What is PII data and why should organizations care?
Personal identifiable information comprises any data that can be used to identify an individual uniquely. This includes the name, address, social security number, phone number, email address, financial details, and more. Cybercriminals actively seek this information to commit fraudulent activities, leading to devastating consequences for the victims.
British Airways (BA) recently shared that ICO proposed to levy a fine of whopping £183m for a security breach that was first disclosed back in September 2018. The breach had affected approximately 380,000 transactions. The stolen information included names, email addresses and credit card information. BA described the attack as a ‘sophisticated, malicious criminal attack’ and claimed that it moved quickly to limit the damage. Yet, the damage to the company’s reputation as well as the monetary hit (in terms of fine) has been massive.
Several organizations store customers’ personal data for various purposes in the course of their operations. Customer information including usernames and passwords, passport numbers, social security numbers, telephone numbers etc. is routinely stored by organizations.
This information is often like a ticking time bomb that can severely damage an organization’s reputation in case it is stolen or leaked. Studies suggest that in an overwhelming majority of data breaches, it is Personal identifiable information (PII) that is targeted. Unfortunately, for organizations, breaches that involve PII are also the ones that cause maximum damage to organizational reputation.
When it comes to ensuring the security of all PII data in your system, there are a few things that you need to manage.
These are broad steps that organizations can take to safeguard customers’ PII data:
- Data Discovery: A large majority of data breaches occur due to inadvertent storage of sensitive data. Organizations should habituate the task of periodically reviewing and auditing their environment for PII. This includes both internally sourced PII (e.g. employees’ PII) along with the PII companies create, receive, maintain or transmit on behalf of their customers and business partners.
- Identifying PII data: The first step is to identify the PII data that an organization collects, stores, and uses. This can be a complex task, but it is essential for effective PII protection.
- Classifying PII data: Once all the PII data has been identified, it needs to be classified according to data sensitivity level. This will help organizations to determine the appropriate level of security for each type of PII data.
- Implementing security controls: Once the PII data has been classified, organizations need to implement appropriate security controls to protect it. These controls can include administrative, physical, and technical measures.
- Choose the Right Tools: According to GDPR guidelines, business critical data is not allowed to store in a plain text format in an organization’s environment. Hence, it is suggested to invest in a good data discovery tool that are flexible enough to identify data across multiple functions and cull out any errant data.
- Monitoring and auditing: It is important to monitor and audit the effectiveness of the PII security controls on an ongoing basis. This will help to ensure that the controls are effective and that they are being implemented correctly.
It is always suggested to use data discovery tools, which can help organizations in minimizing the effort by filtering out the sensitive data and mask, truncate and/delete the data automatically using time stamp based filtering.
Organizations need to be especially vigilant about following optimum storage policies when storing and processing such sensitive data.
- Delete Unwanted Data or Old Data:
Once you identify all the sensitive data saved within your systems, it is important to evaluate each file and determine whether the data really needs to be retained. Is it required for a specific business function? Or does it need to be saved as part of any contractual or legal requirement? If it does not do either of these, it is best to just delete the data rather than let it languish within your system.
- Encrypt All Remaining Data:
Once you identify the data that needs to be saved, ensure that it is encrypted or masked. Ensure that access to this data is highly restricted to one single server or location and the granted access only on business need basis. In addition, the data should never be stored in any removable media device.
- Review Your Policies:
The right data management and processing policies can play an important role in preventing any inadvertent data storage and misuse of data. One important aspect is to ensure that there are stringent policies in place to safeguard data from internal as well as external parties.
- Awareness, Training, Education:
Conduct regular cyber security training and education programmes to educate employees on the importance of being vigilant about data. Encourage them to always follow best practices. Also, establish open lines of communication and encourage employees to come forward and report any suspicious activity.
Safeguarding PII data is an important responsibility for organizations that collect, store, and use PII data. By implementing a comprehensive set of security controls, organizations can help to protect their PII data and protect their customers from identity theft and other serious consequences.