What is Personally Identifiable Information (PII)?
Data is critical in driving innovations, scientific breakthroughs, and key business decisions. Data is not only growing in volume due to the huge number of sources it is coming from, such as social media, bank transactions, or sensor data, but it is also increasing in complexity.
As data grows in size and complexity, it further gives rise to an increased number of cyber breaches and other security threats, such as unauthorized access, data leaks, or insider attacks. Due to the security and privacy concerns of users, international regulatory bodies have enacted laws to protect customers’ data and their privacy.
Personally Identifiable Information (PII) is amongst those types of data, such as financial data, business data, or technical data, that major data privacy laws cover. PII is akin to a jigsaw puzzle. As you need to put together different pieces of the puzzle to complete it, similarly, you need different pieces of PIIs to get a complete picture of an individual. And that is how you can potentially identify an individual.
Read on to learn more about personally identifiable information, why it must be protected, what challenges organizations face while protecting it, and the important controls businesses must consider to secure PII.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is often used as legal terminology. You may find different definitions of PII in various legal texts, but generally, it would all come down to a piece of information that can potentially distinguish, identify, or trace an individual, such as name, social security number, fingerprint data, home address, birth place, birth date, geo-location, bank account number, etc.
Generally, organizations use PII alone or in combination with other sets of identifiers to identify an individual. For example, with just the name “Eric”, one cannot trace a specific individual. To trace Eric, it is important to use multiple identifiers, such as Eric’s geographic location, social security number, and biometric data, to name a few.
PII can be maintained in either print or any other digital or electronic format. Many organizations have specific policies and procedures in place to protect PII, and there are also laws and regulations that govern the collection, use, and sharing of PII, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
PII can further be categorized into sensitive PII or non-sensitive PII, as both categories require different treatments.
Non-sensitive PII is any PII that is usually available and accessible to the public through social media profiles of individuals, address books or other public records. More importantly, non-sensitive PII cannot be used directly or alone to identify an individual and, therefore, not deemed as confidential on its own. However, it still needs to be protected to prevent misuse since it can trace or distinguish one individual from another when it is used with other identifiers.
Some examples of non-sensitive PII include:
- Postal code
- Birth place
- Birth date
- Geographic location
- Email address
It must be noted that depending on specific circumstances and context, generally considered non-sensitive PII can become sensitive if it can be used in combination with other information to identify a person indirectly.
Sensitive PII is a type of information that is not publicly accessible or available. In fact, if a sensitive PII is exposed to any unauthorized user, such as via a security breach, it may put the data owner at serious risk of harm. Therefore, global data protection laws and industry standards require businesses to ensure that sensitive PII is always legally, ethically, and technically protected, whether it is in transit or at rest. For example, businesses should encrypt or mask sensitive data if such data is shared with a vendor or any third-party contractor for any business purpose.
A sensitive PII can be used directly or alone to identify an individual easily. Examples of sensitive PII may include:
- Social security number
- Passport number
- Insurance information
- Specific medical information
- Fingerprint data
- Driver’s license number
While all PII refers to information that can be used to identify a specific individual, not all PII is considered sensitive. Sensitive PII refers to information that, if disclosed or accessed without authorization, could harm an individual or create a risk of identity theft or other negative consequences.
The Critical Importance of Discovering & Securing PII
Globally, regulatory bodies are introducing, proposing, and enacting data privacy laws to create and establish guidelines for businesses to protect the personal information they collect, process, share or sell. Every data protection law provides a distinct set of principles regarding specific PII elements under personal data. For instance, it is imperative for businesses to not further retain any type of information on their users if that information has fulfilled the purpose for which it was collected and processed. The law then further outlines whether to delete the PII, anonymize it, or archive it. Some laws even guide how long you should retain users’ personal information.
Another great example of data protection laws is the regulation concerning collecting, processing, and sharing sensitive PII. Most data protection laws do not encourage businesses to collect sensitive personal information of users unless consent is obtained or it is necessary for the purposes of public interest, law enforcement action, etc.
Similarly, GDPR requires that collection and processing of sensitive PII must meet a higher standard of legal justification than other types of data. Organizations must have a legal basis to collect and process sensitive PII, such as getting explicit consent from the data subject, compliance with a legal obligation, protection of the vital interests of the data subject or another person, performance of a task carried out in the public interest or in the exercise of official authority, or the legitimate interests of the controller or a third party.
Non-compliance with data protection laws could result in not only monetary loss but also a bad business reputation in the industry as well as loss of customer trust.
Cybercriminals are always looking for personal information that an organization collects, be it from a healthcare institute or any commercial business, for malicious purposes such as identity thefts, spear-phishing, ransomware attacks, etc., and gain financial and other benefits from it. Cybercriminals are now more equipped than ever to carry out complex data breaches where an organization could lose a high volume of users’ personal data, for instance, the 2013 yahoo data breach.
These are some of the critical reasons why it is essential for businesses to discover PII, especially sensitive PII, across their data landscape to establish appropriate security and governance controls to protect it.
