29 Aug
Managing Personally Identifiable Information (PII)
In a time where discussion of cyber attacks frequents the news, customers are starting to demand more attention to their personal data – and they should. When personal information is offered or required from customers, there is fair expectation that the business will take reasonable steps to protect that data. However, when government organizations and major corporations aren’t able to keep data safe from attacks, customers and employees are left feeling frustrated and with a sense of distrust.
Personally Identifiable Information (PII) is so desirable to hackers, that even the strongest defenses can fall victim to penetration. As such, organizations need to start viewing the situation as not a matter of if their data will be compromised, but when. Planning based on that assumption is the first step towards PII management and helping put the owners of the PII at ease.
What is PII?
Personally Identifiable Information (PII) is quite broadly any information that can be used to determine an individual’s identity. This includes data such as names, email addresses, phone numbers, payment information, social security numbers, etc.
PII can be internally sourced (from employees) and externally sourced (from customers). Any PII created, stored, received, or transmitted should be protected, and the organization should know exactly where that data resides. Loss of PII can result in consequences for the affected parties ranging from minor inconveniences, such as having to get replacement credit cards, to identity theft.
Performing risk assessments and checking compliance with relevant standards and regulations helps mitigate the risk of a breach and protect the PII a company is responsible for.
Know Your PII
To manage your PII, it helps to have an understanding of how it exists in your organization. Assessments will help you with this, but there are three major areas to consider.
- Data Necessity – Is it absolutely necessary for your organization to have this data? Consider the risk you take on by keeping unnecessary information that you are liable for. Review all documents where data is stored and see whether you can redact any of it, such as email addresses or social security numbers. For example, in commonly accessed files, perhaps you store only the last four digits of each person's Social Security number. If the full value is required, keep it in a separate, secure system that can be referenced.
- Data Access – Now that you hold only the PII you absolutely need, determine who can access it. Not all customer data is relevant to each person's job function, so access should be limited accordingly. State in company policy that accessing non-essential information isn't allowed, and keep a log of who accesses what data. As an example, in a pharmacy setting, technicians are given a code generated at the beginning of every shift that grants them access to patient PII. This verifies that the data is viewed only by employees, and the resulting log ensures employees aren't abusing their access.
- Data Retention – Verify that no PII is kept longer than required. Your organization should have policies on the retention of any forms or documents that contain PII. This practice minimizes liability by limiting the amount of data that can be accessed in the event that your systems are compromised.
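The three practices above (minimize what the commonly accessed record holds, keep the full value in a separate restricted store that logs every access, and purge values once the retention period has passed) can be tied together in a small amount of code. The Python below is an added example, not code from the original post or from any product it mentions; the names `PIIVault`, `minimize_record` and the `billing` role are assumptions chosen for illustration, and the customer record is constructed sample data.

```python
"""Added example (not from the original post): data minimization, access
logging and retention for PII records. Names such as PIIVault, minimize_record
and the 'billing' role are assumptions for illustration only."""
import re
import secrets
import time

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits for the commonly accessed copy."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]


def redact_emails(text: str) -> str:
    """Replace e-mail addresses in free text with a fixed placeholder."""
    return EMAIL_RE.sub("[email redacted]", text)


class PIIVault:
    """Separate, restricted store for full PII values.

    Code outside the vault only ever holds an opaque token. Every read attempt
    is checked against the allowed roles and appended to an audit log whether
    or not it succeeds, so the log answers 'who accessed what, and when'.
    """

    def __init__(self, allowed_roles, retention_seconds):
        self._records = {}            # token -> (full value, stored_at)
        self._allowed = set(allowed_roles)
        self._retention = retention_seconds
        self.audit_log = []           # one dict per read attempt

    def store(self, value, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # random reference, not derived from the value
        self._records[token] = (value, now)
        return token

    def read(self, token, user, role, now=None):
        now = time.time() if now is None else now
        allowed = role in self._allowed and token in self._records
        self.audit_log.append({"at": now, "user": user, "role": role,
                               "token": token, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read this record")
        return self._records[token][0]

    def purge_expired(self, now=None):
        """Delete every value held for the full retention period; return the count."""
        now = time.time() if now is None else now
        expired = [t for t, (_, stored) in self._records.items()
                   if now - stored >= self._retention]
        for t in expired:
            del self._records[t]
        return len(expired)


def minimize_record(record, vault, now=None):
    """Return the copy that is safe to keep in commonly accessed files.

    The full SSN is moved into the vault and replaced by a masked value plus
    the vault token; e-mail addresses in free-text notes are redacted.
    """
    out = dict(record)
    if "ssn" in out:
        out["ssn_ref"] = vault.store(out["ssn"], now)
        out["ssn"] = mask_ssn(out["ssn"])
    if "notes" in out:
        out["notes"] = redact_emails(out["notes"])
    return out


if __name__ == "__main__":
    # Constructed sample record, not real data.
    vault = PIIVault(allowed_roles={"billing"}, retention_seconds=30 * 86400)
    customer = {"name": "A. Example", "ssn": "123-45-6789",
                "notes": "Prefers contact at a.example@example.com"}
    common = minimize_record(customer, vault, now=0)
    print(common)
    print(vault.read(common["ssn_ref"], "alice", "billing", now=1))
    print(vault.purge_expired(now=31 * 86400), "record(s) purged")
```

The vault here is an in-memory dictionary so the example runs offline; in practice the same interface would sit in front of a separately secured database, and the audit log would be shipped to a system the application cannot edit. Passing `now` explicitly makes the retention logic testable without waiting for real time to pass.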
Performing a PII Risk Assessment
As a starting point, it's best to address any requirements imposed by law or contractual obligation, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), or the Family Educational Rights and Privacy Act (FERPA). It's also good practice to assess against industry standards and best practices for a more complete defense.
The goal of an assessment is to gain a comprehensive understanding of all the PII your organization manages, how it is transferred, and what procedures and systems you have in place to protect it. This identifies both the cyber and the physical security controls that safeguard this data. The assessment results will identify your greatest risks and document the severity of security gaps, allowing you to focus on areas of improvement. Within your assessment, you will look at policies that explain in detail how data should be managed and the steps that should be followed if that data is compromised. You will then be able to update policies and procedures, set up employee training, ensure database encryption, and apply other required or suggested security measures.
Establishing effective security measures and response steps is a major component of a comprehensive PII management strategy. Following these processes reduces the likelihood of a breach and prepares you for when a breach does occur.
Need to review your own PII? Take a free trial of our software and select one of our content libraries.