The Importance of Security and Compliance for Personally Identifiable Information
Securing Personally Identifiable Information (PII) is a critical data protection task. The “perfect storm” of laws regulating privacy of personal, financial, and healthcare data by numerous countries, greater frequency of PII data breaches, class action lawsuits, and increased use of collaboration sites as unstructured data repositories make securing this sensitive information a top priority.
PII data can take many forms, including national identity numbers, driver's license numbers, personal financial information, personal health data, credit card data, and numerous other information types relating to individuals. Understanding where this information resides and preventing unauthorised disclosure of PII data are steps every business needs to complete.
PII Data Protection
The first thing everyone should know is that PII is an extremely attractive target for all kinds of attackers, since this data can be sold on the black market for a lot of money and later used for a variety of criminal activities, from basic fraud to identity theft and more. Losing your own company's PII is also seen as a sign of weakness from a customer's perspective and more often than not results in heavy losses of customer loyalty and trust.
PII data protection is a task that may differ considerably depending on business type and other factors, but there are several general pieces of advice about PII protection.
The first step is general information gathering. Find out what types of PII exist within your company. The end result of this step will be different for every organisation: one company works with login information, another keeps passport or social security numbers, and so on. Once this step is complete, the process of implementing PII data security measures can begin.
After identifying specific PII types, it is highly recommended to develop and implement a data classification policy. That way you'll know which data is the most sensitive and requires more protection effort. The most common classification criteria are the following:
- Identification – can this specific piece of data identify a person?
- Data combination – can several pieces of data, taken together, identify a person?
- Accessibility – how often is this data accessed and by whom?
- PII Data Compliance – what PII is most important according to your local standards and regulations (e.g. GDPR, PCI DSS, HIPAA)?
These are some of the more general questions which should be asked when it comes to data classification. Based on those questions, you'll begin forming your own PII scanning policy. The amount of detail may vary, but it is strongly recommended to create at least three separate levels – public, private (internal) and restricted.
As the name suggests, public information carries a low level of privacy risk and has little to no restrictions in place. Private or internal information is the "middle ground" – something that can potentially cause moderate damage to the company or specific individuals if it is leaked or lost; access to this kind of data is restricted to those who work with it as part of their daily job. Restricted information has the highest potential threat level, with the ability to cause devastating damage to a person or a company if it goes public, so for that reason this type of data is shared strictly on a need-to-know basis.
PII Discovery and Data Classification
When it comes to PII discovery, the process itself might be tougher than you’d expect, especially if we’re talking about large enterprises with vast amounts of data. That’s where the entire process of finding sensitive data begins.
PII discovery (or data discovery) is a process that detects patterns and outliers by applying various analytical methods or by navigating the data in question visually. It is highly recommended to perform data discovery regularly to avoid missing newer data that has not been discovered or classified yet; this solves a lot of problems with regard to compliance and security efforts.
But finding the location of sensitive data is just one part of the process. The next step, as discussed above, is PII data classification. Generally speaking, data classification is an integral part of the identification process that allows organisations to identify the value of individual parts of their data and apply varying degrees of security effort based on the importance of the data in question. At the same time, successful PII data classification efforts are known to make general data handling easier for everyone in the organisation.
That being said, manual data discovery and data classification efforts are often ineffective and generally not recommended for a number of reasons, the main ones being the human error probability and the limited scalability of manual approaches to discovery and classification.
That's why there are solutions like cp.Discover from Cipherpoint. It can work from pre-configured settings to find various PII types, and you can always create custom settings for sensitive data types specific to your organisation.
The general pillars of cp.Discover are metadata discovery, pre-filtering, content discovery and classification.
- Metadata discovery – lists file properties such as file owner, file type, file size, etc.
- Pre-filtering – uses the output of the metadata scan to filter out files we are not interested in.
- Content discovery – performs various techniques such as OCR, decompression, etc. to extract text from files.
- Data classification – once readable text has been extracted, runs the classification process against that text. Classification can be a combination of machine learning, regex or keywords.
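The four pillars above, together with the three-level public/internal/restricted scheme from the classification section, as an added example that is not Cipherpoint's or cp.Discover's code: a minimal Python pipeline over constructed in-memory files, using a Luhn checksum so that arbitrary digit runs are not reported as card numbers. The file names, size cut-off, extractable types, regexes and keyword list are all assumptions.

```python
import re
# Constructed in-memory "files" (name, owner, size in bytes, content); not real data.
FILES = [
    ("notes.txt", "alice", 120, b"Meeting at 10. Bring the slides."),
    ("customers.csv", "bob", 340,
     b"name,email,card\nJane Doe,jane@example.com,4111 1111 1111 1111\n"),
    ("backup.iso", "svc", 5_000_000_000, b""),    # too large: pre-filtered out
    ("logo.png", "alice", 2048, b"\x89PNG\r\n"),  # binary type: pre-filtered out
    ("hr/contract.txt", "carol", 500, b"Passport number: X1234567. Employee id 42."),
]
TEXT_TYPES = {"txt", "csv", "md"}  # assumed extractable types
MAX_SIZE = 10_000_000              # assumed size cut-off for content scanning
def metadata(files):
    """Pillar 1: metadata discovery - record owner, type and size per file."""
    return [{"name": n, "owner": o, "size": s, "type": n.rsplit(".", 1)[-1], "data": d}
            for n, o, s, d in files]

def prefilter(items):
    """Pillar 2: drop files we cannot or need not open, using metadata only."""
    return [f for f in items if f["type"] in TEXT_TYPES and f["size"] <= MAX_SIZE]

def extract_text(item):
    """Pillar 3: content discovery; real tools add OCR, decompression, etc."""
    return item["data"].decode("utf-8", errors="replace")

def luhn_ok(digits):
    """Checksum that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")
KEYWORDS = {"passport": "passport", "ssn": "social security"}

def classify(text):
    """Pillar 4: regex + keyword classification mapped to public/internal/restricted."""
    findings = {"email"} if EMAIL.search(text) else set()
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.add("card")
    findings |= {label for label, kw in KEYWORDS.items() if kw in text.lower()}
    if findings & {"card", "passport", "ssn"}:
        return "restricted", findings
    return ("internal" if findings else "public"), findings

def scan(files):
    """Run the whole pipeline; returns {filename: (level, findings)}."""
    return {f["name"]: classify(extract_text(f)) for f in prefilter(metadata(files))}
```

The pre-filter step means the two non-text files are never opened, which is what keeps content scanning affordable at enterprise scale.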
On the topic of compliance, there are many different laws and regulations with different PII compliance guidelines, which may vary with your physical location, your line of business, and so on. The most widely known ones are GDPR, GLBA, PCI DSS, HIPAA and Aus-NBD.
- GDPR. The General Data Protection Regulation is a European Union regulation that focuses on data protection and privacy within the EU and EEA (European Economic Area). The same regulation also addresses the transfer of PII outside of the EU and EEA. GDPR addresses a wide range of possible issues, mainly data breaches, by regulating the lawful handling and cyber security of data inside the EU to prevent exploitation and/or misuse, all with proper respect for the data subjects (this set of PII regulations includes notifying everyone affected by a possible breach within a strict timeline). The fines for breaching these PII compliance requirements are among the highest in the world, going up to 20 million euros or four percent of worldwide turnover (whichever is higher).
A good example of a notable PII data breach is the one that happened on the UN's servers via the SharePoint vulnerability CVE-2019-0604. You can learn more about this PII breach and its consequences here.
- GLBA. The Gramm-Leach-Bliley Act, otherwise known as the Financial Modernization Act in the US, has as its main purpose regulating the way that financial institutions protect and/or share private information about their customers. PII compliance requirements under GLBA typically mean that financial institutions have to communicate with their customers about the ways their sensitive data is used and to inform those customers of their ability to opt out of sharing such data with third parties. Financial institutions are also required to have working PII compliance standards internally, as well as general tracking of everyone who gains access to sensitive data within the institution's internal systems.
- PCI DSS. The Payment Card Industry Data Security Standard specifies the information security standards for companies that work with credit card information. Often called PCI, this collection of PII security standards ensures that all companies that work with credit card data in any way (accepting, processing, storing, etc.) maintain a certain level of cyber security within their environment. The regulation contains many details about PII information security and what it entails, including firewalls, data encryption, anti-virus software, regular updates, access restrictions to card data on a need-to-know basis (including physical access), logging, vulnerability scans, and so on.
- HIPAA. The Health Insurance Portability and Accountability Act is strictly about protecting patients' sensitive data. The specific term for the information in question is PHI – protected health information – and all companies that work with such information must have various network, process and physical security measures in place and followed to be compliant. Physical PII safeguards include limited physical access, restrictions on physical data transfer and various policies about the use of workstations, while the more technical safeguards include regular audit reports, data encryption and other data protection procedures.
- Australian NBD. The Australian Notifiable Data Breaches Scheme is a law introduced by the Office of the Australian Information Commissioner, and the gist of its PII compliance guidelines is to notify all affected individuals within a set period of time after a data breach is discovered; notification of the relevant government officials is also required.
How To Protect PII Correctly?
There are many different places where PII can be found, from the usual ones like physical servers and clouds to more specific ones, like employees' laptops. That's why the first step in data handling is determining which state each part of your PII is in:
- Data "in motion" – data that is in the process of moving from one place to another;
- Data "in use" – data that your employees work with on a regular basis;
- Data "at rest" – everything that is kept on any kind of storage and is not in use right now.
On a side note, one important step that a lot of people forget is to remove outdated and/or unnecessary PII, including the copies kept in your backups.
Let's talk about the core of every data protection policy – PII data encryption. Encryption should be applied to any sensitive personally identifiable information before it is transferred over an untrusted or even semi-trusted network. This decision should be based on your data classification policy and may also extend to a variety of downstream systems.
Employee PII security
A lot of people tend to forget that data protection – including PII protection – is a collective effort, especially when it comes to sensitive data. That's why it is quite common for companies to implement some form of Acceptable Use Policy (AUP). Usually an AUP focuses on the correct way to work with data, who is permitted to access what, and so on.
Speaking of permissions – all organisations should ensure that access control, and the granting of access, are kept under control. It is easy to lose track of what data is shared and with whom. Especially after acquisitions and mergers, make sure to reaffirm data access and look for potential access errors. This is where the principle of least privilege comes in – most of the daily work employees undertake can be done with minimal access rights.
However, you can't just implement an AUP and forget about it. Educating your employees is incredibly important. It seems rather easy, but there are a lot of nuances that can cause a lot of problems if you forget something or do something wrong. For example, every employee should get their own copy of the AUP and sign a statement confirming their intent to follow all of the policies outlined in it.
Employee education events about AUP would go a long way in ensuring that your employees understand their part in keeping the company’s – as well as their own – data and PII information safe and secure.
PII transfer risks
PII encryption and data permission control are both crucial to preventing leaks and breaches. Another important factor is proper employee offboarding, since neglected offboarding contributes to leaks and breaches.
Any departing employee is a potential threat to your company's PII. That's why it is quite important to ensure access rights are cleaned up consistently. The best ways of mitigating this risk are:
- Reminding ex-employees about any confidentiality agreements that are still in place;
- Cleaning up access permissions, which can include domain credentials, database access and even building or Wi-Fi access;
- A legal reminder to your ex-employees about their responsibilities in regard to PII and similar sensitive data that they may still possess.
All of those points concern ex-employees, but what about current employees' behaviour? One way to encourage better behaviour among existing staff is to establish a proper anonymous channel for reporting suspicious behaviour. For example, you may not notice that someone has started taking company property home with them, even if it is against the AUP. Allowing fellow staff members to report such behaviour in a safe and anonymous environment may prevent such risks.
PII Scanning Tools from Cipherpoint
Cipherpoint scanning solutions help businesses to find PII, encrypt it at rest and control and audit access to it. Using Cipherpoint PII scanning tools, businesses can reduce the probability and impact of a sensitive data breach.
Organisations can scan for and detect various PII types like personal information (emails, bank accounts, credit card numbers, etc.), payment data (all types of credit card data, from Visa and MasterCard to American Express, Discover and other cards) and hard-to-find insecure data with Cipherpoint’s various products and solutions.