PII Data Classification: 4 Best Practices
Getting personally identifiable information (PII) classification right is one of the first steps to having an effective data protection strategy. We break down four best practices in this blog.
Protecting the personal information of customers and employees is vital to the success of any business — regardless of its size or the industry in which it operates. Knowing how to identify and classify this information is just the first step in ensuring its security and preventing it from falling into the wrong hands. In this article we’ll discuss what PII is, the primary data types, and four best practices for classifying PII data.
What is PII?
PII, or Personally Identifiable Information, is any data or information that, if disclosed, could potentially be used to trace or specifically determine an individual’s identity.
Sensitive PII is data whose disclosure could harm, or otherwise negatively affect, the individual it identifies. PII is assigned classification levels that reflect this potential for harm, and the handling controls for each level are chosen to match that risk.
Non-sensitive PII is data whose disclosure would typically cause little or no harm to the individual it identifies.
Understanding these classifications is increasingly important to business owners as more of the corporate world adopts Big Data, along with the security requirements that come with it.
In this article, we’ll take a look at what PII is, why securing it is crucial, and how organizations can best classify their PII data.
Classifications of Data
PII is most often separated into four classes, secured in increasing order of sensitivity: non-sensitive (public), confidential (private), internal, and high-risk (restricted). Let’s take a closer look at what these classifications mean.
Non-sensitive data, sometimes referred to as “Public” data, is any information that can be found in public records such as newspapers, telephone books, or social media sites.
This information is accessible to anyone, so the security concern is integrity rather than confidentiality: preventing unauthorized modification or deletion of the data.
Confidential (or “private”) Data is information that an individual would prefer not be made public. This can include information such as:
- Physical home address
- Internet Protocol (IP) address
- Telephone number (mobile, business, and personal numbers)
- Date or location of their birth
- Maiden name, mother’s maiden name, birth name, or alias
This can also include information that can be used to identify personally owned property or assets like a VIN (vehicle identification number), title of ownership number, or related information.
Confidential data can typically be found legally, with enough time and effort, but should still be allotted a moderate level of security with respect to the subject’s privacy.
Confidential data is often protected under laws and industry standards such as the Health Insurance Portability and Accountability Act (HIPAA) and PCI DSS (Payment Card Industry Data Security Standard).
Internal data is a subset of confidential data: personal data or information, typically related to customers or business relationships, that is meant to be accessible only to authorized company personnel who are granted limited access.
Examples of internal data could include inter-office memos, customer call records, business plans, or any other communications not freely accessible to the public.
High-risk data, sometimes labeled “Restricted” data, is highly confidential information that enables fraud and other cyber-crime if it leaks, and that typically can’t be obtained through legal means of inquiry. It includes data such as:
- Credit card information
- Medical records
- Social Security number (SSN) or Taxpayer Identification Number (TIN)
- Passwords & access codes
- Biometric data such as fingerprints, retina scans, or voice signatures
- Proprietary information (intellectual property) or research documents
High-risk data poses the greatest threat when accessed illegally or without authorization, and should be protected by the highest level of data security possible.
This level of security is necessary because a compromise of this type of data can lead to criminal charges, lawsuits, and large regulatory fines, all of which can do irreparable damage to a company and its reputation.
4 Best Practices for Classifying PII Data
Getting PII data classification right is essential for effective data protection. These best practices will help you develop a data classification policy and implement robust data protection solutions to keep PII secure.
- The first step in classifying your PII data is to determine which security level each piece of information falls into. Any PII your organization is responsible for should be classified and secured accordingly.
- Along with these classifications, the organization must determine who has access to data at each security level, and the criteria for granting that access.
- Safeguards such as security screenings and NDA requirements for those with access should be chosen and put in place. Guidelines for how long data is retained at each level, and how it is eventually disposed of (if at all), must also be written down.
- Once your data is categorized into one of these four (or more) classifications, all high-risk data should be encrypted both at rest and in transit. It is also wise to consider encrypting confidential data.
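The four steps above read as a procedure, so here is an added example, written for this page and not Digital Guardian’s own code, that carries a record through it: content checks (Luhn-validated card numbers, structurally valid SSNs, IP addresses) and field-name hints assign each field one of the article’s four tiers, the record takes its most sensitive tier, and a policy table returns the encryption, access-role and retention requirements for that tier. The tier names follow the article; the field names, regexes, role names, retention periods and the sample record are assumptions made for illustration (4111 1111 1111 1111 is the widely published Visa test number, not a real card). Note the fail-closed default: a field the policy has never seen is treated as confidential, not public.

```python
"""Toy PII classifier and handling policy (added example, not Digital Guardian's code).

Tier names follow the article. Field names, patterns, roles, retention periods
and the sample record are assumptions for illustration only.
"""
import re
from enum import IntEnum


class Tier(IntEnum):
    """Ordered so that max() over a record yields its most sensitive tier."""
    PUBLIC = 0        # non-sensitive: findable in public records
    CONFIDENTIAL = 1  # private but legally discoverable (address, phone, DOB, IP)
    INTERNAL = 2      # subset of confidential, limited to authorized staff
    HIGH_RISK = 3     # restricted: SSN/TIN, card numbers, credentials, biometrics


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_high_risk(text: str) -> list:
    """Return the kinds of restricted data found in free text ("ssn", "pan")."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Structural rules from the published SSN format (assumed here): no 000/666/9xx area,
        # no 00 group, no 0000 serial.
        if area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000":
            found.append("ssn")
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append("pan")
    return found


# Field-name hints for data that content patterns can't recognise (assumed column names).
FIELD_HINTS = {
    "password": Tier.HIGH_RISK, "access_code": Tier.HIGH_RISK, "fingerprint": Tier.HIGH_RISK,
    "medical_record": Tier.HIGH_RISK,
    "home_address": Tier.CONFIDENTIAL, "phone": Tier.CONFIDENTIAL, "dob": Tier.CONFIDENTIAL,
    "ip_address": Tier.CONFIDENTIAL, "vin": Tier.CONFIDENTIAL,
    "call_notes": Tier.INTERNAL, "business_plan": Tier.INTERNAL,
    "name": Tier.PUBLIC,  # listed in public records under the article's definition
}


def classify_value(field: str, value: str) -> Tier:
    """Content wins over the field name: a card number pasted into 'notes' is still high-risk."""
    hint = FIELD_HINTS.get(field, Tier.CONFIDENTIAL)  # unknown fields fail closed
    if find_high_risk(value):
        return Tier.HIGH_RISK
    if IP_RE.search(value):
        return max(hint, Tier.CONFIDENTIAL)
    return hint


def classify_record(record: dict) -> dict:
    return {f: classify_value(f, str(v)) for f, v in record.items()}


# Handling policy per tier (illustrative values; your classification policy sets the real ones).
POLICY = {
    Tier.PUBLIC:       {"encrypt_at_rest": False, "roles": {"anyone"},        "retention_days": None},
    Tier.CONFIDENTIAL: {"encrypt_at_rest": True,  "roles": {"support", "ops"}, "retention_days": 730},
    Tier.INTERNAL:     {"encrypt_at_rest": True,  "roles": {"ops"},            "retention_days": 365},
    Tier.HIGH_RISK:    {"encrypt_at_rest": True,  "roles": {"pci-custodian"},  "retention_days": 90},
}


def handling_plan(record: dict) -> dict:
    """The record inherits the controls of its most sensitive field."""
    tiers = classify_record(record)
    top = max(tiers.values())
    return {"record_tier": top.name, "fields": {f: t.name for f, t in tiers.items()}, **POLICY[top]}


def mask_for_logs(record: dict) -> dict:
    """Redact everything above PUBLIC before the record reaches a log line or ticket."""
    tiers = classify_record(record)
    return {f: ("[REDACTED:%s]" % tiers[f].name) if tiers[f] > Tier.PUBLIC else v
            for f, v in record.items()}


# Constructed sample record (not real data); the PAN is the Visa test number.
SAMPLE = {
    "name": "Jane Doe",
    "home_address": "1 Example St",
    "call_notes": "customer read card 4111 1111 1111 1111 over the phone",
    "order_id": "A-1001",
}

if __name__ == "__main__":
    print(handling_plan(SAMPLE))
    print(mask_for_logs(SAMPLE))
```

Two design points worth keeping when you adapt this: content checks run before field-name hints, because PII migrates into free-text fields (call notes, tickets, chat transcripts) that no schema labels as sensitive; and validation such as the Luhn check or the SSN area/group/serial rules keeps false positives down so that the redaction in `mask_for_logs` does not blank out every order number or timestamp.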
Many industry and government frameworks and regulations impose specific requirements on how organizations must classify sensitive data, such as:
- HIPAA Privacy Rule
- PCI DSS Requirement 9.6.1
- SOC 2 Trust Services
- GDPR (EU data subjects)
- US Department of Labor (DOL)
These requirements will vary depending on the types of data your organization collects and stores, and what type of framework it's working within. Understanding the importance of data security, and how best to classify and protect the information you’re responsible for, is critical given the ever-increasing cyber-threats in today’s business environment.
Risk Based Security and Flashpoint's 2021 Data Breach QuickView Year End Report revealed that more than 4,100 data breaches were publicly disclosed in 2021 alone, exposing over 22 billion records.
Clearly, knowing what data you should classify, how to classify it, and how to secure personally identifiable information against loss or compromise is absolutely essential to your company’s success, reputation, and customer trust.
Download Digital Guardian’s 2022 Essential Guide to Data Classification to learn more about data classification best practices or request a demo to discover how Digital Guardian works with Titus and Boldon James Data Classification to help you understand what sensitive data you have, where it is, and how it’s used so that you can apply the appropriate data protection controls.
Identifying and classifying PII data is a necessary task that every business and organization faces. Whether that data is non-sensitive, confidential, internal, or high-risk, it’s critical that each piece of data is protected appropriately. Failing to do so can cause irreparable harm both to the individual affected and to your own company.