Protecting personally identifiable information (PII) is one of the key aspects of a security expert’s job. What does personally identifiable information include? Social Security numbers, birth dates and places, financial accounts and more can give threat actors a foothold to identify someone or steal their money or identity. This data could also be used to stigmatize or embarrass a person.

State and national governments have taken PII more and more seriously over the years. As digital attackers find new ways to trace a person’s identity and steal PII, governments put sanctions in place to prevent it. Those sanctions also mean business entities could see steep fines if they don’t protect their employees’ data. 

So, how can companies protect their employees’ personally identifiable information? And, why should you bother to do so? 

Governmental PII Data Protection Requirements

At the state level in the U.S., California recently instilled the California Consumer Privacy Act, which names several rights that the state’s consumers have regarding their personal data. These include the right to be informed about a company’s collection and sale of PII, opt-out of having their personally identifiable information collected by companies and delete PII collected by companies.

In Europe, the General Data Protection Regulation (GDPR) regulates companies’ handling of European Union citizens’ PII. GDPR determines how firms must process, protect and notify people living in the E.U. regarding their personal data. This includes collecting, storing, transferring or using that data.

5 Steps for Protecting PII

The PII a company collects and stores is highly attractive to attackers who can use it for identity theft, fraud and social engineering attacks.

The Federal Trade Commission (FTC) proposes a five-step plan to secure your company’s PII: 

1. Take Stock

Your company should list all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers and other equipment to find out where PII is stored. Track PII throughout your business by consulting with the sales department, IT staff, human resources office, accounting personnel and outside service providers.

You should answer the following questions:

  • Who sends PII to your company?
  • How does your business receive PII?
  • What kind of PII do you collect at each entry point?
  • Where do you keep the PII you collect?
  • Who has access to that PII?

You should keep in mind that different types of PII present different risks. Your company should pay attention to how you keep your most sensitive PII, such as Social Security and credit card numbers, bank accounts and other sensitive data.

2. Scale Down

Your company should keep only the PII you need for their business and only for as long as you needed it. You should use Social Security and credit card numbers only for required and lawful reasons. Your company’s mobile app should only access the data it needs to function. And you should implement the principle of least privilege when allowing access to PII. If you must keep PII, you should have a retention policy for written records to determine what PII should be kept, how to secure it, how long to keep it and how to dispose of it securely.

3. Lock It

Make sure to protect your PII. The most effective PII security plan addresses physical breaches, electronic safety, employee training and contractor and service providers. For physical security, store files with PII in locked file cabinets, require employees to put secure files they are working on in a secure place, implement strict building access control and store PII at a secure off-site location.

When it comes to electronic security, you should follow best practices in securing PII. These include using robust network security, requiring strong authentication for access to PII and ensuring laptops that handle PII are secure. Use strong firewalls, and secure wireless and remote access for employees. Secure digital copiers and other connected devices, and deploy intrusion detection and protection systems.

4. Pitch It

Your company should properly dispose of PII you no longer need for business purposes. For paper records, these should be shredded, burned or pulverized. For computers, portable storage devices and other electronic devices, erase PII using wipe utility programs. In addition, make sure employees working remotely follow the same PII destruction procedures as your in-office staff. 

5. Plan Ahead 

Your company should establish a response plan for attacks. If an attacker has compromised a computer, disconnect it from your network. You should look into incidents right away and close existing openings. Develop a list of entities to contact should you suffer a PII breach. These could include law enforcement, media, credit bureaus, regulatory agencies and affected businesses, as well as the individual victims. Privacy and personally identifiable information awareness training can help employees keep PII top of mind. 

Employee And Contractor Onboarding

Background checks should be conducted on new hires. You should require them to sign confidentiality agreements and determine what PII they will be handling. When they leave the company, make sure their access to PII is removed. Conduct regular employee awareness training so people can recognize threats, such as phishing emails. Make sure employees know safe PII handling practices. 

Your company should also look into the relevant practices of contractors and service providers before you hire them. Get security expectations in writing in the contract. Require third parties to notify you of breaches or other incidents. 

Cost of Stolen Personally Identifiable Information

Failure to secure PII could lead to phishing and other attacks, regulatory fines and loss of customer trust and loyalty.

The 2020 Cost of a Data Breach Report estimates that the average cost of a loss of PII or other data is $3.86 million globally, and that number jumps to $8.64 million in the United States. The report also found that custom PII data has the highest cost per record lost at $150, while the health care industry had the highest average cost of a data breach at $7.13 million. Also, the average time to pinpoint and contain a data breach was 280 days.

Threat actors caused more than half of the data breaches, but only 13% of malicious breaches were caused by nation-state actors. Compromised credentials and poorly configured clouds were each behind 19% of malicious breaches.

Also, the FTC and U.S. Department of Health and Human Services (HHS) have increased their fines for companies that fail to protect sensitive data. The FTC fined a credit rating agency $575 million for a data breach that exposed PII and other sensitive financial information on 147 million people.

The HHS has doled out more than $128 million in fines for failing to protect PHI since the HIPAA Privacy Rule took effect in 2003. Last month, HHS fined a health insurance provider $1 million for three data breaches involving health-related personal information.

The bottom line is companies need to implement a top-down plan to safeguard PII. This will help them avoid costly data breaches that can result in large fines, loss of face or lawsuits.

More from Data Protection

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Advanced analytics can help detect insider threats rapidly

2 min read - While external cyber threats capture headlines, the rise of insider threats from within an organization is a growing concern. In 2023, the average cost of a data breach caused by an insider reached $4.90 million, 9.6% higher than the global average data breach cost of $4.45 million. To effectively combat this danger, integrating advanced analytics into data security software has become a critical and proactive defense strategy. Understanding insider threats Insider threats come from users who abuse authorized access to…

One simple way to cut ransomware recovery costs in half

4 min read - Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. The median recovery cost for those that use backups is half the cost incurred by those that paid the ransom, according to a recent study. Similarly, the mean recovery cost is almost $1 million lower for those that used backups. Despite this fact, the use of backups is actually falling. This was one of the…