Personally identifiable information (PII) is data which can be used to identify, locate, or contact an individual and includes information like name, date of birth, place of residence, credit card information, phone number, race, gender, criminal record, age, and medical records. Every organization stores and uses PII, be it information on their employees or customers. Even schools and universities will store the PII of their students, while hospitals will store patient data.
* IDENTIFY THE PII YOUR COMPANY STORES
Start by identifying all the PII your company stores or uses. If you are a software vendor, you might have customer bank details and login information you need to protect. Government agencies will store PII like social security numbers, addresses, passport details, and license numbers. Once you have identified all the PII data your company stores, you can start to implement a number of measures to secure this data.
* FIND ALL THE PLACES PII IS STORED
The PII your company stores may live in a range of different locations like file servers, cloud services, employee laptops, portals, and more. A useful first step here is to think about the three states of the data your company stores:
Data in use: The data employees use to do their jobs. This data is typically stored in a non-persistent digital state like RAM.
Data at rest: This is the data stored or archived in locations like hard drives, databases, laptops, SharePoint, and web servers.
Data in motion: This is the data which is transitioning from one location to another. An example would be data moving from a local storage device to a cloud server or moving between employees and business partners via email.
You need to consider all three data states as you develop your PII protection plan. Thinking about your company’s data in all of its different states will help you determine where the PII lives, how it is used, and the various systems you need to protect.
* CLASSIFY PII IN TERMS OF SENSITIVITY
If you haven’t done it already, you need to create a data classification policy to sort your PII data based on sensitivity. This is a vital part of PII protection. As you prioritize your PII, you should consider the following factors:
1. Identifiable: How unique is the PII data? If a single record can identify an individual by itself, it is a sign that the data is highly sensitive.
2. Combined data: Try to identify two or more pieces of data that, when combined, can identify a unique individual.
3. Storage: As outlined in steps 1 and 2 above, you need to discover where your PII is stored and how it is used. In addition to those steps, you should assess how many people access the PII data you store and how frequently it is transmitted over networks.
4. Compliance: Depending on the type of organization you work for and the industry you operate in, there will be various regulations and standards for PII. These regulations will also help you prioritize your sensitive data. The regulations you may be subject to include the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), HIPAA and HITECH Act (US), and the Criminal Justice and Immigration Act (UK).
Having weighed up the above factors, you will be ready to classify PII based on sensitivity. At a minimum you should create three levels of data classification:
Restricted: Highly sensitive PII which could cause significant damage if it gets into the wrong hands. Access to this data is strictly on a need-to-know basis.
Private: Not as sensitive as restricted data but would still cause a moderate level of damage to the company or individuals if it were compromised. Access to this data is only provided to the users who interact with this data as part of their role.
Public: Non-sensitive, low-risk data with little or no access restrictions in place.
There are many benefits to classifying the PII your company stores, such as maintaining compliance, but data classification can also help an organization to organize their data and help employees find the information they need to do their jobs. Finally, in the event of a security breach, data classification can guide your incident response team by informing them about the level of information which was compromised.
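The classification step above can be sketched as code. This is an added example, not part of the original article: it scans text records for identifiers and assigns one of the three levels, treating a single direct identifier as Restricted and two or more combinable fields as Private. The regex patterns, the level mapping, and the sample records are assumptions made for illustration.

```python
import re

# Detector patterns and the level mapping are illustrative assumptions.
DIRECT = {  # factor 1: one value identifies a person by itself
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
QUASI = {  # factor 2: identifying only when combined
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "zip": re.compile(r"\b\d{5}\b"),
    "gender": re.compile(r"\b(?:male|female)\b", re.I),
}

def luhn_ok(digits):
    """Card checksum; filters out order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(record):
    """Return (level, matched identifier kinds) for one text record."""
    direct = []
    for name, rx in DIRECT.items():
        for m in rx.finditer(record):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run that fails the checksum: not a card
            direct.append(name)
            break
    quasi = [name for name, rx in QUASI.items() if rx.search(record)]
    if direct:
        return "Restricted", direct + quasi
    if len(quasi) >= 2:  # combined data escalates the level
        return "Private", quasi
    return "Public", quasi

# Constructed sample records, not real data.
SAMPLES = [
    "ticket 4821: card 4111 1111 1111 1111 declined",
    "dob=1984-03-12, zip=94107, gender=female",
    "zip=94107 order shipped",
    "tracking 1234 5678 9012 3456",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec), "<-", rec)
```

The last sample shows why the checksum matters: a 16-digit tracking number looks like a card number to the regex but is not escalated to Restricted.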
* DELETE OLD PII YOU NO LONGER NEED
You should delete any older, unnecessary PII to make it inaccessible to any potential attackers. Be sure to delete PII securely, and be diligent about deleting old files from your data backups in case any PII is stored there.
* ENCRYPT PII
Encrypting your PII at rest and in transit is a non-negotiable component of PII protection. Use strong encryption and key management, and always make sure that PII is encrypted before it is shared over an untrusted network or uploaded to the cloud. You will need the right set of technical controls in place to ensure that PII is encrypted; however, there are many tools today that can automate the encryption process based on data classification.
* CREATE A STANDARDIZED PROCEDURE FOR DEPARTING EMPLOYEES
Threats to your company’s PII can be both internal and external. One of the most common internal threats is that of the disgruntled departing employee. Even when a departure is amicable, employees may be tempted to take some valuable PII (or other sensitive data) out the door with them. Some best practices here include:
Remove access: Upon departure, delete all of the employee's user accounts and remove their access to the various enterprise systems they would have used.
Legal reminder: You may want to send a reminder to departing employees about their legal responsibilities around PII and other sensitive data.
Confidentiality agreement: Share a copy of a signed confidentiality agreement which covers PII and sensitive data.
* ESTABLISH AN EASY WAY FOR EMPLOYEES TO REPORT SUSPICIOUS BEHAVIOR
You should make it easy for employees to report suspicious or risky behavior to management. For instance, an employee might start taking company devices or materials home with them even if it goes against the acceptable use policy (AUP) and could potentially put PII in danger of being compromised. One of the best ways you can police this type of event is to establish an easy way for employees to report this potentially harmful behavior. Other triggers employees should watch out for include colleagues taking an interest in data and activities outside the scope of their job description or accessing the network or sensitive resources at odd hours of the night.