PII requires protection for both legal and reputational reasons, but if a data breach occurs, will your company still be able to protect this sensitive data?

What Is Considered PII?

Personally identifiable information is any information that could be used to identify a specific individual; this includes Social Security numbers, full names, and passport numbers.

These are typically regarded as the traditional forms of PII. However, with the increased digitization of society and with it our online identities, the scope of PII has expanded to include personally identifiable financial information, login IDs, IP addresses, and social media posts. 

PII Data Classification 

PII data classification is a central part of the PII identification process, and it can be used to broadly differentiate between sensitive and nonsensitive PII. 

Nonsensitive PII

This is the type of PII that can be easily obtained from public sources like corporate directories, the internet, and phone books. It can also be transmitted in an unsecured form without harming the individual or exposing their identity. This type of data usually consists of the following:

• Gender
• Zip Code
• Date of birth
• Place of birth 
• Ethnicity

This obviously isn’t an exhaustive list. However, it underlines the type of information about a person that doesn’t pose any threat to their privacy when made public. 

Sensitive PII

This consists of personal information whose public exposure can be harmful to the individual. The risk of exposure often results in identity theft that damages the individual’s credit or compromises their financial wellbeing.

Examples of sensitive PII include the following:

• Social security number
• Passport number
• Driver’s license
• Mailing address
• Medical records
• Credit card information
• Banking and financial information

Risk also extends to organizations when sensitive PII in their possession is leaked or compromised. The organization breached suffers reputational damage and is often burdened with noncompliance fines. As a result, sensitive PII needs to be stored securely, usually by using strong encryption mechanisms. 

What Are Non-PII Examples?

There is some overlap between non-sensitive PII and what is generally considered non-PII. Though non-PII may relate to an individual, the information is so general it will not point to the individual’s identity.  

Non-PII examples include information such as race, religion, business phone numbers, place of work, and job titles. 

Although nonsensitive PII and non-PII may contain quasi-identifiers, this type of data alone cannot be used to confirm a person’s identity on its own. However, when nonsensitive data is combined or linked with other personal linkable information, it can be used to identify an individual. 

So businesses should still exercise caution with non-PII since reidentification and de-anonymization techniques can be applied on them. Especially through piecing together several sets of quasi-identifiers to distinguish individuals and reveal their personal identities.

Therefore, organizations should ask themselves two questions regarding the sensitivity of their data:

1. Identification: Can this specific piece of data on its own be used to identify an individual?
2. Data combination: Can several unique pieces of data be pieced together to identify someone?

PII is a very malleable term and the precise contours of its definition depend on where you live in the world. For instance, the United States government defines it as anything that can “be used to distinguish or trace an individual's identity,” such as biometric data, whether in isolation or in conjunction with other identifiers like date of birth or educational information.

In Europe, its definition expands to include quasi-identifiers as listed in General Data Protection Regulation. 

Why Is PII Important?

Identification mechanisms are crucial in a functional society to distinguish one person from another. The individual markers that PII provides are necessary to acquire and disseminate goods and services in a market economy. Not to mention its importance for ownership and acquisition of capital. 

For instance, without PII, it would be impossible to have meaningful medical records to facilitate public healthcare or grease the wheels of commerce with credit and banking information.

PII is also important to criminals who can sell it for a handsome profit on the black market.

Why Is Safeguarding PII Important?

As highlighted in the last section, PII is necessary for the flow of goods and services in a society. However, if left unprotected, PII leads to identity theft and other forms of fraud. This is because hackers find PII to be an extremely valuable target due to the variety of criminal activity it allows them to perpetrate. 

Some of the potential harm suffered by individuals may include embarrassment, theft, and blackmail. Data breaches not only create legal liability for the organization but also reduce public trust in the organization. Due to these risks, PII should be protected from unauthorized access, usage, and disclosure to safeguard its confidentiality.

However, PII creates privacy and data security challenges for organizations that collect, store, or process it. Therefore, the importance of PII also stems from its impact on the information security environments of organizations and the legal obligations this demands.

PII Security Best Practices

PII has become so valuable to enterprises and bad actors alike that it needs a special security framework to protect it both at rest and in transit. In addition to the traditional methods of encryption and identity access management, this framework also encompasses document security measures such as data loss prevention, digital rights management, and information rights management. 

DRM includes data security measures that protect PII within the boundaries of the corporate network or firewalls. But while DRM is important to PII, its overriding objective is locking down data, intellectual property protection, and the monetization that goes with it. IRM, however, is based on zero-trust security, which essentially means an implicit distrust of the user or platform that has access to the data. To achieve this, IRM accompanies the data wherever it goes. 

Here are the six practical ways to ensure the PII collected by your organization is secure:

1. Discover and classify PII: This starts with identifying and classifying all the PII an organization collects, accesses, processes, and stores. It also involves locating where this data is stored, especially sensitive PII, to better understand how it can be protected.
2. Establish an acceptable usage policy: This involves creating a framework of policies that guide how PII is accessed. One of its key benefits is serving as a starting point for enacting technology-based controls to enforce proper PII usage and access.
3. Create the right identity access and privilege model: Enforcing usage rights and access controls with identity access management. Establish least-privilege models so users only access the data they need at a given moment.
4. Implement robust encryption: Deploy strong encryption algorithms to protect PII at all times.
5. Delete PII you no longer need: Ensure you don’t store PII you no longer need because it can pose compliance and vulnerability risks. Therefore, create a system for safely destroying old records without accidentally destroying viable ones.
6. Create training procedures and policies for handling sensitive PII: Use training and policies to emphasize how various types of PII should be stored and protected.

