Personally identifiable information (PII) is the holy grail when it comes to cybercrime. Hackers know that PII can be sold easily on the dark web or used to commit identity theft. Healthcare and tax-related information is particularly valuable as it enables criminals to commit fraud over a long period with a low risk of getting caught.
While many organizations have invested in security technology to reduce the risk of PII exposure, no technology will prevent every data breach. However, organizations can significantly improve their security posture by taking the time to understand PII and re-evaluate how this sensitive data is managed and protected.
What Is PII?
PII refers to any information that directly or indirectly distinguishes a person’s identity, either by itself or when combined with other data that is linked to the person. For example, if someone has your full name, home address, Social Security number, or driver’s license number, they can identify you. Combinations of data such as date of birth, physical location and gender can be used to identify a person indirectly.
PII can also include information associated with financial, credit card or healthcare accounts, and data that is commonly used to secure those accounts. Biometric data, mother’s maiden name, and place of birth are often considered to be PII.
Why Is Protecting PII Important?
Organizations must protect PII to uphold the privacy rights of customers, employees and partners. If PII is stolen or compromised, organizations can lose customer confidence, damage their reputation, and face legal action.
Many government and industry regulations also require PII protection. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities maintain the privacy of protected health information (PHI), which not only includes PII but also a patient’s medical records. Similarly, any organization that handles payment card data must protect that data according to Payment Card Industry (PCI) Data Security Standard (DSS) requirements.
The European Union (EU) General Data Protection Regulation (GDPR) and California Consumer Privacy Act give consumers extensive control over their data. Any organization that handles the data of EU citizens or California residents must have the right technology, procedures and personnel to protect that data or face major fines for violations.
Challenges Associated with Protecting PII
The sheer volume of data and growing number of places it can be stored and processed have made it difficult to protect PII. Data is often scattered throughout the organization, stored in on-premises applications and file shares, cloud-based platforms and even individual users’ devices. In many cases, organizations don’t know what PII they have or where it’s located.
Another problem is poor data management practices. Many organizations lack clear policies defining what types of data can be collected, how PII is handled and who is permitted to access it. This increases the risk that users will share PII with unauthorized individuals and store it in a way that puts it at risk of exposure.
PII Protection and Compliance Checklist
Protecting PII requires a multipronged approach involving people, policies and technology. Following are some tips for securing sensitive information and complying with government and industry regulations.
- Determine what PII you have and where it’s stored. This could include customer databases, HR systems and financial applications, both on-premises and in the cloud. It’s also important to determine if PII is stored on individual users’ devices or file-sharing platforms.
- Set policies for PII collection, storage, access and use, and review and update them regularly. Policies should reflect the type of data and the organization’s legal and regulatory obligations. Limiting the amount of PII that’s collected and establishing procedures for disposing of data when it’s no longer needed can help reduce risk.
- Implement robust security controls. These controls should not only protect data from unauthorized access and external attacks but also reduce the risk of accidental disclosure. Data classification and data loss prevention tools can prevent users from storing, downloading and sharing data in a way that violates company policy.
- Provide security awareness training. Training programs should include discussions of privacy policies and procedures and the importance of protecting PII. Proper training can help minimize data loss and exposure due to human error.
- Monitor for compliance with applicable regulations. Regular monitoring helps ensure continued compliance with government and industry regulations and identify potential gaps and risks.
Next Steps
According to Flashpoint’s 2024 Global Threat Intelligence Report, the number of reported data breach incidents increased 34.5 percent in 2023, with more than 17 billion PII records compromised. Organizations need to do better, not just by investing in technology but by improving data management and user training. Let us help you improve your data governance strategy and develop a security training program that reduces the risk of PII exposure.