There are many definitions of Personally Identifiable Information (PII), but it is broadly considered as any information that can be used to distinguish or trace to an individual’s identity.
Examples include but are not limited to:
- Social Security Number (SSN), passport number, driver’s license number, financial account number, or any other personal identification number (PIN)
- Street or e-mail address
- Phone number
- Associated data – data that on its own may not identify an individual but, when combined with other data, leads to identification (e.g. IP addresses)
Today more than ever it is extremely important for organizations to protect their personally identifiable information (PII). Breaches involving PII are harmful to both the individuals and the organizations involved. In addition to the obvious individual harms, such as identity theft and inconvenience, organizations face harms that include the loss of public support, legal liability, and the costs associated with containment, remediation, and notification. By committing to a few simple steps, organizations can decrease the likelihood of a breach and protect the PII they are accountable for.
Identify all PII and where it resides
Organizations cannot commit to protecting data that they do not know exists. Organizations should get into the habit of periodically reviewing and auditing their environment for PII. This includes both internally sourced PII (e.g. employee PII) and any PII they create, receive, maintain or transmit on behalf of their customers and business partners.
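The periodic audit described above is usually automated as a discovery scan that walks files and data stores looking for PII patterns. The following is an added example (not code from the original article) of such a scan over a constructed set of in-memory "files"; the file paths, the sample values and the choice of detectors are assumptions for illustration. Each detector pairs a regular expression with a validator (the Social Security Administration's unissued number ranges for SSNs, the Luhn checksum for card numbers) so that look-alike strings such as version numbers or ticket ids are not reported as PII.

```python
"""PII discovery scan over a constructed set of files (added example)."""
import re
from collections import defaultdict

# Detectors for a few common PII kinds. Each regex is paired with an
# optional validator so that look-alike strings (version numbers, ticket
# ids, mistyped card numbers) are not reported as PII.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def valid_ssn(match):
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = (int(g) for g in match.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_ok(match):
    """Luhn checksum; filters most random digit runs that merely look like card numbers."""
    digits = [int(c) for c in match.group(0) if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


DETECTORS = [
    ("ssn", SSN_RE, valid_ssn),
    ("credit_card", CARD_RE, luhn_ok),
    ("email", EMAIL_RE, None),
    ("phone", PHONE_RE, None),
]


def scan_text(text):
    """Return a list of (kind, value) findings for one document."""
    findings = []
    for kind, regex, validator in DETECTORS:
        for m in regex.finditer(text):
            if validator is None or validator(m):
                findings.append((kind, m.group(0)))
    return findings


def scan_corpus(files):
    """Map each file path to its findings; files with no PII are omitted from the inventory."""
    inventory = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            inventory[path] = found
    return inventory


def summarize(inventory):
    """Count findings per PII kind across the corpus, for the audit report."""
    counts = defaultdict(int)
    for findings in inventory.values():
        for kind, _ in findings:
            counts[kind] += 1
    return dict(counts)


# Constructed sample files; none of these values belong to a real person.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, personal email jane.doe@example.com, cell (555) 010-2345.",
    "finance/refunds.csv": "order,card\n10042,4111 1111 1111 1111\n10043,4111-1111-1111-1112\n",
    "eng/README.md": "Build with make; see release 2.0.1 and ticket 000-12-3456.",
}

if __name__ == "__main__":
    inv = scan_corpus(SAMPLE_FILES)
    for path, findings in inv.items():
        for kind, value in findings:
            print(f"{path}: {kind} -> {value}")
    print("summary:", summarize(inv))
```

In practice the inventory produced by `scan_corpus` (which file, which kind of PII, how many occurrences) is what feeds the later steps: it tells the organization which repositories hold regulated data, which ones hold more than the business function needs, and where safeguards must be applied. The README entry shows why validators matter: "000-12-3456" has the shape of an SSN but an area number that is never issued, and the mistyped card number fails the Luhn check, so neither inflates the audit with false positives.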
Identify legal and contractual requirements for protecting PII
It is very important for organizations to be aware of any laws or contractual obligations that require PII to be protected. Commonly known laws and obligations include but are not limited to:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLB)
- Children’s Online Privacy Protection Act (COPPA)
Additionally, applicable state and local laws must be given equal consideration in the management of PII.
Perform a PII Risk Assessment
A central component of many privacy compliance standards and regulations is the performance of a risk assessment. This not only serves as the basis for the various compliance and reporting efforts, but is also essential for good corporate governance. In the context of safeguarding PII, the risk assessment should provide specific coverage of at least the following:
- Identification of regulated PII
- Identification of other sensitive data that may or may not be explicitly regulated but may pose other types of risks (reputational risk, competitive risk, etc.)
- Identification of the applicable commitments and requirements necessary to comply with the applicable laws and regulations described earlier
- Threats to compliance with the external and internal commitments and compliance objectives
- Assessment of the likelihood of the identified threats
- Risk management strategies (including avoidance, sharing, mitigation, and acceptance). This commonly involves the implementation of control procedures and safeguards based on the risk management strategy.
A key aspect of the risk assessment process is ensuring the participation of the various stakeholders and subject matter experts, including outside examiners when appropriate. Risk assessments should be performed at least annually and be sensitive to changes in the regulatory and business environment.
Only collect and retain PII that is necessary to perform the business function related to its collection
In today’s world of “big data” it is very tempting for an organization to collect as much data as it can. However, this approach is not only inefficient, since all of that data must be managed before it is usable, but it also introduces risk to the organization with respect to the use, notice, and collection of regulated PII.
Categorize PII by Confidentiality and Privacy impact
Some PII may be inherently less risky to collect and retain than other PII. For instance, a customer list containing opted-in names and e-mail addresses is likely to have a much lower confidentiality and privacy impact, and associated risk, than a list of Social Security or credit card numbers. Each organization is different and it is their decision how to categorize PII; however, an effective risk assessment can significantly assist with this effort.
Create safeguards for protecting PII according to Confidentiality and Privacy impact
Organizations should create safeguards according to the risk assessment (as described earlier) and the confidentiality and privacy impact associated with the PII. These safeguards should clearly reflect the organization’s risk mitigation strategy, be evaluated periodically for design and operational effectiveness, and be revised accordingly. Listed below are a few safeguards that organizations can utilize:
- Create policies and procedures – organizations should have policies for the collection, use, retention, disclosure and destruction of PII. These policies should be adopted entity-wide and communicated to employees.
- Training – organizations should train their employees in how to protect and handle PII to reduce the likelihood of a breach.
- De-identification – organizations can protect PII by removing it where it is no longer needed. De-identification is a valuable tool for safeguarding data.
- Encryption – organizations can encrypt the databases and repositories where PII is stored.
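The categorization step and the de-identification safeguard fit together naturally: once each field has an impact category, a de-identification routine can apply a different treatment per category when records leave the system of record (for analytics, test environments, or partner exports). The following is an added example (not code from the original article) using only the Python standard library; the field names, the impact categories and the per-category actions are assumptions standing in for what an organization's own risk assessment would assign. High-impact fields are replaced with a keyed HMAC pseudonym (stable, so records can still be linked, but not reversible without the key), moderate-impact fields are partially masked, low-impact fields are kept, and any field without a category is dropped so that a new upstream field cannot leak through by default. Encryption of the underlying stores is a separate safeguard and is not shown here.

```python
"""De-identification of PII by confidentiality/privacy impact (added example)."""
import hmac
import hashlib

# Impact category per field, as a risk assessment might assign it.
# Constructed for this example; an organization's own categories will differ.
IMPACT = {
    "ssn": "high",
    "card": "high",
    "email": "moderate",
    "phone": "moderate",
    "zip": "low",
    "plan": "low",
}

# Treatment per category. A field absent from IMPACT gets no action and is
# dropped, so the default is to withhold rather than release.
ACTION = {"high": "tokenize", "moderate": "mask", "low": "keep"}


def tokenize(value, key):
    """Keyed pseudonym: the same value and key always give the same token, so
    records can still be linked or de-duplicated, but the original cannot be
    recovered without the key (which must live in a secret store, not in code)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask(value):
    """Partial masking: hide an e-mail local part, otherwise hide all but the last four characters."""
    if "@" in value:
        return "***@" + value.split("@", 1)[1]
    tail = value[-4:]
    return "*" * (len(value) - len(tail)) + tail


def deidentify(record, key):
    """Return a de-identified copy of one record according to IMPACT and ACTION."""
    out = {}
    for field, value in record.items():
        action = ACTION.get(IMPACT.get(field))
        if action == "tokenize":
            out[field] = tokenize(str(value), key)
        elif action == "mask":
            out[field] = mask(str(value))
        elif action == "keep":
            out[field] = value
        # any other field or category is deliberately omitted from the output
    return out


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Doe",            # not in IMPACT, so it is dropped
    "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111",
    "email": "jane.doe@example.com",
    "phone": "(555) 010-2345",
    "zip": "02139",
    "plan": "gold",
}

# Placeholder key for the demonstration only; a real deployment loads it from a secret store.
DEMO_KEY = b"placeholder-key-load-from-secret-store"

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, DEMO_KEY).items():
        print(f"{field}: {value}")
```

Two properties are worth checking when adopting a scheme like this. The pseudonym must be keyed: a plain hash of a nine-digit SSN can be reversed by enumerating every possible value, whereas an HMAC with a protected key cannot. And the mapping should fail closed, as `deidentify` does by dropping uncategorized fields, because the fields most likely to be missing from the category table are exactly the ones added after the last risk assessment.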