According to a recent report on data breaches in the U.S., the personally identifiable information (PII) of consumers remains the top target of cybercriminals. A whopping 97 percent of all breaches in 2018 involved the exposure of PII. Almost half (48 percent) of breaches affected the healthcare sector, while the cost of breaches in the financial sector jumped from $8 million in Q1 2018 to $6.2 billion in Q1 2019.
The increased exposure of PII comes despite a 12.4 percent increase in spending on security products and services. Clearly, technology alone is not enough. Understanding what PII is and where it is exposed is critical to preventing costly data breaches.
PII is data that can be used to identify an individual, either by itself or when combined with other data. For example, a person’s date of birth and Social Security number, the most frequently compromised types of PII in the data breach report, can be used to identify someone. A person’s first or last name, location, gender and medical records are examples of data that can be used to identify someone when combined with other data.
Which data counts as sensitive varies by context, as do the data protection requirements, which depend on the industry. In healthcare, where data breaches are a major problem, HIPAA (Health Insurance Portability and Accountability Act) regulations focus on protected health information (PHI), which refers to medical records that are considered PII. Any organization that accepts credit card payments or handles cardholder data must comply with PCI (Payment Card Industry) regulations for isolating and protecting that data.
Many analysts believe the General Data Protection Regulation (GDPR) represents the future model for the protection of PII. The GDPR gives European Union citizens unprecedented control of their data while implementing stricter requirements and penalties for organizations that handle that data. The State of California has already enacted similar rules to protect PII, and more states are following suit.
Although organizations are investing in security technology, one major challenge is that employees often have customer PII on their devices and in their inboxes. For example, when employees fall for an email phishing scam or their credentials are stolen or compromised, any PII those users can access can easily fall into the wrong hands. Users need to be trained on the importance of protecting PII by not storing it locally.
Centralized control of PII is critical for security and compliance purposes, but too many organizations are doing a terrible job of managing PII. When you have outdated technology and fail to update software, or you’re simply unaware of how sensitive data is being protected, the risk of PII exposure increases dramatically. For example, investigations into a recent data breach that affected more than 1.4 million Maryland students discovered servers using versions of software from 2015, as well as computer programs from 2008.
More and more PII is being generated, transmitted and stored every day. More and more of that data is being exposed, resulting in major losses for the victim organization and major headaches for those whose data is compromised. Let us help you improve your data management strategy, develop or enhance user training programs, and assess the state of your security technology to keep your sensitive data safe.