Finding and Identifying PII to Protect Your Data
What is PII?
The digital world we live in makes it easier than ever for our systems to be hacked and our personal information misused.
Data breaches pose a serious threat to organizations and the information they manage on behalf of their clients. That said, organizations manage personally identifiable information (PII) on behalf of their employees and they are entrusted with personally identifiable information (PII) about their customers, so they must take the right steps to protect it.
But before you can take measures to protect PII, you need to know where it is and how to identify it.
Simply put, PII is any information that includes personal identifiers that can be used to distinguish an individual or trace their identity. Some examples of PII are Social Security numbers, bank account numbers, full legal names, phone numbers, credit card numbers, street addresses, and other associated data — data that, in isolation, may not be able to identify a person, but can when associated with other data. This can be information you retain on employees or customers alike that needs to be safeguarded.
PII can exist in structured data formats, making it simpler to find and manage. It can also be stored in unstructured documents such as chat logs, letters, and proposals.
So as you can see, PII takes many different forms — each of which poses a different level of security risk if leaked.
What Happens if PII is Leaked?
If you are responsible for a data breach, not only do you inconvenience your clients and make them vulnerable to identity theft — you risk damaging your reputation, as well as facing legal consequences and financial losses associated with containment and remediation.
To help you prevent this, we’ve outlined five steps that your organization can take to protect personally identifiable information.
How to Protect Personally Identifiable Information
Step 1: Locate and Identify PII
The first step in protecting PII is to find out where it lives.
To do this, you’ll need a comprehensive inventory of all data and information stored within your databases and content management systems across your organization. Once you have this inventory, you can begin to identify PII.
Generally speaking, data collection forms and other documents that contain PII are easy to identify. They include names, addresses, birth dates, and other information that can identify an individual.
In some cases, the actual PII might not be included in the form itself, but rather stored elsewhere in the organization’s system. For instance, a form may ask for an employee’s social security number but store that number in a different place.
PII may be stored in a variety of locations, so it’s important to regularly review and audit your systems for this information. We recommend using automated data management software like Shinydocs. This software can scrape your systems for any PII that is created, received, kept, or transmitted on behalf of your clients and business partners and inform you where it is being stored.
Step 2: Determine Internal Regulations for PII
Given the sensitivity associated with PII, organizations are required to protect it with a heightened standard of security and transparency. As such, it is imperative that you understand your organization’s policies regarding PII, as well as industry regulations and compliance laws that govern how organizations must handle it.
The most common ones are the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). Understanding these regulations will ensure that your organization takes the necessary to protect PII and reduce risk while ensuring compliance.
Step 3: Perform a Risk Assessment
Every organization is different, and how you classify your PII is ultimately up to you. That said, understanding the varying degrees of associated risk will help you take the right measures to protect it.
This is where a risk assessment comes into play.
Risk assessments are the cornerstone of many privacy compliance standards and regulations. These assessments help organizations identify vulnerabilities within their systems that could expose sensitive data to unauthorized access and misuse.
Critical to the success of a risk assessment is that all places where content is stored are audited for PII. Just like you wouldn’t apply virus scanning to just some locations, you must look in all places for PII and not only structured systems. This includes personal drives, network drives, email and attachments, chat logs, and enterprise content management systems (ECM).
Your organization should perform a risk assessment annually, at minimum. In the context of identifying where personally identifiable information is located so it can be properly managed or moved. This risk assessment should consider the following:
- All of the places where PII can be stored or shared
- Whose information is at risk and how
- Which PII is regulated
- What measures are in place to ensure regulatory compliance
- What, if any, threats to compliance exist and their risk magnitude
- What other sensitive data is or is not explicitly regulated, but may pose security, operational, or reputational risks. This last consideration is critical. If there is potential that PII is stored or shared outside of officially managed systems, then those places are susceptible PII getting into the wrong hands.
Should your risk assessment reveal any system vulnerabilities or gaps in your data management strategy, you can take steps to resolve them. This includes taking preventative measures to reduce the risk of a breach, as well as minimizing their impact should they occur.
Step 4: Enforce PII Classification
Businesses must ensure that appropriate technical and organizational measures are in place to protect PII against accidental or unlawful alteration, loss, or destruction, as well as unauthorized access to and disclosure of personal data.
The sensitivity of the PII within your system will impact how you classify it and where your security priorities need to be.
There are two different types of PII to consider: sensitive and nonsensitive.
The sensitivity level of the data depends on its potential damage if released or disclosed. For example, Social Security numbers may not have much value in isolation, but could be valuable when combined with other data points such as birth dates and addresses. This makes them more sensitive than other types of information like employee ID numbers or phone numbers that are publicly available through other sources.
If there’s a possibility that the information could be used for identity theft or fraud, then it must be treated as sensitive PII because it would be very damaging if compromised. On the other hand, if there is no real threat associated with exposure of this type of data, then it probably does not need to be considered sensitive.
Once you understand the sensitivity of the PII you possess, you can determine the level of security it requires and the safeguards you need to put in place to protect it.
Step 5: Review & Update PII Safeguards and Security Policies
Organizations can protect PII by developing policies and procedures that define acceptable collection, retention, and use of information and data; as well as outlining what measures you will take to protect it.
These measures may include:
- Implementing a program to regularly crawl and audit all content systems to monitor for PII, such as Shinydocs’ automated data discovery tools.
- Proactively managing or moving PII that is not stored in the correct places.
- Developing a data breach response plan with clear roles and responsibilities for different departments within the organization.
- Encrypting databases and repositories to protect PII from internal and external risk.
- Performing data backups.
- Training staff on cybersecurity and data management protocols.
Lastly, it is essential that you regularly update these policies so that they reflect new technology and evolving threats to cybersecurity.
As personally identifiable information rapidly becomes the backbone of the data-driven economy, people will lose interest in accessing anything related to their accounts if they believe that their information is not adequately protected.
With this in mind, it becomes clear why organizations need to make PII protection a priority.
Whether you’re a small business owner or work for a large scale enterprise, there are privacy laws and regulations that require you to identify and locate PII within your systems and networks. This poses a challenge for organizations that have not previously considered this aspect of data protection or the risks that come with failing to do it properly.
Thankfully, there are steps you can take and policies you can enforce to ensure that your databases are secure and the PII therein is protected.
In reading this guide, you’re already halfway there.
We’re Rethinking Data
At Shinydocs, rethinking data means constantly questioning our assumptions, reimagining what’s possible, and testing new ideas every step of the way to transform how businesses function.
We believe that there’s a better, more intuitive way for businesses to manage their data. Contact us to improve your data management, compliance, and governance.
Did you enjoy this article? Read this next: