Personally identifiable information (PII)

Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

The US Government Accountability Office defines PII as

“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

 ( Source: US Government Accountability Office, “Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information,” Report 08-536, USA, May 2008, www.gao.gov/new.items/d08536.pdf )

However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributions have been referred to as quasi-identifiers or pseudo-identifiers.

Reasons for loss of PII

A great deal of PII loss is the result of stolen or lost equipment, hard drives or documents. The Data Protection Compliance Report by IT Governance studied Data Protection Act (DPA) contraventions from January 2013 to October 2014, revealing that 32% of all incidents were due to personal or sensitive data being inappropriately disclosed. Repeated errors – such as sending information to the wrong recipients due to incorrect fax numbers or email addresses – were common.  Another major cause of human error was the misplacement of files, documents or mobile devices, accounting for an average cost of £35,000 per incident.

Online data breaches and cyber attacks were also among the common reasons for PII loss identified by the report. Significantly, they were the most costly type of data breach in terms of monetary penalties.

Consequences of not protecting PII

Regardless of how the data is lost, the cost of a data breach can be huge. Fines are one of the most widely-known consequences of losing personal data, and they can be very expensive (e.g., up to $2 million per year in the case of a breach of healthcare records in violation of the Health Insurance Portability and Accountability Act [HIPAA] regulation or up to £500,000 from the UK Information Commissioner).

However, the consequences extend much further and include reputation damage, loss of customer trust, employee dissatisfaction and attrition, and clean-up costs following the breach.

Protecting PII is a challenge for individuals and businesses alike. As individuals, we alone are to blame if we expose our own information to risk, but organisations have a far greater liability. Every organisation is built on people and processes, and ultimately it is responsible for the actions of its staff and the effectiveness of the processes that define how PII is protected.

If your still careless with pii, read more from

  1. sony playstation security breach
  2. Hackers steal 2.5 million PlayStation and Xbox players’ details in major breach
  3. IRS breach shows the importance of PII security
  4. The Worst Data Breaches of All Time

What to do?

Personally identifiable information (PII) is an attractive target for hackers and cyber criminals because it is easy to steal and it is easy to sell.

Protecting PII requires organizations to work through a number of steps. Exactly what you do under each step will vary depending on your industry, the type of data you hold, the environment you work in, your risk appetite, your resources, and other factors.

However all organizations should follow the same broad aproach:

  • Identify what PII you hold
  • Implement a layered technology approach that puts in place practical data security controls, including:
    • Encryption-that will keep the data safe if any information asset is lost or stolen,
    • Threat protection-to keep PC safe from viruses, phishing and other threats,
    • Data loss prevention-that will warn users about sending a file with PII,
    • Policy compliance-that will block users from using a browser with a known security vulnerability or stop users from saving the file to an unencrypted USB stick,
    • Blocking of anonymous proxies-for web searches, because they allow personal information to be accessed by administrators of the proxy server,
  • Know where your personally identifiable information (PII) is stored – if you do not know where the information to be protected is located, then it is impossible to provide adequate protection.
  • Know who sees your data – a key control for protecting the privacy of data is access control, ensuring that only those who have a business need to access the data have the relevant rights.
  • Create policies for handling data – set rules regarding access to the data, how the data is received, stored and transmitted, what information can be sent within the organization and what can be passed along to third parties.
  • Educate users – ensure everyone handling PII is aware of the risks and their responsibilities.
  • Carry out full encryption of desktop and mobile devices – USB sticks, laptops, tablets and mobile phones are major contributors to data loss. Make sure they are encrypted and that you have an appropriate BYOD policy in place.

A holistic approach to PII protection

Finally, protecting PII is about adopting a holistic approach that takes into account people, processes and technology. Consider ISO 27001, the information security management standard, which provides guidance on the development, implementation and maintenance of an information security management system (ISMS).

Data encryption, staff training and awareness, effective policies and procedures, and data disposal management are all elements of a well-planned and maintained ISMS.

Creating acceptable use policies (AUPs)

IT managers must balance the desire to tightly control and protect PII with the needs of employees to use the data to perform their jobs. Think of it in terms of CIA: confidentiality, integrity and availability of PII. The goal is to create and enforce AUPs that clearly define which data is most sensitive and which employees are allowed to access and use it in their work. Form a team to help identify and prioritize all the PII your organization possesses.

The team typically would include IT operations, the security team and data controllers—who know what data is available and where it’s located—and representatives of the HR and legal departments, who have expertise in compliance regulation and legal obligations. This team can help you define your organization’s acceptable use policies for handling and storing PII.

Auditing for PII Security Compliance 

Conducting an audit for PII security compliance is a daunting and laborious task. It is not possible to limit PII auditing to specific sections or business processes of an organization and still have the audit remain effective. Likewise, it is not possible to limit the scope of a PII audit to a particular level and still judge the effectiveness of security controls. By using a three-level, top-down approach, auditors can efficiently cover an entire organization and avoid having to duplicate efforts or repeat processes due to deficiencies at higher levels.

More of Auditing for PII Security Compliance, refer to; https://www.isaca.org/Journal/archives/2014/Volume-1/Pages/Auditing-for-PII-Security-Compliance.aspx

 

writer: Kijjambu Ouma Moses

 BIT, DIT, CNS, CCNA, HUAWEI, ISACA MEMBER, CISA STUDENT

Leave a Reply

Your email address will not be published. Required fields are marked *