Did you know that a total of $4.27 million is lost every year to malicious attacks (not to mention the penalties that follow these breaches)?
In order to stay a step ahead of the criminals, you need to ensure that the Personal Identifiable Information (PII) of your customers is in safe hands and that your technology is on par with, or even ahead of, what the hackers use.
However, before you hunt for suitable security software, you first need to understand what PII is and how you can protect it in your company from a cybersecurity standpoint.
In this post, we’ll be explaining what PII is in detail, outlining the 5 major steps to keep it safe, and the different compliance regulations that govern it.
Here’s what we’ll cover:
- What Is PII (Personal Identifiable Information) And Why Is It Important? (Examples)
- What Counts As PII? 3 Main Types You Need To Know About
- How To Protect Your Personal Identifiable Information: 5 Top Best Practices
- Who Is Responsible For PII Compliance And What Happens In Case of Violation? 3 Compliance Standards To Consider
What Is PII (Personal Identifiable Information) And Why Is It Important? (Examples)
PII or Personal Identifiable Information is the information collected and used by companies, either on its own or in combination with other data, to identify, contact, or locate a person for their business purposes.
What does PII include?
Examples of PII may include:
- Social security numbers.
- Passport numbers.
- Driver’s license numbers.
- Financial information.
- Contact information.
- And more.
PII and privacy law
PII is an integral part of the privacy laws of many countries and territories, including the United States, the European Union, Australia, New Zealand, Canada, and more.
Let’s take a look at some definitions and examples in detail.
PII in the United States
According to the National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information, ‘personally identifiable’ is defined as:
Any information, for instance a name, social security number, or biometric data, that could be used to identify or locate a person.
PII in the European Union
According to directive 95/46/EC, ‘personal data’ is as follows:
Any information relating to a person's physical, physiological, mental, economic, cultural, or social identity that could be used to identify them, in particular an ID number.
PII in Australia
Australia’s definition of ‘personal information’ in the Privacy Act 1988 is broader than in other countries. It includes not just the information but opinion as well, which could make a person’s identity apparent or ascertainable.
PII in New Zealand
According to the Privacy Act of New Zealand, ‘personal information’ includes the following:
- Contact details.
- Financial health records.
- Purchase records.
PII in Canada
According to the Personal Information Protection and Electronic Documents Act (PIPEDA), ‘personal information’ is any data that, alone or in combination with other information, can identify a person.
What Counts As PII? 3 Main Types You Need To Know About
There are three important personal information types, which are the main targets of hackers:
- Card and cardholder data.
- General PII.
- And protected health information (PHI).
Below, we’ll cover what you need to know about each type of PII.
Card and cardholder data
As the name indicates, it’s the information associated with a credit or debit card. This includes:
- Cardholder’s name.
- Card numbers.
- Security codes.
- Expiration dates.
- Account numbers.
- And more.
General PII
General PII can be non-sensitive or sensitive.
Sensitive PII requires security measures to keep it from reaching criminals, as its exposure can lead to numerous crimes, for instance identity theft. Examples of sensitive PII include:
- Social security numbers.
- Birth certificates.
- And more.
Non-sensitive PII is data that can be stored and transmitted without any security measures in place, such as work phone numbers.
Protected health information (PHI)
Protected health information (PHI) is personal information that includes lab test results, radiology results, diagnoses, and other sensitive health data of a person alongside their name, birth date, and social security number.
This is typical for the healthcare industry. For more information on that, see our guide on healthcare document management best practices.
In addition to the aforementioned PII, there are ‘quasi-identifiers’ and ‘pseudo-identifiers’: pieces of information that, coupled with other data, could lead to identifying a person.
Now that you have an idea of what PII is and the different types, let’s take a look at some best practices to protect your sensitive information.
How To Protect Your Personal Identifiable Information: 5 Top Best Practices
The PII that a company holds is a gold mine for attackers, as they can use it for a plethora of lucrative crimes, for instance identity theft, social engineering attacks, and in a few cases even blackmail.
If you intend to steer clear of any such incident at your company, then you should be following some of the best practices and steps below to keep your sensitive information safe.
The Federal Trade Commission recommends doing the following to keep your PII safe:
- Take stock and record what personal information you have on your files and computers.
- Scale down and keep only what you need for your business.
- Lock and protect the information you keep.
- Properly dispose of non-essential PII you no longer need.
- Plan ahead and establish a response plan for cyber attacks and security incidents.
Now, let’s take a look at each step in detail to make sure you get the most out of your personal identifiable information and keep confidential data safe.
1. Take stock and keep an organized record of your personal identifiable information
Since PII is highly confidential and susceptible to cyberattacks, it’s essential to keep it organized and record every detail of where and how it is stored.
That means all the computers, data storage devices, physical and digital copies, digital copying equipment, and other hardware and software that are used to store, secure, and monitor the PII.
Consult with all the relevant departments within your company and outside service providers that are in contact with or responsible for storing and securing the PII.
The five major questions to answer for an organized PII record, so that the data doesn’t land in the wrong hands, are:
- Who is sending PII to your company?
- How does your company receive PII, i.e., what are the hardware and software sources and who handles them?
- What types of PII do you collect at each entry point?
- Where is the PII stored?
- Who can access the PII, i.e., which hardware, software, and personnel?
Different types of PII pose different risks. For instance, a database of medical histories poses a different security threat than one of social security numbers and credit card info (Blacklist taught us that even medical histories can be used in criminal activities, so it isn’t just about privacy!).
Keeping this in view, you should devise a different protection strategy for each kind of PII you collect.
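Step 1 in practice is a PII inventory: scan every data source you hold and record which fields contain which kind of PII. The following added example (not code from the original post) does this over constructed sample records, using a Luhn checksum so that only genuine-looking card numbers are reported and the SSA's format rules to cut false SSN hits; the source names, field names and values are all assumptions made for the example.

```python
import re

# Constructed sample data: two internal sources with a few fields each. The SSN and
# card values are made-up test strings for this example, not real identifiers.
SAMPLE_SOURCES = {
    "crm.customers": [
        {"name": "A. Example", "email": "a@example.com", "work_phone": "555-0100",
         "notes": "SSN on file 123-45-6789"},
    ],
    "billing.orders": [
        {"order_id": "1001", "card": "4539 1488 0343 6467", "exp": "12/27"},
        {"order_id": "1002", "card": "1234 5678 9012 3456", "exp": "01/26"},
    ],
}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (the SSA's format rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value: str) -> set:
    """Return the PII categories detected in a single field value."""
    found = set()
    if SSN_RE.search(value):
        found.add("ssn")
    if EMAIL_RE.search(value):
        found.add("email")
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card_number")
    return found

def inventory(sources: dict) -> dict:
    """Build the 'take stock' record: source.field -> categories of PII found there."""
    report = {}
    for source, records in sources.items():
        for rec in records:
            for name, value in rec.items():
                found = classify(str(value))
                if found:
                    report.setdefault(f"{source}.{name}", set()).update(found)
    return report
```

Note that PII turned up in the free-text notes field, which is exactly the kind of entry point a manual stock-take tends to miss.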
2. Scale down and keep only the PII you need
The next step is to look into your database and figure out which PII is needed and which isn’t relevant anymore.
Companies often store data for long periods of time even though they no longer need it. This isn’t just risky; it also eats up your data storage and imposes extra costs due to mismanagement.
Therefore, go back into your database and figure out which PII is needed and which isn’t. This applies not just to the records you keep but also to what data you store in the first place.
The FTC suggests the following steps for scaling down PII:
- Only use social security numbers for essential and lawful purposes, for instance, for recording and reporting employees' taxes.
- Your company’s mobile app should only access data that it needs to function properly.
- Dispose of your customers’ credit card details as soon as you are done with their business purposes.
- Implement the principle of least privilege (PoLP).
The principle of least privilege (PoLP) is an information security concept in which a person can access only those pieces of information that are absolutely essential to perform their job function. This means they have the minimum level of access or permission possible.
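The scale-down step and PoLP can be enforced in the data model itself. This added example (not the post's or any vendor's code) gives each job role a fixed set of readable fields, serves masked variants where the full value isn't needed, purges card details once the purchase is settled, and writes every access attempt to an audit log; the roles, field names and masking rules are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Least-privilege field map: each job role may read only the fields it needs.
# Roles, field names and masking rules are assumptions made for this example.
ROLE_FIELDS = {
    "support": {"name", "email", "ssn_last4"},
    "payroll": {"name", "ssn"},                  # full SSN only for tax reporting
    "billing": {"name", "card_last4", "card_expiry"},
}

@dataclass
class CustomerRecord:
    name: str
    email: str
    ssn: str
    card_number: str = ""        # retained only until the purchase is settled
    card_expiry: str = ""
    audit: list = field(default_factory=list)   # who read (or was denied) what

    def _fields(self) -> dict:
        """Full and masked views; masked variants let roles work without raw PII."""
        return {
            "name": self.name,
            "email": self.email,
            "ssn": self.ssn,
            "ssn_last4": "***-**-" + self.ssn[-4:],
            "card_last4": ("**** " + self.card_number[-4:]) if self.card_number else "",
            "card_expiry": self.card_expiry,
        }

    def read(self, role: str, name: str) -> str:
        """Return one field for a role, or raise; every attempt goes to the audit log."""
        allowed = name in ROLE_FIELDS.get(role, set())
        self.audit.append((role, name, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{role} may not read {name}")
        return self._fields()[name]

    def settle_purchase(self) -> None:
        """Scale down: once the card has served its purpose, drop it from the record."""
        self.card_number = ""
        self.card_expiry = ""
        self.audit.append(("system", "card_number", "purged"))
```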
3. Lock and protect the sensitive information you keep, secured with an effective PII security plan
An effective PII security plan comprises four key elements:
- Physical security.
- Electronic security.
- Employees’ security training.
- And secure contractors and service providers.
Here’s how each works.
Physical Security
You can ensure the security of physical data, i.e., paper documents and hard drives, in the following ways:
- Store all paper documents and drives containing PII in a locked room or file cabinet, with access granted according to PoLP.
- Keep all the physical PII in locked areas at all times unless required while working.
- Ensure that your employees lock sensitive files, thumb drives, and computers at the end of the day.
- Have an access control system in place at your workplace and offsite storage facilities.
- Encrypt shipped sensitive information and keep its record.
- Secure devices that collect sensitive data, for instance, PIN pads.
Electronic Security
Following are a few ways in which you can ensure the electronic security of the PII collected and stored in your company:
- Have a general network security system in place.
- Set up an authentication system to access the data. This could differ based on the sensitivity level of the PII.
- Restrict the use of laptops, and where laptops are essential, prevent employees from storing PII on them.
- Use firewalls for protection against cyberattacks.
- Limit wireless and remote access to your computer network.
- Secure digital copiers.
- Keep a breach detection system in place.
Employees’ Security Training
Implement employee security training based on the following principles:
- Run background checks on employees.
- Have them sign a confidentiality agreement.
- Keep records of which employees have access to PII.
- Train employees on PII security, data breaches, and how to tackle them.
Secure Contractors And Service Providers
Before you outsource your work, ensure that you secure the contractors and service providers who’ll be in contact with the PII. Here’s how:
- Thoroughly analyze the service provider’s data security practices and standards.
- Make contracts regarding PII.
- Insist that in case of any security breach affecting your PII, they’ll let you in on the complete details.
4. Properly dispose of the non-essential PII
Once you’re done with the PII of a customer, dispose of it properly: it might be trash for you, but it’s gold for criminals.
Here’s how you can do it with certainty that it doesn’t land in the wrong hands:
- Devise and implement an information disposal system for all forms of records (physical, electronic, and with external service providers).
- Shred, burn, or pulverize paper records.
- Wipe your old computers and other devices with wipe utility programs.
- Ensure that your employees follow the PII disposal procedure regardless of where they are.
- Follow the FTC’s Disposal Rule if you deal with consumer credit reports.
5. Plan Ahead and create a response plan for cyber attacks
Regardless of how cautious you are, there is a chance that your company’s PII might still get compromised, as attack techniques are becoming more advanced by the day.
Have a contingency plan in place in case of any such incident:
- Devise and implement a response plan to handle and counter security attacks.
- Immediately disconnect any affected computer from the network in case of a cyberattack.
- Investigate security breaches.
- Create a plan on who to notify in case of a security incident by consulting your attorney.
Now, one last thing, let’s take a look at compliance for PII.
Who Is Responsible For PII Compliance And What Happens In Case of Violation? 3 Compliance Standards To Consider
Your responsibility in terms of PII compliance depends on three factors: the organization type, which state the organization is based in, and in which country it conducts business.
Following are the main PII laws or compliance standards:
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), also termed the Financial Services Modernization Act, was enacted in 1999 and requires financial institutions, such as loan providers, insurance companies, and investment firms, to explain their information-sharing practices to their customers.
Furthermore, under GLBA, it’s their responsibility to protect the sensitive data shared with them.
In case of any violation of GLBA, the financial institution will be subject to a civil penalty of up to $100,000. Similarly, at the personal level, i.e., for the officers and directors responsible for the violation, the civil penalty is up to $10,000.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a privacy and security law by the European Union imposed on all organizations, throughout the world, targeting or collecting data related to the people in the EU.
In case of a violation of GDPR, the organization will be subject to a fine of up to €20 million or 4% of the annual global turnover, whichever is higher.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) governs the secure data handling, storage, and processing of customer card data.
In case of a violation of PCI DSS, your organization may be subjected to the following penalties:
- Fines range from $5,000 to $10,000 per month.
- The penalty increases as the non-compliance period extends.
- After 7 months, a fine of $100,000 per month is imposed.
Where To Go From Here
We hope that by now you are familiar with Personal Identifiable Information (PII), what it is, and how it works.
Practically speaking, when safeguarding your customer personal identifiable information, you should also be using the best cyber security practices, such as:
- AES-256 end-to-end encryption.
- Role-based access controls.
- Sensitive document expiry & self-deletion.
- 2FA support.
- Full audit and document log.
- Live document alerts.
- Secure API integration.
- Direct & automatic storage.
- And more.
For this, you need the right document management system: one that can help with document generation and secure storage, automate delivery, and upgrade your document management operations.
Inkit is a document generation system with a built-in security platform, purpose-built to deal with problems faced by sectors that need assurance in document automation and security, such as:
- Government & defense.
- Financial & insurance.
- Transport & logistics.
- Admin support services.
- Information & telecommunication.
- And more.