Protecting personally identifiable information (PII) is one of the key aspects of a security expert’s job. What does personally identifiable information include? Social Security numbers, birth dates and places, financial accounts and more can give threat actors a foothold to identify someone or steal their money or identity. This data could also be used to stigmatize or embarrass a person.
State and national governments have taken PII more and more seriously over the years. As digital attackers find new ways to trace a person’s identity and steal PII, governments put sanctions in place to prevent it. Those sanctions also mean business entities could see steep fines if they don’t protect their employees’ data.
So, how can companies protect their employees’ personally identifiable information? And, why should you bother to do so?
Governmental PII Data Protection Requirements
At the state level in the U.S., California recently instilled the California Consumer Privacy Act, which names several rights that the state’s consumers have regarding their personal data. These include the right to be informed about a company’s collection and sale of PII, opt-out of having their personally identifiable information collected by companies and delete PII collected by companies.
In Europe, the General Data Protection Regulation (GDPR) regulates companies’ handling of European Union citizens’ PII. GDPR determines how ﬁrms must process, protect and notify people living in the E.U. regarding their personal data. This includes collecting, storing, transferring or using that data.
5 Steps for Protecting PII
The PII a company collects and stores is highly attractive to attackers who can use it for identity theft, fraud and social engineering attacks.
The Federal Trade Commission (FTC) proposes a five-step plan to secure your company’s PII:
1. Take Stock
Your company should list all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers and other equipment to find out where PII is stored. Track PII throughout your business by consulting with the sales department, IT staff, human resources office, accounting personnel and outside service providers.
You should answer the following questions:
- Who sends PII to your company?
- How does your business receive PII?
- What kind of PII do you collect at each entry point?
- Where do you keep the PII you collect?
- Who has access to that PII?
You should keep in mind that different types of PII present different risks. Your company should pay attention to how you keep your most sensitive PII, such as Social Security and credit card numbers, bank accounts and other sensitive data.
2. Scale Down
Your company should keep only the PII you need for their business and only for as long as you needed it. You should use Social Security and credit card numbers only for required and lawful reasons. Your company’s mobile app should only access the data it needs to function. And you should implement the principle of least privilege when allowing access to PII. If you must keep PII, you should have a retention policy for written records to determine what PII should be kept, how to secure it, how long to keep it and how to dispose of it securely.
3. Lock It
Make sure to protect your PII. The most effective PII security plan addresses physical breaches, electronic safety, employee training and contractor and service providers. For physical security, store files with PII in locked file cabinets, require employees to put secure files they are working on in a secure place, implement strict building access control and store PII at a secure off-site location.
When it comes to electronic security, you should follow best practices in securing PII. These include using robust network security, requiring strong authentication for access to PII and ensuring laptops that handle PII are secure. Use strong firewalls, and secure wireless and remote access for employees. Secure digital copiers and other connected devices, and deploy intrusion detection and protection systems.
4. Pitch It
Your company should properly dispose of PII you no longer need for business purposes. For paper records, these should be shredded, burned or pulverized. For computers, portable storage devices and other electronic devices, erase PII using wipe utility programs. In addition, make sure employees working remotely follow the same PII destruction procedures as your in-office staff.
5. Plan Ahead
Your company should establish a response plan for attacks. If an attacker has compromised a computer, disconnect it from your network. You should look into incidents right away and close existing openings. Develop a list of entities to contact should you suffer a PII breach. These could include law enforcement, media, credit bureaus, regulatory agencies and affected businesses, as well as the individual victims. Privacy and personally identifiable information awareness training can help employees keep PII top of mind.
Employee And Contractor Onboarding
Background checks should be conducted on new hires. You should require them to sign confidentiality agreements and determine what PII they will be handling. When they leave the company, make sure their access to PII is removed. Conduct regular employee awareness training so people can recognize threats, such as phishing emails. Make sure employees know safe PII handling practices.
Your company should also look into the relevant practices of contractors and service providers before you hire them. Get security expectations in writing in the contract. Require third parties to notify you of breaches or other incidents.
Cost of Stolen Personally Identifiable Information
Failure to secure PII could lead to phishing and other attacks, regulatory fines and loss of customer trust and loyalty.
The 2020 Cost of a Data Breach Report estimates that the average cost of a loss of PII or other data is $3.86 million globally, and that number jumps to $8.64 million in the United States. The report also found that custom PII data has the highest cost per record lost at $150, while the health care industry had the highest average cost of a data breach at $7.13 million. Also, the average time to pinpoint and contain a data breach was 280 days.
Threat actors caused more than half of the data breaches, but only 13% of malicious breaches were caused by nation-state actors. Compromised credentials and poorly configured clouds were each behind 19% of malicious breaches.
Also, the FTC and U.S. Department of Health and Human Services (HHS) have increased their fines for companies that fail to protect sensitive data. The FTC fined a credit rating agency $575 million for a data breach that exposed PII and other sensitive financial information on 147 million people.
The HHS has doled out more than $128 million in fines for failing to protect PHI since the HIPAA Privacy Rule took effect in 2003. Last month, HHS fined a health insurance provider $1 million for three data breaches involving health-related personal information.
The bottom line is companies need to implement a top-down plan to safeguard PII. This will help them avoid costly data breaches that can result in large fines, loss of face or lawsuits.