Security experts must protect personally identifiable information (PII). PII is any data, such as Social Security numbers, birth dates, addresses, and financial account numbers, that threat actors can use to identify a person, steal their identity, or take their money. The same data can also be used to shame or embarrass someone.
Over the years, both national and state governments have become increasingly concerned about PII. Governments have put in place sanctions intended to stop digital attackers from stealing PII and tracing an individual's identity. These sanctions can also lead to severe fines for business entities that fail to protect the data of their employees and customers.
How can companies ensure that employees are protected? Why should you bother?
Requirements for Governmental PII Data Protection
At the state level, California recently adopted the California Consumer Privacy Act (CCPA). It lists several rights that California consumers have in regard to their personal data, including the right to receive information about a company's collection or sale of their PII and the right to opt out of having their personally identifiable data collected by companies.
The General Data Protection Regulation (GDPR) governs how companies operating in Europe handle the personal data of European Union citizens. The GDPR sets out how companies must protect and process that data and how they must notify individuals about its use, covering collection, storage, and transfer.
Read more at https://www.verygoodsecurity.com/use-cases/pii
Five Steps to Protect PII
Attackers can steal the PII a company stores and use it to commit identity theft, fraud, and other social engineering attacks.
The Federal Trade Commission (FTC) proposes five steps to protect the personal information your company holds.
1. Take stock
To find out where PII is stored, your company should inventory all desktop computers, laptops, mobile devices, flash drives and disks, home computers, digital copiers, and other equipment. You can trace the flow of PII through your company by consulting the IT department, sales staff, the human resources office, accounting personnel, and other service providers.
These questions should be answered:
Who sends PII?
How does your business receive PII?
Which types of PII are you collecting at each entry point?
Where is all of your PII kept?
Who has the right to access that PII?
Different types of PII pose different risks. You should be careful about how your company keeps the most sensitive PII such as Social Security numbers and credit card numbers.
2. Scale Down
Your company should keep only the PII necessary for your business, and only for as long as you require it. Social Security numbers and credit card numbers should be used only for legally required purposes. The company's mobile app must have access only to the data it requires to operate. When granting access to PII, follow the principle of least privilege. Create a written retention policy for PII: it records what PII you need to keep, how you protect it, how long it is kept, and how you dispose of it.
3. Lock it
Protect your PII. Protecting PII covers physical security, electronic security, employee training, and the security practices of contractors and service providers. Store files containing PII in locked cabinets. Require employees to secure the files they are working on. Implement strict building access controls and secure any PII stored off-site.
Follow best practices when protecting PII. Use strong network security and require strong authentication to access PII. Ensure that laptops handling PII are protected. Secure remote and wireless access for employees with strong firewalls. Protect digital copiers and all connected devices with intrusion detection and prevention systems.
4. Pitch It
Dispose of any PII that your company no longer needs for business purposes. Paper records should be shredded, burned, or pulverized. Wipe utilities can be used to erase PII from computers and portable storage devices. Ensure that remote employees follow the same PII destruction processes as in-office staff.
5. Plan Ahead
Prepare a response plan for attacks in advance. Disconnect a compromised computer from your network as soon as it is found to be under attack. Investigate incidents immediately and close any gaps they expose. If you are the victim of a PII breach, have a list of the parties you need to contact ready. These may include the media, law enforcement, credit bureaus, and regulatory agencies, as well as the victims themselves. Training employees in privacy and PII awareness helps keep PII at the forefront of their minds.
Onboarding of Contractors and Employees
New hires should undergo background checks and sign confidentiality agreements. Determine which PII each of them will be handling, and make sure they can no longer access PII when they leave the company. Regular awareness training is necessary to help employees recognize threats such as phishing email, and employees should be familiar with safe PII handling procedures.
Before you hire contractors or service providers, investigate their security practices. Put your security expectations in writing in the contract, and require third parties to notify you of any breaches or other incidents.
Cost of Stolen Personally Identifiable Data
Inadequate security of PII can lead to phishing and other attacks, regulatory fines, and loss of customer loyalty and trust.
According to the 2020 Cost of a Data Breach Report, the global average cost of a data breach is $3.86 million; in the United States, that figure rises to $8.64 million. The report found that customer PII had the highest per-record cost at $150, and that the health care industry had the highest average breach cost at $7.13 million. It took 280 days, on average, to identify and contain a breach.
While threat actors were responsible for more than half the data breaches, only 13% of malicious breaches occurred due to nation-state actors. 19% of malicious attacks were caused by compromised credentials or poorly configured clouds.
The FTC and the U.S. Department of Health and Human Services (HHS) have increased their penalties for companies that fail to protect sensitive data. A credit rating agency was fined $575 million by the FTC for a data breach that exposed the PII and other sensitive financial information of 147 million individuals.
Since the HIPAA Privacy Rule took effect in 2003, HHS has issued more than $128 million in fines to organizations responsible for protecting PHI. HHS recently fined a HIPAA-covered health insurer $1 million for three data breaches involving health-related personal data.
Companies must implement a top-down plan to protect PII. This prevents costly data breaches that can lead to lawsuits, reputational damage, and large fines.