systems
- Limiting physical access to systems containing CHD
- Monitoring and logging all access to CHD and systems
- Testing system and network security at regular intervals
- Supporting CHD security with formal policies and procedures
Likewise, protecting PII per the SSF requires implementing some combination of the Secure Software Standard and the Secure SLC Standard’s respective Control Objectives:
- Secure Software Standard –
  - Identify critical assets
  - Use secure default options
  - Retain sensitive data
  - Protect critical assets
  - Control authentication and access
  - Protect sensitive data
  - Use cryptographic controls
  - Track activity
  - Detect attacks
  - Manage threats and vulnerabilities
  - Maintain software updates
  - Provide guidance for secure implementation
- Secure SLC Standard –
  - Define responsibilities and resources
  - Implement policies and strategies
  - Identify and mitigate threats
  - Detect and mitigate vulnerabilities
  - Manage changes
  - Protect integrity
  - Protect sensitive data
  - Provide guidance for vendors
  - Communicate with stakeholders
  - Provide information about updates
Beyond implementing these controls, you’ll likely need to assess and report on their efficacy.
For DSS compliance, you may be able to self-assess, but many organizations will need to work with a Qualified Security Assessor (QSA) for a Report on Compliance (RoC). As for the new SSF framework, working with a PCI SSF advisor will help you prepare for future audits.
3. Comply with Location-Based PII Protections
There are also requirements that state, national, and other governments enforce to protect PII; these apply across most industries, but they may depend upon business size. They exist to protect individuals who live in or are otherwise connected to a given area. And they often involve implementing a specific framework’s controls and/or assessing your security to ensure that PII is protected up to the governmental standard.
Note that these requirements may apply to you even if your organization is not located in the target area, so long as you conduct business in it physically or virtually. In other words, if your clientele is there, you may need to comply.
Let’s dive into two examples of PII compliance requirements based on client location.
Local Requirements for Protecting PII (CCPA)
In the US, several state governments have enacted or are developing protections for PII. One of the first and most stringent is the California Consumer Privacy Act (CCPA). Meeting PII compliance requirements of the CCPA means ensuring certain rights are protected.
In a nutshell, the CCPA exists to protect four critical rights of California residents:
- The right to know about PII collection, use, and sharing
- The right to delete PII that’s been collected from them
- The right to opt-out of certain uses of PII concerning them
- The right to non-discrimination for exercising CCPA rights
However, the California Privacy Rights Act (CPRA), approved in 2020, adds two more rights:
- The right to correct inaccuracies in PII collected or shared
- The right to limit businesses’ uses and disclosures of their PII
PII compliance for the CCPA means monitoring your systems to ensure that all PII sharing and usage is authorized. You also need to be able to limit or stop PII processing or sharing upon request. There are exceptions to these rules; some unauthorized uses of PII may be tolerated. Working with a CCPA compliance advisor is the best way to determine the scope of controls needed and how to address a complaint.
International PII Security Requirements: GDPR
One of the most widely applicable PII protection frameworks in the world is also one of the strictest and most punishing. The European Union’s General Data Protection Regulation exists to protect privacy rights of data subjects or people identified in PII. The massive legal text establishes roles and responsibilities data controllers and processors need to account for to ensure that these rights are upheld, along with fines and enforcement protocols if they are not.
If this seems similar to CCPA compliance, that’s because it is: the CCPA is explicitly modeled after the GDPR. The GDPR is considered the gold standard for security worldwide.
This is largely because of the consequences GDPR non-compliance can have. For example, EU Member States can assess fines of up to €20 million or 4% of an organization’s worldwide revenue.
Working with an external Data Protection Officer (DPO) is one approach to protecting PII per GDPR standards. Another is consulting with a GDPR compliance advisor.
4. Meet Industry-Specific PII Requirements
Industry-specific certifications comprise another source of PII compliance requirements. Some industries that require organizations to handle or process sensitive data, including PII, require special protections to ensure that it’s not compromised. That generally means implementing controls from a given framework and conducting internal or external assessments to verify PII security.
These protections typically apply irrespective of and in addition to local and other regulations. In fact, there may be significant overlap between industry-specific controls and other kinds of requirements.
These regulations also apply to organizations outside of the industry in question. For example, if you are connected to the industry through your partners or clients, you may need to comply.
To that effect, two of the most widely applicable industry regulations involve healthcare and government contract work.
Healthcare-related PII Protection: HIPAA
Organizations in and adjacent to the healthcare industry need to secure a kind of PII called Protected Health Information (PHI). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes what PHI is and how to protect it. Covered Entities and their Business Associates need to protect information regarding patients’ identities in conjunction with their health conditions, treatments they receive, and payments made for that care.
In practice, meeting these PII compliance requirements means following three prescriptive rules:
- The Privacy Rule – PHI can only be used or disclosed with the consent of the patient or in select Permitted Use cases, such as healthcare operations or public benefit research.
- The Security Rule – Covered Entities must ensure the confidentiality, integrity, and availability of PHI by installing Administrative, Physical, and Technical Safeguards.
- The Breach Notification Rule – Unauthorized disclosures of unsecured PHI must be reported to the impacted individuals, the HHS Secretary, and (in some cases) the media.
Failure to protect PHI according to these rules can lead to monetary and criminal penalties, as detailed in the Enforcement Rule. Working with a HIPAA advisor is the best way to prevent breaches, mitigate risks, and steer clear of non-compliance.
Governmental PII Protection: NIST and CMMC
If your organization works closely with the US government, there’s a good chance you process Controlled Unclassified Information (CUI). There is a category of CUI dedicated to PII, and many other forms of CUI also contain PII. So, in practice, meeting compliance requirements for CUI means implementing and assessing against various National Institute of Standards and Technology (NIST) frameworks.
For example, organizations that work with the Department of Defense (DoD) need to achieve Cybersecurity Maturity Model Certification (CMMC) at one of three levels:
- CMMC Level 1 – Foundational protections, requiring implementation of 15 practices adapted from NIST SP 800-171, along with annual self-assessment and affirmation
- CMMC Level 2 – Advanced protections, requiring implementation of 110 practices (covering the entirety of NIST SP 800-171) and triennial self or third-party assessments
- CMMC Level 3 – Expert protections, including all 110 practices from Level 2 and an undefined set of controls from NIST SP 800-172, along with government-led assessment
These Levels correspond to deeper and more comprehensive protections for Defense-specific CUI, which includes additional forms of PII such as Federal contract information.
Working with a CMMC advisor is the best way to prepare for assessments and meet the PII compliance requirements for winning DoD contracts.
5. Streamline Your PII Compliance Requirements
Chances are, your organization is faced with multiple and overlapping requirements for protecting PII, given the different kinds you process and other factors noted above. Even if the scope of PII compliance is straightforward, you will benefit from a dedicated tool or suite of solutions for monitoring and protecting PII.
One of the most useful tools in this regard is a PII/PAN Scanner.
PII/PAN Scanners work by searching for, identifying, and flagging all PII that exists on your systems. This lets you know in real time what needs to be protected. Depending on where you are in your security maturity, this can be a critical first step or an ongoing process of discovery and segmentation.
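To show what a PAN scanner actually does under the hood, here is an added example (not code from the original article or from any vendor's product): it finds 13–19 digit runs in text, uses the Luhn check to discard order numbers and other digit noise, and reports each hit masked to first six / last four so the scan report itself does not become a new store of cardholder data. The sample log lines and the test card numbers are constructed.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which PANs of the major card brands satisfy.
    It rejects most incidental digit runs (order ids, timestamps, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first 6 / last 4, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # file or system the line came from
    line_no: int
    masked_pan: str  # never the full PAN


def scan_lines(source: str, lines) -> list:
    """Return a Finding for every Luhn-valid candidate PAN in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, n, mask_pan(digits)))
    return findings


# Constructed sample log (no real cardholder data): two well-known Luhn-valid
# test numbers plus decoy digit runs that a naive regex would flag.
SAMPLE_LOG = [
    "2023-05-01 order=12345678901234 status=ok",          # 14 digits, fails Luhn
    "customer paid with 4111 1111 1111 1111 exp 12/25",   # Visa test PAN
    "refund to 5555-5555-5555-4444 processed",            # Mastercard test PAN
    "callback phone 18005551234567 requested",            # 14 digits, fails Luhn
]

if __name__ == "__main__":
    for f in scan_lines("constructed.log", SAMPLE_LOG):
        print(f)
```

In a real deployment the same logic runs over file shares, databases and log stores, and each finding feeds the DSS scoping and "protect stored account data" work rather than being printed.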
The HITRUST CSF Approach to PII Compliance
Another approach to meeting overlapping PII compliance requirements is implementing a single, comprehensive framework that accounts for all of them at once—like HITRUST.
The HITRUST CSF comprises controls adapted from frameworks mentioned above, such as the GDPR and DSS, along with many others. It condenses practices for all requirements for these and other regulations into one framework.
Namely, the CSF houses thousands of PII protections across 14 Control Categories:
- 0.0 Information Security Management Program
- 01.0 Access Control
- 02.0 Human Resources Security
- 03.0 Risk Management
- 04.0 Security Policy
- 05.0 Organization of Information Security
- 06.0 Compliance
- 07.0 Asset Management
- 08.0 Physical and Environmental Security
- 09.0 Communications and Operations Management
- 10.0 Information Systems Acquisition, Development, and Maintenance
- 11.0 Information Security Incident Management
- 12.0 Business Continuity Management
- 13.0 Privacy Practices
HITRUST also allows for streamlined assessment against various regulations’ requirements as part of the “assess once, report many” approach. All controls are mapped to various “Levels,” including applicable requirements for PCI, HIPAA, NIST, CMMC, and other assessments.
So, one comprehensive and surprisingly straightforward way to check off every box on your PII compliance checklist is working with a HITRUST advisor to achieve CSF Certification.
Optimize PII Defenses with RSI Security
To recap, meeting all the PII compliance requirements that apply to your organization starts with identifying any data you preside over that might qualify as PII, such as certain kinds of financial information. There are also protections for PII based on where you or your clients are located, and certain industries require specific PII controls. To account for all these considerations at once, use a comprehensive PII security solution.
Whichever kinds of PII your organization needs to protect, RSI Security will help you rethink your defenses and optimize your compliance. To learn more about how, or tailor this PII compliance checklist to your organization’s specific needs, contact RSI Security today!