How Organizations can Safeguard Personal Identifiable Information (PII)
British Airways (BA) recently shared that ICO proposed to levy a fine of whopping £183m for a security breach that was first disclosed back in September 2018. The breach had affected approximately 380,000 transactions. The stolen information included names, email addresses and credit card information. BA described the attack as a ‘sophisticated, malicious criminal attack’ and claimed that it moved quickly to limit the damage. Yet, the damage to the company’s reputation as well as the monetary hit (in terms of fine) has been massive.
Several organizations store customers’ personal data for various purposes in the course of their operations. Customer information including usernames and passwords, passport numbers, social security numbers, telephone numbers etc. is routinely stored by organizations.
This information is often like a ticking time bomb that can severely damage an organization’s reputation in case it is stolen or leaked. Studies suggest that in an overwhelming majority of data breaches, it is Personal identifiable information (PII) that is targeted. Unfortunately, for organizations, breaches that involve PII are also the ones that cause maximum damage to organizational reputation.
Protecting Personal Identifiable Information (PII) Data
When it comes to ensuring the security of all PII data in your system, there are a few things that you need to manage.
- Data Discovery
A large majority of data breaches occur due to inadvertent storage of sensitive data. Organizations should habituate the task of periodically reviewing and auditing their environment for PII. This includes both internally sourced PII (e.g. employees’ PII) along with the PII companies create, receive, maintain or transmit on behalf of their customers and business partners.
- Choose the Right Tools
According to GDPR guidelines, business critical data is not allowed to store in a plain text format in an organization’s environment. Hence, it is suggested to invest in a good data discovery tools that are flexible enough to identify data across multiple functions and cull out any errant data.
Choosing tools with the ability of scanning through multiple environments such as Windows all versions, Mac OS, Linux based OS, Solaris, HP-UX, IBM AIX and many more major operating systems and also major databases like MSSQL, MySQL, Oracle, DB2 etc. The tool also scans emails, Google drive and cloud for sensitive data is also very crucial.
SISA Tipper, for example, is built on a machine learning algorithm, and can scan data across multiple file formats including audio, excel, zip files, text documents, pdf files, images, etc. It can even read scanned documents.
- Delete Unwanted Data or Old Data
Once you identify all the sensitive data saved within your systems, it is important to evaluate each file and determine whether the data really needs to be retained. Is it required for a specific business function? Or does it need to be saved as part of any contractual or legal requirement? If it does not do either of these, it is best to just delete the data rather than let it languish within your system.
For this, it is always suggested to use data discovery tools, which can help organizations in minimizing the effort by filtering out the sensitive data and mask, truncate and/delete the data automatically using time stamp based filtering.
- Encrypt All Remaining Data
Once you identify the data that needs to be saved, ensure that it is encrypted or masked. Ensure that access to this data is highly restricted to one single server or location and the granted access only on business need basis. In addition, the data should never be stored in any removable media device.
- Review Your Policies
The right data management and processing policies can play an important role in preventing any inadvertent data storage and misuse of data. One important aspect is to ensure that there are stringent policies in place to safeguard data from internal as well as external parties.
- Awareness, Training, Education
Conduct regular training and education programmes to educate employees on the importance of being vigilant about data. Encourage them to always follow best practices. Also, establish open lines of communication and encourage employees to come forward and report any suspicious activity.
Given the many sensitivities involved in the storage of Personal Identifiable Information (PII), organizations need to be especially vigilant about following optimum storage policies when storing and processing such sensitive data.
Better safe than sorry!