Securing PII is a key component of many data privacy regulations and a valuable way to earn customer trust. Here are 10 steps that will help you keep PII safe within your company.
Personally identifiable information (PII) is data that can be used to identify, locate or contact an individual. It includes name, date and place of birth, credit card information, phone number, race, gender, criminal history, age and medical records. Every organization uses and stores PII: schools and universities store the PII of their students, and hospitals store patient information.
Attackers find it attractive to steal PII from your company because it sells on the black market for a very high price and can be used in a number of criminal activities, such as identity theft, fraud and social engineering attacks. It is essential that companies and individuals protect their PII. If you fail to protect it, you could face targeted social engineering attacks and severe regulatory fines, as well as losing customer loyalty and trust.
10 steps to help protect your company’s personally identifiable information from theft or compromise
1. Identify the PII that your company stores
2. Check out all the locations where PII can be found
3. Classify PII according to sensitivity
4. Delete any PII you no longer require
5. Adopt an acceptable use policy (AUP) for PII
6. Encrypt PII
7. Eliminate permission errors
8. Establish a policy for employee education about the importance and protection of PII
9. Create a standardized procedure for departing employees
10. Set up a simple way for employees to report suspicious behavior
1. Identify the PII that your company stores
Start by identifying all PII stored or used in your company. A software vendor might need to protect customer login details or bank details; government agencies store PII such as social security numbers and passport details. Once you have identified all the PII your company holds, you can take a variety of steps to secure it.
2. Check out all the locations where PII can be found
Your company might store PII in a variety of locations, such as file servers, cloud services, employee laptops and portals. Start by considering the three states of data your company holds.
Data in use: data that employees are actively using to do their jobs. It is usually held in a non-persistent state such as RAM.
Data at rest: data stored in or archived on hard drives, databases and laptops.
Data in motion: data moving from one place to another, for example from a local storage device to a cloud server, or between employees and business partners via email.
As you create your PII protection plan, take all three data states into account and consider the data your company holds in each of them. This will show you where PII is located, how it is used and which systems need protection.
For more information visit: https://www.verygoodsecurity.com/use-cases/pii
3. Classify PII according to sensitivity
To sort your PII by sensitivity, create a data classification policy. This is a critical part of PII security. Consider the following factors when deciding how to prioritize your PII:
Identifiability: how unique is the PII? If a single record can be used to identify an individual, the data is sensitive.
Data combining: identify pieces of data that are not identifying on their own but can be used to identify a single individual when combined.
Storage and exposure: knowing where PII is stored is only the first step. You also need to assess how frequently the PII is transmitted and how many people have access to it.
Compliance: depending on your industry and the type and level of your organization, different regulations and standards apply to PII, and they will help you prioritize sensitive information. You may be subject to the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), HIPAA and the HITECH Act in the US, and the Criminal Justice and Immigration Act in the UK.
Once you have weighed these factors, you can classify PII by sensitivity. At a minimum, you should have three levels of data classification:
Restricted: highly sensitive PII that could cause severe damage if it fell into the wrong hands. Only those with a legitimate need to access this data are allowed to see it.
Private: not as sensitive as restricted data, but it could still cause some damage to individuals and companies if compromised. Access is limited to those who have to interact with it as part of their job.
Public: non-sensitive, low-risk information. There are no restrictions on access.
Classifying the PII in your company's possession has many benefits, including maintaining compliance. Data classification also helps an organization organize its data and helps employees find the information they need. In the event of a security incident, it tells your incident response team how much information has been compromised.
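Steps 1 to 3 describe finding PII across storage locations and sorting it into the Restricted, Private and Public levels. The Node.js script below is an added example, not code from the article: it scans a handful of constructed sample records (hypothetical file paths, no real people), detects direct identifiers (SSN, Luhn-valid card number, e-mail address) and quasi-identifiers (date, ZIP code, gender), and applies the article's factors, a single identifying field means Restricted, an e-mail or two or more combinable fields means Private, anything else Public. The regular expressions and thresholds are this example's own choices, not a standard.

```javascript
// Added example (not from the article): PII discovery and classification in Node.js.
// Record contents and paths below are constructed test data, not real people.

// Direct identifiers: one field alone identifies a person.
const SSN_RE = /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/;
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g; // 13-19 digits, optional separators
const EMAIL_RE = /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/;

// Quasi-identifiers: weak on their own, identifying in combination
// (the article's "data combining" factor).
const QUASI_RES = {
  date: /\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b/,
  zip: /\b\d{5}(?:-\d{4})?\b/,
  gender: /\b(?:male|female|M|F)\b/,
};

// Luhn check so that arbitrary digit runs are not reported as card numbers.
function luhnOk(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Map one record to a classification level plus the evidence for it.
function classifyRecord(text) {
  const direct = [];
  const quasi = [];
  if (SSN_RE.test(text)) direct.push("ssn");
  for (const m of text.matchAll(CARD_RE)) {
    if (luhnOk(m[0].replace(/\D/g, ""))) {
      direct.push("card");
      break;
    }
  }
  if (EMAIL_RE.test(text)) direct.push("email");
  for (const [name, re] of Object.entries(QUASI_RES)) {
    if (re.test(text)) quasi.push(name);
  }
  let level;
  if (direct.includes("ssn") || direct.includes("card")) level = "Restricted";
  else if (direct.includes("email") || quasi.length >= 2) level = "Private";
  else level = "Public";
  return { level, direct, quasi };
}

// Scan every location and return a report keyed by location.
function scan(records) {
  const report = {};
  for (const [location, text] of Object.entries(records)) {
    report[location] = classifyRecord(text);
  }
  return report;
}

// Constructed sample "locations" standing in for file servers, logs and laptops.
const SAMPLE_RECORDS = {
  "hr/employees.csv": "Jane Doe, SSN 123-45-6789, started 2020-03-01",
  "billing/orders.log": "order 4711 paid with card 4111 1111 1111 1111 exp 09/27",
  "marketing/newsletter.txt": "Contact: j.doe@example.com",
  "research/cohort.csv": "F, born 1984-07-19, zip 30301",
  "wiki/office.md": "The office is on the 3rd floor, coffee on the 2nd",
};

for (const [location, f] of Object.entries(scan(SAMPLE_RECORDS))) {
  console.log(`${location.padEnd(26)} ${f.level.padEnd(10)} direct=[${f.direct}] quasi=[${f.quasi}]`);
}
```

The research record contains no single identifying field, yet gender, date of birth and ZIP code together are enough to single out a person, which is why it lands in Private rather than Public. A real deployment would run the same detectors over files, database columns and mail archives, and would tune the patterns to the identifiers that matter in its jurisdiction.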
4. Delete any PII you no longer require
Any PII that is not necessary should be deleted so that attackers cannot get at it. Delete PII securely, and make sure your backups are covered as well so that no copies of the deleted PII are left behind.
5. Adopt an acceptable use policy (AUP) for PII
If you do not already have one, put an AUP in place that governs access to your PII. Your AUP should focus on areas such as who has access to PII and what constitutes permissible use. The SANS Institute has published an AUP template that can be used as a starting point for your own policy; it is suitable for PII and other sensitive company data. An AUP can also be the basis for technology-based controls that enforce PII access rules.
6. Encrypt PII
Your PII must be encrypted at rest and in transit; this is a mandatory component of PII protection. Use strong encryption and sound key management. Ensure that PII cannot be shared over untrusted networks or uploaded to the cloud. Technical controls are necessary to ensure that PII encryption is applied correctly, and many tools automate this based on data classification.
7. Eliminate Permission Errors
Companies that lose track of their access control rights may leave their PII exposed to attackers. Mergers and acquisitions, for example, can cause confusion and lead to access control errors. Companies should enforce the principle of least privilege when granting access to sensitive data, so that only the individuals who need the data can access it.
8. Establish a policy for employee education about the importance and protection of PII
Employee education is a straightforward but vital step towards protecting PII. Your company's AUP can be an important part of the education program: each employee should receive a copy of the AUP and sign a statement acknowledging that they will follow it. Employees should also be trained on how to access PII and keep it safe. An employee education policy that covers PII protection gives employees a sense of ownership and makes them feel they have a role in PII security.
9. Create a standardized procedure for departing employees
Threats to your company's PII can be both external and internal, and disgruntled employees are one of the greatest internal threats. Employees may try to take sensitive data or PII with them, even when the departure is amicable. These are some of the best practices:
Remove access: as soon as the employee leaves, delete their user accounts and revoke their access to enterprise systems and anything else they had access to.
Legal reminder: send departing employees a reminder of their legal responsibilities with respect to PII and sensitive data.
Confidentiality agreement: provide a copy of the signed confidentiality agreement that covers sensitive data as well as PII.
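Steps 7 and 9 both come down to the same periodic check: does every grant in the access-control system still belong to an active person whose role needs that data? The Node.js script below is an added example, not code from the article; it joins a constructed HR roster, a constructed resource inventory labelled with the levels from step 3, and a constructed export of current grants, and reports grants that exceed need-to-know on Restricted or Private data, grants held by departed accounts, and grants for principals nobody in the roster can account for.

```javascript
// Added example (not from the article): an access review in Node.js covering
// least privilege (step 7) and departed-employee cleanup (step 9).
// Roster, resources and grants are constructed sample data.

// HR roster: who is still employed and what role they hold.
const ROSTER = {
  alice: { active: true, role: "billing" },
  bob: { active: true, role: "marketing" },
  carol: { active: false, role: "hr" }, // departed last month
};

// Resources with their classification (step 3) and the roles that need them.
const RESOURCES = {
  "db/cards": { level: "Restricted", needToKnow: ["billing"] },
  "hr/payroll": { level: "Restricted", needToKnow: ["hr"] },
  "crm/leads": { level: "Private", needToKnow: ["marketing", "billing"] },
  "wiki/office": { level: "Public", needToKnow: [] },
};

// Current grants as exported from the access-control system.
const GRANTS = [
  ["alice", "db/cards"],
  ["bob", "db/cards"], // marketing does not need card data
  ["bob", "crm/leads"],
  ["bob", "wiki/office"],
  ["carol", "hr/payroll"], // account should have been removed on departure
  ["dave", "crm/leads"], // nobody in the roster: leftover from a merger?
];

// Walk every grant and return the ones that violate the policy.
function reviewAccess(roster, resources, grants) {
  const findings = [];
  for (const [user, resource] of grants) {
    const person = roster[user];
    const res = resources[resource];
    if (!person) {
      findings.push({ user, resource, issue: "unknown-principal" });
    } else if (!person.active) {
      findings.push({ user, resource, issue: "orphaned-account" });
    } else if (!res) {
      findings.push({ user, resource, issue: "unknown-resource" });
    } else if (res.level !== "Public" && !res.needToKnow.includes(person.role)) {
      findings.push({ user, resource, issue: "excess-privilege" });
    }
  }
  return findings;
}

for (const f of reviewAccess(ROSTER, RESOURCES, GRANTS)) {
  console.log(`${f.issue.padEnd(18)} ${f.user} -> ${f.resource}`);
}
```

Public resources are deliberately exempt from the need-to-know check, matching the classification levels above; every other finding is a grant that should be revoked or justified in writing before the next review.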
10. Set up a simple way for employees to report suspicious behavior
Employees and managers should find it easy to report unusual or unsafe behavior. An employee might, for instance, take company equipment or materials home against the AUP, which could put PII at risk; an easy reporting mechanism helps prevent this. Other warning signs are colleagues who show interest in data or activities beyond their job description, or who access sensitive resources or the network at odd hours.