By Cody Lents, Partner and Customer Steward at COVI, Inc.
Keeping personal information safe is critical, but many companies do not understand the difference between merely keeping it safe and incorporating best practices. Personally Identifiable Information, also known as PII, is any data that could potentially identify a specific individual; it is essentially any information used to distinguish one person from another. Public records such as phone books, corporate directories, and websites are places where non-sensitive PII can be gathered. That data might include zip code, race, gender, date of birth, or religion. However, when non-sensitive and sensitive PII are combined, the resulting PII becomes even more important to secure.
Sensitive PII (SPII) is even more critical information that could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual if lost, compromised, or disclosed without authorization. Sensitive PII can include your name, address, email, telephone number, date of birth, driver’s license number, credit or debit card number, medical records, or social security number. Rest assured, there are plenty of ways to protect this information through how files are stored. According to the National Institute of Standards and Technology, you should configure your files with data loss prevention controls that limit sensitive PII from being retrieved by hackers or mistakenly sent. To ensure your PII is safe, it’s best to follow some simple practices.
Simple practices include encouraging your employees to follow good data backup procedures, safely destroying or removing old media that holds sensitive data, and installing software, application, and mobile updates. Do you and your co-workers have a secure recycling process? Furthermore, using secure wireless networks rather than public Wi-Fi, along with virtual private networks (VPNs) or cloud adoption, are great ways to incorporate best practices. To protect their own PII, employees should limit what they share on social media and keep their social security cards in a safe place. Individuals should also make online purchases or browse financial accounts only on HTTPS sites. Be careful about uploading sensitive documents to the cloud, and lock devices when not in use.
If your organization minimizes the amount of PII it uses, collects, and stores, it can significantly reduce the likelihood of harm caused by a breach. For example, an organization should only request PII in a new form if the PII is necessary. An organization should also regularly review its holdings of previously collected PII to determine whether the information is still relevant and essential for meeting the organization’s business purpose and mission. When PII is accessed more often, or the PII is regularly transmitted or transported offsite, there are more opportunities to compromise the confidentiality of the PII.
Protecting PII is essential for personal privacy, data privacy, and data protection. All it takes is a few bits of an individual’s personal information for thieves to create false accounts in their name, incur debt, create a falsified passport, or sell a person’s identity. When an individual’s personal data is recorded, tracked, and used daily (for example, in biometric scans with fingerprints and facial recognition systems used to unlock devices), it is increasingly essential to protect individuals’ identity and any pieces of identifying information unique to them.
On the other hand, if you’re outsourcing work on your company’s internal initiatives to a third party, you must ensure that they are following proper protocol. First, automate technical controls if possible. If not, minimize the vendor’s use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and scope of work. You may also consider the feasibility of de-identifying or anonymizing the information. Next, you should require any third-party vendors to obtain security or cyber liability insurance in the amounts recommended by risk management. Another safeguard is to ensure the vendor you’re utilizing completes a vendor security risk assessment.
Several factors determine how sensitive PII is, including identifiability, quantity, and classification. Organizations should determine how easily PII can be used to identify specific individuals and how many individuals may be impacted if there is a breach.
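As an added example (not from COVI or the original post), the Python below measures the identifiability point made above: it checks how easily the "non-sensitive" fields named earlier (zip code, gender, date of birth) single out individuals in a small constructed dataset, and how generalizing those fields raises the dataset's k-anonymity before it is shared. All records and field names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people); each field is "non-sensitive" on its own.
RECORDS = [
    {"zip": "02138", "gender": "F", "dob": "1961-07-10", "diagnosis": "asthma"},
    {"zip": "02138", "gender": "F", "dob": "1961-07-10", "diagnosis": "flu"},
    {"zip": "02138", "gender": "M", "dob": "1975-03-02", "diagnosis": "diabetes"},
    {"zip": "02139", "gender": "M", "dob": "1975-03-02", "diagnosis": "hypertension"},
    {"zip": "02139", "gender": "F", "dob": "1988-11-30", "diagnosis": "migraine"},
    {"zip": "02140", "gender": "F", "dob": "1988-05-14", "diagnosis": "flu"},
]
# Quasi-identifiers: harmless alone, identifying in combination.
QUASI_IDS = ("zip", "gender", "dob")

def qi_tuple(rec, keys=QUASI_IDS):
    return tuple(rec[k] for k in keys)

def group_sizes(records, keys=QUASI_IDS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(qi_tuple(r, keys) for r in records)

def k_anonymity(records, keys=QUASI_IDS):
    """Smallest group size; k == 1 means at least one person is uniquely identifiable."""
    sizes = group_sizes(records, keys)
    return min(sizes.values()) if sizes else 0

def unique_fraction(records, keys=QUASI_IDS):
    """Share of records whose quasi-identifier combination appears only once."""
    sizes = group_sizes(records, keys)
    unique = sum(1 for r in records if sizes[qi_tuple(r, keys)] == 1)
    return unique / len(records) if records else 0.0

def generalize(rec):
    """Coarsen quasi-identifiers: 3-digit zip prefix and birth year only."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:4]
    return out

def generalized_dataset(records):
    return [generalize(r) for r in records]

def main():
    print("raw:         k =", k_anonymity(RECORDS), "unique fraction =", round(unique_fraction(RECORDS), 3))
    coarse = generalized_dataset(RECORDS)
    print("generalized: k =", k_anonymity(coarse), "unique fraction =", round(unique_fraction(coarse), 3))

if __name__ == "__main__":
    main()
```

Run on the raw records, four of six rows are unique on zip, gender and birth date (k = 1); after generalization every combination is shared by at least two people (k = 2), which is the kind of check worth running before releasing data to a vendor.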
As the amount of structured and unstructured data available keeps expanding, the number of data breaches and cyberattacks by actors who recognize the value of PII continues to climb. It’s more important than ever to secure PII before it’s too late. Even a breach of non-essential PII could leave you picking up the pieces and paying for it in the long run.
For more information, please visit https://gocovi.com/blog/