Data is critical in driving innovations, scientific breakthroughs, and key business decisions. Data is not only growing in volume due to the huge number of sources it is coming from, such as social media, bank transactions, or sensor data, but it is also increasing in complexity.
As data grows in size and complexity, it further gives rise to an increased number of cyber breaches and other security threats, such as unauthorized access, data leaks, or insider attacks. Due to the security and privacy concerns of users, international regulatory bodies have enacted laws to protect customers’ data and their privacy.
Personally Identifiable Information (PII) is among the types of data, alongside financial data, business data, and technical data, that major data privacy laws cover. PII is akin to a jigsaw puzzle. Just as you need to put together different pieces of a puzzle to complete it, you need different pieces of PII to get a complete picture of an individual. And that is how you can potentially identify an individual.
Read on to learn more about personally identifiable information, why it must be protected, what challenges organizations face while protecting it, and the important controls businesses must consider to secure PII.
Personally Identifiable Information (PII) is often used as legal terminology. You may find different definitions of PII in various legal texts, but generally they all come down to a piece of information that can potentially distinguish, identify, or trace an individual, such as name, social security number, fingerprint data, home address, birthplace, birth date, geo-location, bank account number, etc.
Generally, organizations use PII alone or in combination with other sets of identifiers to identify an individual. For example, with just the name “Eric”, one cannot trace a specific individual. To trace Eric, it is important to use multiple identifiers, such as Eric’s geographic location, social security number, and biometric data, to name a few.
PII can be maintained in either print or any other digital or electronic format. