Protecting Privacy: Easy as PII?
Psssst! Can you keep a secret?
This simple childhood whisper takes on new weight as awareness grows of how organizations maintain the confidentiality of the information they receive from individuals.
The electronic world overflows with countless bytes of personal information. Online, people input all types of personal data to transact private or corporate business, contact a government agency or just buy a gift from a retailer. It’s an open secret—everyone knows that personal, confidential, important information is out there.
But how many people actually consider how their information is stored or who can access it? What measures are individuals taking to keep personal information private?
Conversely, as corporations, we collect personal information about staff, clients and consumers every day—in the normal course of business. It has become, in fact, our responsibility to “keep their secret.” What measures should businesses and organizations take to keep safe and private the information collected from individuals?
Good first steps can be found in the “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” from the National Institute of Standards and Technology (NIST). NIST defines PII as:
“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
The guide also sets standards for confidentiality impact levels, safeguards and response to breaches. It is a must-read for any company that collects private information from individuals.
Here are some issues to consider in how your company handles the confidential information of employees and customers:
“You cannot manage what you cannot measure.”
This adage holds true in the context of PII. Organizations need to understand what they are collecting and where it resides. NIST notes that understanding and reducing the amount of PII stored in any electronic environment (shared drives, servers or removable storage devices like USB sticks) greatly reduces the risk of potential harm that could result from a breach of that data.
“Ignorance of the law excuses no one.”
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) contains sections that protect the privacy of a citizen’s Protected Health Information (PHI), which includes elements similar to the PII listed by NIST. Canada has similar legislation in several acts, namely the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, which governs the activities of the federal government.
“Technology is no match for human error.”
Hardware, software, firewalls, passwords and protocols only work when they are implemented and followed. Develop training for staff who may come in contact with PII, and make information protection a company priority. Enact safeguards—like restricting access to data to only those employees who must use it—and stop storing PII once it is no longer necessary.
On the flip side, tell your clients why you collect the data, how you use it and when you will dispose of the information.
“Identity theft” makes headlines every day as PII remains a hot commodity and cyber thieves find new ways of accessing confidential data. Keeping PII safe and confidential must be a high priority because it protects not only customers, constituents and employees, but also your company’s reputation.
At FileFacets, we would like to help you manage and safeguard PII—and avoid a breach.