It’s not the same as Pi Day, I get it. That happens once a year. When you’re a hacker, though, EVERY day could be PII day. And that is NOT a good thing.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. Along with the more traditional types of PII—such as name, mailing address, email address, date of birth, Social Security number and phone number—the scope of what is considered PII has broadened to now include IP addresses, login IDs, personally identifiable financial information (PIFI) and even social media posts.

Wow!

This broad definition of PII creates security and privacy challenges that organizations collecting, processing, and storing PII must consider. To help simplify it, PII can be broken down into two categories: sensitive and non-sensitive.

  • Non-sensitive PII can be easily gathered from public records—such as an individual’s ethnicity, gender, or zip code. This type of data is often readily available and if transmitted without encryption, likely does not cause any harm to the individual.
  • Sensitive PII—such as passport, driver’s license, or Social Security numbers—however, requires encryption in transit (if being sent by email, for example) as well as at rest (simply stored as data somewhere in your systems) to prevent harm being caused to the individual if their PII ends up in the wrong hands.

Encrypting PII can save individuals from damaged credit and identity theft and can shield your organization from lost revenue, noncompliance fines, and/or reputational damage.

Understanding the Risk of Unsecured PII

Every single organization stores and uses PII, either on their employees, customers, or both. Take for example a mortgage lending company. The company must collect and process PII to process loans. To collect that PII, their customers are likely sending it using one of several legacy (old standard) methods – fax, FTP, or email.

Think for a moment about the incredibly detailed personal information filled in on a mortgage application. If that application is sent to the mortgage company using one of those legacy methods, the information is most likely not encrypted. An applicant’s security could be breached, AND, it puts the mortgage company (in this example) at risk of a breach of their own, as well as not meeting compliance standards.

Similarly, accounting firms that process tax information are at similar risk. Do clients ever fax or email tax documentation? Do they scan things and pop them up on a shared drive so their accountant can access them? There are so many ways for PII to be shared – and exposed.

As organizations collect, process, and store PII they must also accept responsibility for protecting this sensitive data.  After all, data breaches can occur at all levels of organizational sophistication—take for example the recent First American breach—but the impacts on the organization are often the same: breaches are costly, time-consuming, and damaging.

Limiting your organization’s risk of exposure to potential threats extends beyond protection against malicious attack though. One careless employee can result in PII being shared with unauthorized recipients. Regardless of how the data is lost, the responsibility still falls on your organization’s shoulders.

6 Steps to Start Securing PII Today

Because PII is so attractive to bad actors who can sell it on the black market for a pretty penny, it is imperative that no matter the way your business uses it, you always secure inbound PII. Failure to do so leaves you exposed and at risk of attacks, heavy fines, and loss of customer trust.

Here are six practical steps you can take to begin securing inbound PII today:

  1. Identify the PII your organization uses. Begin by identifying all the PII your company collects, processes, and uses. Once you identify it, you can start planning your security and privacy strategy for protecting it.
  2. Locate where PII is stored. PII data could be stored in any number of locations such as servers, on the cloud or even employee laptops. Be sure to consider the three data states: Data in-use, at-rest, and in-motion. This will help you better understand the various systems you need to protect.
  3. Classify PII in terms of sensitivity. Once you’ve identified and located all PII, grade it by the likelihood of being compromised and the possible consequences of the data being exposed. This helps you prioritize which data and systems to protect first.
  4. Establish an acceptable usage policy. If you don’t already have one, you should get an acceptable usage policy (AUP) in place for accessing PII. This policy defines who can access PII and the acceptable way(s) to use it. This policy can serve as a jumping-off point for building technology-based controls to reinforce proper PII access and usage.
  5. Implement an encryption solution. Seek out a solution that minimizes reliance on trust. Data-centric encryption will protect your organization’s PII from internal and external risks and put customers at ease when you ask for their most sensitive data.
  6. Back up your solution with training. No matter how good your encryption solution is, it is only as good as the individuals using it. Be sure to train employees frequently on any technology updates as well as evolving threats. Customers should also be familiar with how to effectively use your encryption solution. Remember, user-friendly encryption software will help boost user adoption.
Encrypting PII for Ultimate Security

For organizations that need to secure inbound PII, data-centric encryption is a crucial best practice for keeping it protected as it’s shared within your organization and beyond. You will also need the right set of controls. For instance, if you take that same mortgage company example: having the ability to restrict access to fewer people over the lifetime of a loan application is necessary to ensure compliance with the upcoming CCPA.

Protecting PII isn’t just about compliance though. By placing an emphasis on data security and privacy, you can facilitate improved customer experience and streamline communications while protecting their privacy.  Not only does this help boost customer loyalty and trust, but it helps in future-proofing your tech investments against evolving requirements.