The odds are strong that your personal information is out there: Some of the largest data breaches of the 21st century affected millions of users from brands like Experian, Yahoo!, eBay, and LinkedIn (among others). Even Twitter was guilty of leaving the passwords of its 330 million users in an unmasked log.
It’s become apparent that many businesses have a problem with the storage and management of personally identifiable information (PII). However, fostering a culture where PII is protected and effectively managed should be a core best practice for modern businesses.
What is PII?
PII is considered any information that helps to identify a particular individual. Examples of this information include a person’s date of birth, mailing or email address, or phone number. Sensitive PII can extend to include a person’s social security number, driver’s license or another identification number, bank account information, or biometric identifier (such as a fingerprint). PII can encompass the information that criminals use for fraud attempts, which means it’s important that steps are taken to protect such information from falling into the wrong hands.
How can PII be protected?
The best way to keep this kind of information private is not to hold it in the first place. Companies that must manage employee information should invest in cloud-based applications built to store it, rather than storing it locally, so that it is less likely to fall into the wrong hands. (We discuss this further below.)
The U.S. Department of Labor has issued guidelines for safeguarding PII, and states, “The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information… we have a special responsibility to protect that information from loss and misuse.”
Best practices for protecting PII
The total number of records compromised in 2020 exceeded 37 billion, a 141% increase compared to 2019 (according to a Risk Based Security report), and by far the most records exposed in a single year since reporting began. This means there is an ongoing, growing threat that PII will be exposed and result in identity theft.
Breach notification requirements depend on the state you live in, which affects what triggers a notice, and states change these requirements on a regular basis. But the responsibility for the data falls to the business that stores it, which means businesses can be held liable for breaches under certain circumstances (especially if the information was stored in a way that makes it easily accessible to an outside threat). Breaches can result in significant fines that eat into revenue.
Companies can also be held liable for issues of employee misconduct with private information, making it imperative for organizations to provide best practices for fostering a culture of protection across the organization.
But there are ways that organizations can protect PII, including a number of best practices:
- Use trusted/certified cloud providers that specialize in this type of data. Many cloud providers specialize in the management of PII, including payroll, HR, and other specialized companies. Rely on them to manage and protect your personally identifiable information. You should also ensure that your teams cannot locally save reports that contain PII. Reports should only produce masked PII references (for example, masked SSNs) unless special approval for clear PII has been granted. Finally, data must be encrypted at rest and in transit.
- All PII should be removed locally from file servers/workstations/email. You must delete any locally stored PII wherever possible, either manually or through automated solutions. After all, the best way to keep a secret is not to know it.
- Secure passwords: While there are multiple ways to strengthen the protection of PII from falling into the wrong hands, implementing a strong password – or a passphrase – for critical systems, such as servers or HR software, can help protect information.
- Multi-factor authentication (MFA): MFA is a process for authenticating the identity of a person through two or more methods before allowing access to certain applications or accounts. MFA can be used to protect PII as an added measure (although we use MFA as a core component of our ZAG Standards because it’s so critical).
- Control access: Above all, controlling and restricting access to PII to only those individuals who require this level of access can help protect the information from being mishandled by employees who might not have had enough user training or email security training.
- Practice good data management. Destroying sensitive data securely, installing application updates, securing wireless networks, and using virtual private networks are some of the ways that companies can implement strong data management policies aimed at protecting data.
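As an added illustration of two of the practices above (masked PII in reports, and automated detection of locally stored PII so it can be removed), the following Python is example code written for this page, not ZAG's tooling. It masks SSNs and e-mail addresses in report output by default, emits clear PII only when an explicit approval flag is passed, and scans a text file for PII locations without echoing the values themselves. The detection patterns, the sample rows and the file path are constructed assumptions, not data from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed detection patterns (assumption: US-format SSNs and simple e-mail
# addresses). Real deployments tune patterns per data type and locale.
# The SSN pattern rejects area 000, 666 and 9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)(\d{4})\b")
EMAIL_RE = re.compile(r"\b([\w.+-])[\w.+-]*@([\w-]+(?:\.[\w-]+)+)\b")


def mask_ssn(text: str) -> str:
    """Replace every SSN with a reference that keeps only the last four digits."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(1)}", text)


def mask_email(text: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    return EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)


def render_report(rows: List[Tuple[str, str, str]],
                  clear_pii_approved: bool = False) -> List[str]:
    """Build report lines from (name, ssn, email) rows.

    The default path always masks. Clear PII is emitted only when the caller
    explicitly passes the approval flag, so an unmasked export is a deliberate,
    auditable decision rather than the default behaviour.
    """
    lines = [f"{name}, {ssn}, {email}" for name, ssn, email in rows]
    if clear_pii_approved:
        return lines
    return [mask_email(mask_ssn(line)) for line in lines]


@dataclass
class Finding:
    path: str      # file the PII was found in
    line_no: int   # 1-based line number
    kind: str      # "ssn" or "email"


def scan_text(path: str, text: str) -> List[Finding]:
    """Locate PII in the contents of a locally stored file.

    Returns only locations, never the matched values, so the scan output can
    itself be stored or e-mailed to the owner without spreading PII further.
    A cleanup job would use these findings to delete the file or move the data
    into the approved system of record.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SSN_RE.search(line):
            findings.append(Finding(path, line_no, "ssn"))
        if EMAIL_RE.search(line):
            findings.append(Finding(path, line_no, "email"))
    return findings


# Constructed sample data for the example (not real people or real files).
SAMPLE_ROWS = [
    ("A. Example", "123-45-6789", "a.example@example.com"),
    ("B. Sample", "234-56-7890", "b.sample@example.org"),
]
SAMPLE_PATH = "C:\\Users\\staff\\Desktop\\payroll_export.csv"  # constructed path
SAMPLE_TEXT = (
    "name,ssn,email\n"
    "A. Example,123-45-6789,a.example@example.com\n"
    "B. Sample,n/a,b.sample@example.org\n"
)

if __name__ == "__main__":
    print("Masked report (default):")
    for line in render_report(SAMPLE_ROWS):
        print("  " + line)
    print("Local PII scan:")
    for f in scan_text(SAMPLE_PATH, SAMPLE_TEXT):
        print(f"  {f.path}: line {f.line_no}: {f.kind}")
```

The scanner deliberately reports where PII is rather than what it is; a finding such as "line 2: ssn" is enough to trigger deletion or migration of the file, and the report of findings does not become a second copy of the data.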
How can companies foster a culture of protection for PII?
In addition to establishing technology-related best practices for protecting PII, companies must also begin to foster a culture of protection for PII. From day one, companies should engage with employees on a regular basis about safe practices for managing data, ensuring privacy, and creating safeguards that bolster personal responsibility that translates to protection at the company level.
Company cultures are a critical component for data protection. While there’s often a shared goal of collaboration and enhanced communication to be successful, there also must be a shared responsibility to build a data protection culture alongside it. The role of data protection often falls to IT, but privacy is everyone’s job and part of building a strong culture of protection is providing your employees with the tools and resources they need to understand why it’s necessary.
This kind of culture includes:
Education. Training and education around PII – what it is, what it means, how it can be compromised – is one thing, but it’s a completely different approach to embracing a culture around protecting this information when you address the “why.” What happens when this information isn’t protected? What are the consequences of a breach? Simply communicating the policy can leave questions around the importance of following it, but painting a picture of the potential ramifications can be far more effective.
Preparing for the unknown. We often get the question: How does IT ensure compliance around protecting PII? While applications such as Office 365 or OneDrive come with some cloud-based built-in protections, companies that rely heavily on on-premises storage and management methods are not as well monitored. This is where training, education, and ongoing best practices need to be implemented to ensure the protection of PII.
Understanding differences in governance. While the European Union's General Data Protection Regulation (GDPR) applies to all companies that process or store the personal data of EU residents, the United States varies significantly. The collection and management of PII differ from state to state, and it doesn't matter where your business is headquartered; it matters where your people are and how a breach must be reported to meet that state's standards.
In California, for example, the California Consumer Privacy Act (CCPA) “requires a business or a government agency that owns or licenses unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” It’s critical for companies to understand the laws that govern PII and associated breaches to understand what happens when one occurs.
The bottom line is: It’s up to every organization to ensure that PII is protected, that the culture is one that protects this kind of information, and that the technology being used is as secure as possible through ongoing updates and maintenance.
Contact ZAG to learn more about PII and how your organization can put together a technology strategy that helps protect it.