Top Threats That Put PII at Risk
There are a number of risks associated with the collection, processing, and sharing of personally identifiable information. However, specific risks may depend upon the sensitivity of the PII and the data protection regulation pertinent to it. Regardless, here are some of the common security, privacy, governance, and compliance risks linked to PII.
- Weak security controls that allow hackers to get unauthorized access to PII, which may result in data leaks, hacking, cyber espionage, etc.
- Cyber criminals can collect different identifiers of an individual to create a profile that is consequently used for targeted attacks or social engineering attacks.
- Inadequate data retention policies that lead to organizations retaining users’ PII for longer than necessary and thereby increase the chances of cyber attacks as well as legal consequences like regulatory fines.
- Using third-party vendors to handle sensitive PII and not having appropriate processes in place to assess the compliance status of contractors or service providers, which ultimately puts the organization at serious risk of non-compliance.
- Lack of training for employees on how to recognize and avoid online risky behaviors and phishing emails etc., and have the practical knowledge on how to encrypt properly and store data may inadvertently put PII at risk.
Common Challenges to Protecting PII
Globally, businesses are moving their operations to the cloud infrastructure. Cloud brings a boatload of opportunities and benefits to organizations. For instance, the cloud allows better scalability, reduced cost, and global footprints. However, organizations still find it challenging to adopt. The challenge is often linked to the complexity of cloud implementation, but it also relates to how efficiently and effectively the organization manages its PII. Here are some challenges that businesses face when protecting PII in the multi-cloud.
- The primary challenge that businesses face with protecting PII is the lack of awareness of what type of PII they have across their corporate landscape, where the PII is stored, and how it is being used across departments. Without knowing what data they have, they cannot protect it.
- Organizations often lose sight of their data systems during cloud migration. This usually happens when there are dark data systems that are migrated to the cloud during the lift and shift. Those dark data systems or non-cloud native systems aren’t indexed by the cloud service provider and thus don’t appear in the inventory. Due to that, they are unable to get the complete picture of PII in their network.
- Organizations generate high volumes of data throughout the year. Moreover, data creates more data, making it difficult for businesses to track and manage it effectively. If data isn’t managed properly or if the business fails to optimize its governance framework, this may lead to data quality issues, inconsistent or outdated data, and non-compliance risks.
- Data sharing is integral to every business, and for some, it is important to share data externally either to run diagnostics or advanced analysis. However, some data might contain sensitive PII that shouldn’t be shared externally. Without having a clear picture of which data amongst thousands of data sets is sensitive can hinder data sharing.
8 Must-Have PII Security, Governance & Compliance Controls
To enable increased protection of PII and to meet data protection compliance requirements, it is essential for organizations to have appropriate controls around their data. Following are some of the must-have controls that businesses need to have in place for effective PII management, protection, and compliance.
1. Data Discovery Policies
Identifying PII across the data landscape must be the primary responsibility of any business. Therefore, set up policies around discovering PII elements stored in data systems, applications, or databases. Automate the discovery policy so that new PII is discovered and inventoried during data ingestion.
2. Data Classification & Cataloging Policies
Data classification and cataloging are amongst the core elements of PII management, especially sensitive PII. These processes enable businesses to understand, manage, and use their data better. With classification, teams can determine the sensitivity of the data, which further enables them to consider how to protect it or where to store it. Similarly, cataloging gives a clear inventory of data and metadata to the business, allowing them to use it effectively, retrieve it, or analyze it.
3. Security Posture Policies
Businesses must gain a bird’s eye view of the misconfigurations in their multi-cloud environment. Automate remediation for misconfigurations that don’t require to be configured manually and set up manual guidelines for complex misconfigurations. Furthermore, a centralized alert system can enable teams to be notified of misconfigurations as they happen and resolve them on time.
4. Data Governance Policies
Data governance is the core part of data management to effectively use data and make sure it is of high quality, accurate, and reliable. Optimize the governance framework keeping in view the types of sensitive data in the environment so data teams can establish appropriate policies and rules regarding data quality, cataloging, and lineage.
5. Data Access Governance Policies
Set a detection engine that identifies who’s accessing sensitive data, from which geographies, and how much volume of data they access. Set up user or role-based access policies and strict them to least privileged access. This enables teams to have the minimum level of access they need to get the job done.
6. Data Sharing Policies
Set up table-based dynamic masking policies for sensitive data that is required to be shared externally or internally with teams that don’t require access to sensitive data.
7. Data Breach Analysis Policies
Drill deep down to specific data elements that are compromised. Map the affected data to the precise individuals that were impacted by the data breach. Create regulatory guidelines for specific regulations to create relevant breach notification policies.
8. Data Compliance Policies
Securiti DataControls Cloud Enables PII Protection & Compliance
Organizations often establish all these important controls around their data in departmental silos using varying tools. Consequently, this creates data inconsistency, integration difficulties, collaboration challenges, added operational costs, and even security risks.
Organizations must strive to centralize these controls, enabling different departments to access, use, and analyze PII via a unified set of tools. Securiti DataControls Cloud is pioneered to deliver that unified control for increased efficiency, collaboration, data protection, and compliance.
Request a demo to learn more about DataControls Cloud and how it can help you protect PII and meet compliance requirements.