Is your company taking adequate steps to protect your employee and customers’ personally identifiable information (PII)? If not, you need to be.
Enterprise businesses are pressuring their vendors on security measures, seeking to prevent a breach and protect customer information they store or process. If there is a breach companies learn remediation and noncompliance fines are costly, plus notifying customers about a breach is a big hit to a company’s reputation. Security breaches are one of the biggest causes of identity theft in 2020, resulting in harm to many individuals who had information stolen during a breach.
However, businesses that take action to protect PII can avoid a costly breach, while also winning new deals with security-conscious enterprises.
How to Protect PII in 7 Steps
Personally Identifiable Information (PII) is any type of information from which a specific individual may be identified. That includes things like names, social security numbers, passport numbers, or physical addresses. It also includes less obvious things like emails and phone numbers. To protect personally identifiable information:
1. Identify What PII You Collect and Where It Is Stored
Begin by performing an inventory of what personally identifiable information you’re collecting and where it’s being stored. You’ll need to examine whether you’re collecting data correctly and if the storage method contains adequate security measures.
2. Identify What Compliance Regulations You Must Follow
Depending on your industry, you may be subject to legal compliance requirements. These are laws that govern how you collect, handle, store, and transmit certain types of sensitive information. These may vary based on where or who your customers are, rather than your industry or business location. Some common compliance mandates include:
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
3. Perform a Personally Identifiable Information Risk Assessment
A risk assessment will help you identify possible vulnerabilities or weak points in your security strategy before criminals do. You should identify:
- What PII is regulated and what actions you’re taking to ensure compliance.
- What unregulated PII poses risks to reputation, competition, security, etc.
- Possible sources of threats from most to least likely.
- Possible risk management strategies, including control procedures and safeguards that you can implement.
4. Securely Delete Personally Identifiable Information That’s Not Necessary to Business
Are you holding onto PII that you no longer need? While you might think it’s best to hoard as much data as you can, PII can be a security risk when it hangs around forgotten. Comb through your organization and identify information that can be deleted. This includes:
- Customers who have moved away, died, or ended the relationship.
- Records of employees who left the company more than a year ago.
- PII located on disused devices or in abandoned accounts.
- Instances where individuals have requested that you delete their information.
PII accumulates over time, so “cleaning house” can reduce your storage costs as well as your risk.
5. Classify PII by Confidentiality and Privacy Impacts
Not all PII is of the same level of sensitivity. For example, email lists must still be protected, but they have a much lower level of confidentiality than customer records containing credit card numbers. By classifying data according to confidentiality and impact if their privacy is compromised, you can gain a sense of what your security program needs.
6. Review and Update Safeguards That Protect Personally Identifiable Information
Review your overall security program to see what safeguards you need to update. Likewise, make sure you’re using up-to-date tools and solutions to protect PII. This includes your:
- Email service
- Antivirus and malware
- Customer management tools
- Information security management software
7. Update Your Security Policies
With the rollout of enhanced data privacy laws, your policies may need a review. Take a moment to review the foundation for protecting PII: your internal security policies. Policies that include best-practice security controls, from trusted frameworks like SOC 2 or CIS, help ensure that the information you store and process stays say. These policies also create a structure for your employee awareness training around the collection, storage, encryption, de-identification, and deletion of PII.
Keep Your Data Protected No Matter What
Protecting PII should be central to your information security program. Your customers expect you to protect their PII no matter what. With these seven steps, you can build a solid security strategy that meets or exceeds their expectation.
Do you need a strategy to protect PII at your company?