Why is it crucial to secure Personally Identifiable Information (PII)?
Today, data holds a prominent place in business operations. Most organizations collect, store, process, and/or transmit Personally Identifiable Information (PII) of their customers.
The growing use of PII has attracted threat actors who exploit vulnerabilities, steal sensitive information, and sell it on the dark web. Data breaches can have adverse effects on organizations, ranging from monetary damage to reputational loss.
News of data breaches now dominates the headlines. The recent shift of the workforce to remote working has become an opportunity for threat actors to exploit vulnerabilities and harvest business-critical data. Recently, a ransomware attack on the multinational IT service provider Cognizant, involving the Maze ransomware strain, affected Cognizant’s clients.
Researchers unveiled another massive data breach in June 2020. Cyber fraudsters harvested sensitive data belonging to more than 7 million Indians in a data breach involving the BHIM e-payment app.
Personally Identifiable Information (PII) is any data that can be used to identify an individual or to contact an individual directly. Names, email addresses, phone numbers, SSNs, and credit card information are a few examples of PII.
When an individual’s identity is compromised, cyber fraudsters may use the exposed information to carry out malicious activities under a false identity. Hence, customer data is highly confidential, and organizations must secure PII from exposure.
General Data Protection Regulation (GDPR)
Effective from May 2018, the General Data Protection Regulation (GDPR) is a stringent data protection law that ensures the secure and free movement of Personally Identifiable Information (PII) within and outside the European Union (EU) and the European Economic Area (EEA).
According to GDPR, companies that collect PII of their customers, employees, and third-party vendors (also referred to as data subjects) must protect the data from internal and external threats. Every company that stores and processes the PII of European citizens within EU states must comply with GDPR, even when the company has no business presence inside the EU or EEA.
GDPR defines roles and responsibilities for companies to secure PII and achieve compliance. The roles include the Data Controller, the Processor, and the Data Protection Officer (DPO). The Data Controller and Processor determine and manage the purpose of processing customers’ data and ensure the compliance of outsourcing contractors. A DPO oversees the implementation of security controls and GDPR compliance for the company.
When an organization fails to implement security best practices in its environment to protect PII, GDPR imposes a fine on the entity. The fine structure under Article 83 of GDPR scales with the size of the entity and is two-tiered as follows:
1. The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
2. The more severe infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
A glance at GDPR guidelines
GDPR has a total of 11 chapters and 91 articles that cover general provisions, principles, the rights of data subjects, the duties of controllers and processors in securing the PII of EU citizens, and much more.
GDPR rests on seven principles that address managing and preserving the confidentiality, integrity, and availability of PII.
- Lawfulness, Fairness, and Transparency – Organizations must process personal data lawfully, fairly, and transparently in relation to the data subject.
- Purpose Limitation – Collect personal data only for a specific, explicit, and legitimate purpose. Data must also be collected and stored only as long as necessary.
- Data Minimization – Ensure the personal data processed is adequate, relevant, and limited to what is necessary for the purpose.
- Accuracy – Take every reasonable step to update or remove inaccurate or incomplete data. Individuals have the right to request the erasure or rectification of erroneous or incomplete data, and organizations must do so within a month.
- Storage Limitation – Delete inessential personal data after use, in line with the business circumstances and the reasons for collecting it.
- Integrity and Confidentiality – Personal data must be kept safe and protected against unauthorized or unlawful processing, accidental loss, destruction, and damage, using appropriate technical and organizational measures.
- Accountability – Data controllers must take responsibility for GDPR compliance.
Know how to protect Personally Identifiable Information (PII)
Often, PII is stored as plain text in diverse formats across the complex infrastructures of organizations, which poses a severe risk. Hence, organizations must regularly discover scattered PII across the infrastructure and take the necessary action on the stored information.
To reduce the impact of stored data loss, GDPR stresses the importance of data minimization and storage limitation in its clauses. According to these clauses, organizations should collect only the PII they need and delete inessential PII immediately after use.
However, manual identification and deletion of scattered data can be daunting for organizations. Leveraging automated data discovery tools such as SISA Tipper to locate and act on scattered PII reduces the burden of manual data searching on entities.
Scanning for scattered PII with automated data discovery tools is an effective approach for organizations planning to defend against evolving data breaches. Data discovery tools can find plain-text PII in multiple file formats, such as images, Excel files, audio, and video, within minutes.
Organizations can scan their infrastructure periodically to find plain-text data and then encrypt, truncate, mask, or delete the PII accordingly. In addition, data discovery tools help demonstrate compliance with GDPR and many other regulatory laws and policies.
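The discover-then-mask step described above, as an added example that is not part of the original post and not SISA Tipper's code: it scans a constructed plain-text record for emails, SSNs and card numbers, uses a Luhn checksum so ticket and order ids are not reported as cards, and replaces each hit with a masked form that keeps only a non-identifying tail. The patterns are heuristic assumptions, not GDPR-mandated definitions.

```python
import re
from typing import List, Tuple

# Heuristic regexes for three PII types the post names; constructed here, not SISA Tipper's rules.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Constructed sample of the kind of plain-text record the post warns about.
SAMPLE = (
    "ticket 1042: customer jane.doe@example.com, card 4111 1111 1111 1111\n"
    "ticket 1043: ssn 123-45-6789 on file; ref 1234 5678 9012 3456 is an order id\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random digit run is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(kind: str, value: str) -> str:
    """Keep a non-identifying tail so the record stays usable after masking."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every PII match in the text."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # fails the checksum: likely an order or ticket id
            hits.append((kind, value))
    return hits

def mask_text(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    hits = find_pii(text)
    for kind, value in hits:
        text = text.replace(value, mask(kind, value))
    return text, hits
```

Running mask_text(SAMPLE) reports the email, the SSN and the valid card, leaves the order id untouched, and returns the masked record alongside the list of findings for the discovery report.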
About the Author:
This blog was proposed and written by Mr. Aman Srivastava, working as a Risk and Compliance Consultant with SISA.