How Organizations Can Protect Personally Identifiable Information (PII)
Every organization stores and uses personally identifiable information (PII), whether about its employees or its customers. As enterprises collect, process, and store PII, they also inherit responsibility for protecting it. Doing so helps shield individuals from identity fraud and protects your company’s reputation.
PII can be compromised in many ways. Digital records can be stolen by attackers, and physical files are exposed if they are not properly secured. Without safeguards and a PII protection policy, organizations and their customers are at risk of identity theft. In 2020, identity theft was the most common consequence of a data breach, occurring 65% of the time.
So, what can organizations do to make sure all of this PII is protected? Here, we’ll take a closer look at what information is considered PII and the steps your business can take to protect it.
What is PII?
With the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) setting the standard for personal data and privacy regulation, it is important to note that not all personal information is treated the same way. The requirements for collecting, storing, and securing information change depending on how a given data type is defined under regulations such as GDPR and CCPA.
Two commonly confused terms in this space are personally identifiable information (PII) and personal data. PII is any information that can be used to distinguish or trace one individual’s identity. Personal data, the GDPR’s term, is broader: any information relating to an identified or identifiable living individual, whether or not that information identifies the person on its own.
Types of PII
Traditionally, PII included contact information, location data, or identification information like Social Security Numbers and birth dates. The definition has expanded to include digital information such as IP addresses and login IDs.
While protecting PII as an organization has always been challenging, this broadened definition creates even more things to consider when determining how to protect PII.
According to NIST SP 800-122 (Guide to Protecting the Confidentiality of PII), the following information types qualify as PII because they can be used to identify a person:
- Social Security Number (SSN), passport number, driver’s license number, financial account number, credit card number, or any other personal identification number
- Street or email address
- Phone number
- IP addresses
- Any other unique identifier linked to a person, such as a login ID or device identifier
Best Practices for Protecting PII
Once you have a firm understanding of what PII is, you can work through the following PII compliance checklist to help protect your employees’ and customers’ information:
1. Discover Where PII is Collected and Stored
The first step in protecting PII is a data discovery or data mapping exercise. Identify your most sensitive assets, whether those are employee records, intellectual property, or customer data, and find every place they are collected, stored, and transmitted.
This exercise lets you locate PII within your network and other environments, including cloud services, backups, and third-party processors, and see where it travels through your organization. Once you have mapped the data flow, you will have a clearer picture of where PII resides and which systems should be isolated from the rest of your environment.
Some questions you may want to ask during your discovery are:
- What is the most critical information that we need to protect? Customer data? Intellectual property? Employee records?
- Where is PII located within your network and other environments?
- What security measures are being taken when this data is collected?
2. Identify PII Compliance Regulations
Most industries are subject to laws and regulations that govern how PII is collected, stored, handled, and transmitted.
With a deeper understanding of these regulations, you will be more likely to ensure proper data protection and mitigate PII risk.
Examples of U.S. federal statutes protecting PII include:
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- The Family Educational Rights and Privacy Act (FERPA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Privacy Act of 1974
3. Conduct a PII Risk Assessment
A risk assessment is the most direct way to identify vulnerabilities and gaps in your data security strategy.
What you uncover in this step shapes the expectations for your data protection plan, identifies likely threats, and points to ways of minimizing their impact should they occur.
Here are a few things to consider during your assessment:
- Who could be harmed, and how?
- Which PII is regulated, and what is currently being done to ensure compliance?
- For unregulated PII, are there reputational, security, or operational risks?
- Rank the threats by risk magnitude, the combination of likelihood and consequence.
- Record your findings in a comprehensive list.
4. Safely Store and Destroy Unnecessary PII
Another effective way to protect PII is to minimize the amount you hold: data you never collected, or have already destroyed, cannot be breached.
Collect only what is strictly necessary, and keep hard copies and electronic records in a highly secure location, such as a records storage facility with strong physical and access controls. Properly destroy physical and digital records and retired electronics when they are no longer needed: deleting a file or formatting a drive does not remove the data, and discarded devices are a common source of recoverable PII. Follow a media sanitization standard such as NIST SP 800-88 (cryptographic erase or physical destruction for flash media, where overwriting is unreliable) and keep a record of what was destroyed and when.
Records you should consider destroying include:
- Data on customers you no longer do business with
- Outdated employee records
- PII left on unused or retired devices
5. Classify Your PII in Terms of Sensitivity
Once you know what PII is being collected and stored, create a data classification policy to sort it based on sensitivity. This is an integral part of PII protection.
Here are the tiers to consider when classifying your PII:
- Restricted: Highly sensitive PII that can cause significant damage if it falls into the wrong hands. Data access is strictly controlled on a “need-to-know” basis.
- Private: Not as sensitive as restricted data, but its compromise can cause moderate damage to individuals or the company. Only users who handle this data as part of their role should have access to it.
- Public: Non-sensitive, low-risk data with little or no access restrictions in place.
6. Create Safeguards for PII Protection
Not all PII requires the same level of protection. For example, a public directory lists phone numbers with the individuals’ permission, so protecting it is less critical. Companies therefore need a range of safeguards matched to the different risk levels.
A few methods to protect PII include:
- Creating policies and procedures – Organizations should have policies for collecting, using, retaining, disclosing, and destroying PII adopted entity-wide and communicated to employees.
- Encryption – Encrypting PII at rest and in transit, with keys stored and managed separately from the data, protects it from both internal and external threats and reassures customers when you request their most sensitive data.
- Training – Training staff on proper security practices goes a long way toward preventing breaches. One careless employee can send PII to unauthorized recipients, but the responsibility for protecting it ultimately rests with the organization. Train employees continually on both technology changes and new, evolving threats.
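The encryption safeguard above and the destruction step in section 4 meet in one design: encrypt each record's sensitive fields under a per-record data key held apart from the data, and retire a record by destroying its key ("crypto-shredding"), which makes every copy of the ciphertext, including those in backups, unreadable without touching the storage media. The following is an added example written for this page, not code from Vital Records Control; the in-memory key vault, the record and field names, and the sample SSN are assumptions (a real deployment would hold the keys in a KMS or HSM and log each shred).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault holds one 256-bit AES key per record. This in-memory map is an
// assumed stand-in for a KMS/HSM; the point is that keys live apart from data.
type Vault struct {
	keys map[string][]byte // recordID -> data key
}

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// keyFor returns the record's data key, generating one on first use.
func (v *Vault) keyFor(recordID string) ([]byte, error) {
	if k, ok := v.keys[recordID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[recordID] = k
	return k, nil
}

// Shred destroys the record's key. Every field sealed under it, wherever a
// copy of the ciphertext survives, is now unrecoverable.
func (v *Vault) Shred(recordID string) { delete(v.keys, recordID) }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII field with AES-256-GCM. Record ID and field name
// are bound as associated data, so a ciphertext copied into another row or
// column fails to decrypt instead of silently yielding someone else's data.
func (v *Vault) EncryptField(recordID, field, plaintext string) (string, error) {
	key, err := v.keyFor(recordID)
	if err != nil {
		return "", err
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random 96-bit nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ad := []byte(recordID + ":" + field)
	ct := g.Seal(nonce, nonce, []byte(plaintext), ad) // nonce || ciphertext || tag
	return hex.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField. It fails if the key was shredded, the
// ciphertext was altered, or it was moved to a different record or field.
func (v *Vault) DecryptField(recordID, field, encoded string) (string, error) {
	key, ok := v.keys[recordID]
	if !ok {
		return "", errors.New("key shredded or unknown record")
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) < g.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:g.NonceSize()], ct[g.NonceSize():]
	pt, err := g.Open(nil, nonce, body, []byte(recordID+":"+field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	v := NewVault()
	ct, _ := v.EncryptField("cust-1001", "ssn", "123-45-6789") // constructed sample value
	pt, err := v.DecryptField("cust-1001", "ssn", ct)
	fmt.Println("round trip:", pt, err)
	_, err = v.DecryptField("cust-1001", "phone", ct) // same key, wrong field
	fmt.Println("moved to another field:", err)
	v.Shred("cust-1001")
	_, err = v.DecryptField("cust-1001", "ssn", ct)
	fmt.Println("after shred:", err)
}
```

Two design points matter here. Binding the record and field name as associated data defeats an insider who can read and write the database but not the key store: swapping ciphertexts between rows no longer works. Per-record keys keep the number of messages under any one GCM key small, which is what makes random 96-bit nonces safe, and they are what make shredding selective; with a single database-wide key you could only ever destroy everything at once.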
7. Data Privacy Program and Policy Review
With the rollout of enhanced data privacy laws, your policies may need a review; schedule regular time to update your framework for protecting PII.
Audits are time-consuming, but they maximize the effectiveness of controls and expose weaknesses.
Here are a few things to consider during your policy review:
- Are all of our controls practical and effective?
- Are there any lessons from recent risk events, including near-misses, changes, trends, successes, and failures that we should consider?
- Have the external or internal risk criteria changed?
- What emerging threats do we need to be aware of?
Outsourcing Your Data Protection
When it comes to PII protection, the best defense is a good offense. Make safeguarding your confidential information a priority by working with an expert to protect your employees, customers, and business for the long term.
At Vital Records Control, we understand the importance of protecting your critical assets. That’s why we’ve designed a suite of high-quality solutions to keep your organization’s sensitive information secure, from physical document storage, cloud-based document storage to secure destruction. Learn more about Vital Records Control’s commitment to protecting the information assets that matter to you the most.