How to Safeguard and Enforce PII Compliance

One of the first points of order to safeguard PII is to understand where it is located. Once a business knows where its PII resides, it can subsequently embark on the necessary mechanisms to prevent its unauthorized disclosure. 

Data discovery is the process of identifying and locating sensitive data such as PII to ensure it’s secure and protected.

PII Data Discovery

In today’s vast digital landscape, awareness of where your data resides is a tall order. Data discovery, knowing where your data is located, especially with regards to sensitive data, is an integral part of establishing an effective PII security plan.

The process of PII discovery is important in safeguarding PII because it helps to avoid missing out on data, especially in large enterprises that typically have vast amounts of it. Moreover, PII discovery helps to locate and discover newly generated data that hasn’t yet been classified. 

Although data discovery often involves navigating the data visually, it also uses analytical methods to detect patterns and outliers. The latter is highly recommended to avoid overlooking newer or unclassified data. 

How Data Protection Regulation Is Impacting PII Security

The need to secure PII is a critical data protection function. The avalanche and increased frequency of data breaches over the years compelled government agencies around the world to enact regulations to control the use and storage of PII. 

Research from Gartner anticipates that by 2023, PII data legislation will cover over 65% of the world’s population. These data protection laws are designed to minimize the incidence of data breaches and the class action lawsuits they precipitate by regulating the privacy of personal, healthcare, and financial data. 

Businesses in various jurisdictions are now compelled to uphold a myriad of data protection laws, such as the Health Insurance Portability and Accountability Act (HIPAA), New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR).

Hence, PII compliance often involves a complex network of regulations all over the world. The most consequential for PII is GDPR. 

The Far-Reaching Impact of GDPR on PII Security and Compliance

GDPR is wide-reaching and impacts any company worldwide that processes or stores the personal data of European Union residents. Therefore, GDPR regulation applies to any website that attracts European visitors, even if they aren’t specifically marketing their goods and services to EU residents. 

GDPR is currently one of the most burdensome privacy regulations for businesses. One of its major highlights is that it shifts the balance of power to the consumer by granting them more rights regarding how companies use their data. The GDPR regulation has become a game changer, both for consumers and especially for technological companies operating globally.

Here are some highlights of GDPR legislation:

• It grants users more control over their personal data.
• It is applicable to companies based outside the European Union, as long as they provide goods and/or services to EU customers.
• It provides easy withdrawal of consent for the consumer at any point in time.
• Consumers are allowed to know their precise data points being stored and how the collecting company is using them.
• Data portability is made possible, so users can export their data and move it to another provider.
• Any data breach that occurs must be reported to the relevant authorities within 72 hours of the organization’s knowledge of the incident.
• Users are required to be informed of the data breach without any undue delay.
• Heavy fines are imposed for noncompliance and data breaches—as much as 4% of the company’s annual revenue!

GDPR is one of the laws that has strengthened PII security and compliance on a global scale. However, its impact on global data security standards means that an organization’s security team not only has to ensure PII is protected, but also that they strictly adhere to reporting processes. 

Moreover, the impact of GDPR cuts across all verticals, so it doesn’t matter what business you are operating in, whether you’re a hospital, social media company, or financial institution. 

Digital Guardian Secure Collaboration Is Equipped to Help Strengthen Your PII Security and Compliance

PII data protection should be paramount in the minds of every organization. Weakness in this area could be difficult to recover from. 

Moreover, laxity with PII protection sends the message to customers that you cannot be trusted with their privacy. Hence, the erosion of customer loyalty and trust. In addition, business partners will grow wary of your ability to handle confidential information. 

Since safeguarding and regulating PII will remain a dominant issue for businesses and governments for years to come, it behooves organizations to partner with those with extensive expertise in this area. 

Our Secure Collaboration functionality is at the top of the game when it comes to transitioning from a perimeter security to a borderless landscape. This migration is important because, with the acceleration of remote work, mobile devices, and cloud-based systems, there’s no longer a clearly defined security zone to protect. 

These are the specialized ways the product will help protect your sensitive data such as PII, whether it’s in transit or at rest:

• IRM over DRM and DLP: While others are still twiddling with cumbersome solutions that fixate on locking down data, the product is busy pioneering data-centric security with IRM that travels with data wherever it goes.
• Data classification: Tagging and differentiating nonsensitive data from PII requires reliable data identification. Through Fortra's Data Classification Suite, the product provides best-of-breed data classification customized for your business.
• Comprehensive audit logs: Our audit trail logs provide a detailed account of where files containing PII have been and who has accessed them. These logs also provide evidence you are maintaining regulatory compliance. 

To learn more about protecting and securing PII, read our e-book, the Definitive Guide to Protecting Sensitive Healthcare Data.