What is PII? What Should We Do About It?
Dreams and fantasies are often referred to as “pie in the sky” thinking—nice to ponder, but, realistically speaking, not likely to happen. A generation ago we would have thought the digitization of info would usher in a Utopian paperless age when our information would be secured, stored, and shared only with people with a need to know.
However, thanks to the rise of hackers and other cyber criminals, identity theft, fed by the growing volume of unsecured PII, is on the rise. In 2014, identity theft was the #1 consumer complaint at the Federal Trade Commission. Thieves stole more than $16 billion from 15 million U.S. consumers in 2016, according to a recent study. The fact of the matter is that PII stored on connected devices, in software and applications, and on servers should be assumed to be at risk of compromise at some point.
So, what is PII? And, more importantly, how can organizations secure this data, thwart cyber thieves, and establish cyber resiliency by mitigating threats and attacks?
What Is PII?
In short, PII (personally identifiable information) is any information that can be used, either alone or in combination with other data, to distinguish or trace one person's identity. PII may include, but is not limited to: name, date of birth, credit card number, Social Security number, tax records, and even medical history (protected health information, PHI, the health-related subset of PII regulated under HIPAA).
Just for a moment, think of your last visit to the post office, accountant, doctor, realtor, or grocery store. Even when you fill out requested information on paper, these forms are keyed into digital systems of record. Now, factor in auto withdrawal bill payment and online shopping, ticket purchases, and other cyber transactions.
Name here; Social Security number there; bank account info everywhere. Yes, your information is out there.
All it takes is a misplaced form or an unsecured terminal to expose your information to the wrong person. Dedicated attackers may target victims by rifling through trash bins (dumpster diving) or by compromising poorly secured wireless routers to intercept PII in transit.
The good news is industries and organizations realize they must take extreme and deliberate measures to keep PII secure. Governments, from local to global, have issued guidelines and regulations to establish accountability and have instituted penalties for lack of compliance.
How Do We Secure PII?
Organizations must take data security seriously and have a plan to provision, promote, and maintain cybersecurity. The most reliable path to data security is compliance with the security standards defined by industry bodies, governments, or economic blocs; treat those standards as a baseline to build on rather than a ceiling.
For example, in the United States, privacy and data security practices are regulated through a patchwork of overlapping and interconnected statutes and frameworks which define the accountability and enforcement components used by regulators. These include the Financial Services Modernization Act (the Gramm-Leach-Bliley Act, which regulates the collection, use, and disclosure of consumer financial information and whose privacy rules the Federal Trade Commission enforces for many institutions) and the Health Insurance Portability and Accountability Act (HIPAA, which sets the rules for protected health information and is enforced by the Department of Health and Human Services).
The European Union's General Data Protection Regulation (GDPR) is the first comprehensive attempt at establishing data compliance standards across national economies. It gives organizations 72 hours from becoming aware of a breach to notify the supervisory authority (and requires notifying the affected individuals without undue delay when the breach puts them at high risk), sets penalties for non-compliance, and gives individuals the right to access their own data. The regulation applies from 25 May 2018. For a primer on GDPR, download our free whitepaper.
What Should You Be Doing Now?
Most companies started addressing PII issues a few years ago. If you have not, first steps can be found in the "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (Special Publication 800-122) from the National Institute of Standards and Technology (NIST). The guide also sets out confidentiality impact levels, safeguards, and breach response. We noted the guide and other first steps in a blog in May 2016.
For all companies and institutions, key steps start with finding and organizing all existing files that contain PII. For many businesses, the task of locating files sounds simplistic but quickly becomes complicated as files are located in multiple repositories across multiple servers. Additionally, most companies discover they have a bad case of ROT—redundant, obsolete, and trivial files stored throughout their network.
Software platforms, like FileFacets, offer a rescue from ROT and a pathway not only to organizing all files, but also to a clear, systematic way to search for and aggregate PII. FileFacets, in particular, extracts and aggregates PII from unstructured network-based and cloud-based file sharing repositories, leading ECM technology platforms, Microsoft Exchange Servers, and individual desktops. And, once data is collected, the software enables users to classify PII, so it can be moved to a new secure destination, properly disposed of, or otherwise handled appropriately.
Securing PII is not a one-time event. Setting up a secure system and analyzing existing data begin the process, but to maintain security and compliance, companies need dynamic, ongoing mechanisms and checkpoints. Your system should define detection rules for sensitive information, flag matching files automatically, and route them to the right handling (quarantine, retention, or disposal) without waiting for a manual sweep. Compliance, and secure PII, require daily and rigorous maintenance.
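The discovery-and-classification loop described above (find files with PII across a file tree, validate what was found, rate each file, route it) can be sketched in a few dozen lines. The following is an added example and is not FileFacets code nor NIST's own tooling; the sample "repository" is constructed, the impact-level mapping is an assumed simplification of the SP 800-122 idea, and the three detection rules are illustrative rather than a complete PII taxonomy. The point it makes that the prose does not: raw pattern matches produce many false positives, so each rule carries a validator (SSN ranges the SSA never issues, the Luhn check for card numbers), and findings are masked before they go into any report so the report does not itself become a new copy of the PII.

```python
"""Rule-based PII discovery over a file set (added example, not FileFacets code).
Pattern rules find SSNs, payment card numbers and e-mail addresses; validators
reject look-alikes; each file gets an impact level so it can be routed."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Patterns are deliberately loose; the validators below do the discriminating.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn", "card" or "email"
    value: str   # raw match: never write this to a log unmasked
    line: int    # 1-based line number in the file


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return every validated PII hit in `text`."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                findings.append(Finding("ssn", m.group(0), lineno))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                findings.append(Finding("card", m.group(0), lineno))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", m.group(0), lineno))
    return findings


def impact_level(findings: list[Finding]) -> str:
    """Assumed mapping in the spirit of SP 800-122 impact levels (not the guide's
    own table): identifiers that enable fraud rate high, contact details alone low."""
    kinds = {f.kind for f in findings}
    if kinds & {"ssn", "card"}:
        return "high"
    return "low" if kinds else "none"


def mask(value: str) -> str:
    """Redact a finding for reports: keep only the last four characters (or the e-mail domain)."""
    if "@" in value:
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "*" * (len(value) - 4) + value[-4:]


def scan_tree(root: str) -> dict[str, list[Finding]]:
    """Walk a directory and return {relative path: findings} for files that contain PII."""
    results: dict[str, list[Finding]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue                    # unreadable file: skip it, do not abort the sweep
            if found:
                results[os.path.relpath(path, root)] = found
    return results


def triage(docs: dict[str, str]) -> dict[str, str]:
    """Impact level per document, the input to a quarantine/retain/dispose decision."""
    return {path: impact_level(scan_text(text)) for path, text in docs.items()}


# Constructed sample repository (not real data): two files with PII, one with
# look-alikes the validators must reject, one with nothing of interest.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "Employee: Jane Doe\nSSN: 123-45-6789\nContact: jane.doe@example.com\n",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111 approved\n",
    "it/inventory.txt": "Asset tag 4111 1111 1111 1112, serial 000-12-3456\n",
    "notes/lunch.txt": "Team lunch Friday at noon\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # materialise the sample docs on disk
        for rel, text in SAMPLE_DOCS.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        for rel, found in sorted(scan_tree(root).items()):
            print(f"{rel}: impact={impact_level(found)}")
            for f in found:
                print(f"  line {f.line}: {f.kind} {mask(f.value)}")
```

Run stand-alone, it reports only the HR and finance files; the inventory file is dropped because its card-like number fails the Luhn check and its SSN-like number uses area 000. In a real deployment the rule set would be far larger (account numbers, dates of birth, national ID formats outside the U.S.), the scan would be scheduled rather than run once, and the routing step would move high-impact files into access-controlled storage rather than just printing a line.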
PII—and the job of keeping it secure—will only grow in the coming years. Smart companies will not only address today’s compliance issues, but will also invest in tools that are scalable and adaptable to their enterprise’s future. Moreover, these tools must be user-friendly and offer a seamless workflow experience.
Take a Test Drive of FileFacets
FileFacets’ online privacy compliance and enterprise analytics platform makes it easy for businesses to search for, identify, and process PII across multiple sources, identifying where it is, and what it is, so it can be properly protected. Mitigating risk and reducing cost, the platform offers solutions for many industries, including legal, health care, and other highly regulated fields.