How to Secure Personally Identifiable Information against Loss or Compromise
Personally identifiable information (PII) is data which can be used to identify, locate, or contact an individual and includes information like name, date of birth, place of residence, credit card information, phone number, race, gender, criminal record, age, and medical records. Every organization stores and uses PII, be it information on their employees or customers. Even schools and universities will store the PII of their students, while hospitals will store patient data.
The PII your company stores is highly attractive to would-be attackers who can sell PII on the black market at a handsome price. PII can be used for any number of criminal activities including identity theft, fraud, and social engineering attacks. It goes without saying that it is absolutely vital that individuals and companies protect their PII. Failure to secure PII leaves your company open to highly targeted social engineering attacks, heavy regulatory fines, and loss of customer trust and loyalty.
10 steps to help your organization secure personally identifiable information against loss or compromise
- Identify the PII your company stores
- Find all the places PII is stored
- Classify PII in terms of sensitivity
- Delete old PII you no longer need
- Establish an acceptable usage policy
- Encrypt PII
- Eliminate any permission errors
- Develop an employee education policy around the importance of protecting PII
- Create a standardized procedure for departing employees
- Establish an accessible line of communication for employees to report suspicious behavior
1. Identify the PII your company stores
Start by identifying all the PII your company stores or uses. If you are a software vendor, you might have customer bank details and login information you need to protect. Government agencies will store PII like social security numbers, addresses, passport details, and license numbers. Once you have identified all the PII data your company stores, you can start to implement a number of measures to secure this data.
2. Find all the places PII is stored
The PII your company stores may live in a range of different locations like file servers, cloud services, employee laptops, portals, and more. A useful first step here is to think about the three states of the data your company stores:
- Data in use: The data employees use to do their jobs. This data is typically stored in a non-persistent digital state like RAM.
- Data at rest: This is the data stored or archived in locations like hard drives, databases, laptops, Sharepoint, and web servers.
- Data in motion: This is the data which is transitioning from one location to another. An example would be data moving from a local storage device to a cloud server or moving between employees and business partners via email.
You need to consider all three data states as you develop your PII protection plan. Thinking about your company’s data in all of its different states will help you determine where the PII lives, how it is used, and the various systems you need to protect.
3. Classify PII in terms of sensitivity
If you haven’t done it already, you need to create a data classification policy to sort your PII data based on sensitivity. This is a vital part of PII protection. As you prioritize your PII, you should consider the following factors:
- Identifiable: How unique is the PII data? If a single record can identify an individual by itself it is a sign that the data is highly sensitive.
- Combined data: Try to identify two or more pieces of data that, when combined, can identify a unique individual.
- Storage: As outlined in steps 1 and 2 above, you need to discover where your PII is stored and how it is used. In addition to those steps, you should assess how many people access the PII data you store and how frequently it is transmitted over networks.
- Compliance: Depending on the type of organization you work for and the industry you operate in, there will be various regulations and standards for PII. These regulations will also help you prioritize your sensitive data. The regulations you may be subject to include the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), HIPAA and HITECH ACT (US), and the Criminal Justice and Immigration Act (UK).
Having weighed up the above factors, you will be ready to classify PII based on sensitivity. At a minimum you should create three levels of data classification:
- Restricted: Highly sensitive PII which could cause significant damage if it gets into the wrong hands. Access to this data is strictly on a need to know basis.
- Private: Not as sensitive as restricted data but would still cause a moderate level of damage to the company or individuals if it was to become compromised. Access to this data is only provided to the users who interact with this data as part of their role.
- Public: Non-sensitive, low risk data with little or no access restrictions in place.
There are many benefits to classifying the PII your company stores, such as maintaining compliance, but data classification can also help an organization to organize their data and help employees find the information they need to do their jobs. Finally, in the event of a security breach, data classification can guide your incident response team by informing them about the level of information which was compromised.
4. Delete old PII you no longer need
You should delete any older, unnecessary PII to make it inaccessible to any potential attackers. Be sure to delete PII securely, and be diligent about deleting old files from your data backups in case any PII is stored there.
5. Establish an acceptable usage policy (AUP) for PII
If you haven’t done so already, you need to get an AUP in place for accessing PII. Your AUP should focus on areas like who can access PII and lay out clearly what is an acceptable way to use PII. The SANS Institute has developed a free AUP template which is a useful starting point in creating your policy. For a robust data protection program, you can use this template for PII and all other types of sensitive company data. You AUP can also serve as a starting place to build technology-based controls that enforce proper PII access and usage.
6. Encrypt PII
Encrypting your PII at rest and in transit is a non-negotiable component of PII protection. Use strong encryption and key management and always make sure you that PII is encrypted before it is shared over an untrusted network or uploaded to the cloud. You will need the right set of technical controls in place to ensure that PII is encrypted; however there are many tools today that can automate the encryption process based on data classification.
7. Eliminate Permission Errors
Companies that lose track of their access control rights can leave the PII they store wide open to attackers. Events like mergers and acquisitions can create confusion and errors in access controls as well. As a result, it’s important that companies implement and enforce the principal of least privilege when granting access to sensitive data, which ensures that individuals only have access to the data they need to do their jobs.
8. Develop an employee education policy around the importance of protecting PII
Employee education is a relatively straight-forward, yet vital, step in the protection of PII. Your company’s AUP can be an important part of your employee education program. Ensure that every employee at your company has a copy of your AUP and signs a statement acknowledging that they agree to follow all the policies laid out in the document. Employee training sessions based on the correct way to access and store PII are another way to ensure the protection of PII. A thorough employee education policy on PII protection has the added benefit of transferring a sense of ownership onto employees who will feel they have an important role to play in PII protection.
9. Create a standardized procedure for departing employees
Threats to your company’s PII can be both internal and external. One of the most common internal threats is that of the disgruntled departing employee. Even when a departure is amicable, employees may be tempted to take some valuable PII (or other sensitive data) out the door with them. Some best practices here include:
- Remove access: Delete all user accounts and access to the various enterprise systems they would have used upon departure.
- Legal reminder: You may want to send a reminder to departing employees about their legal responsibilities around PII and other sensitive data.
- Confidentiality agreement: Share a copy of a signed confidentiality agreement which covers PII and sensitive data.
10. Establish an easy way for employees to report suspicious behavior
You should make it easy for employees to report suspicious or risky behavior to management. For instance, an employee might start taking company devices or materials home with them even if it goes against the AUP and could potentially put PII in danger of being compromised. One of the best ways you can police this type of event is to establish an easy way for employees to report this potentially harmful behavior. Other triggers employees should watch out for include colleagues taking interest in data and activities outside the scope of their job description or accessing the network or sensitive resources at odd hours of the night.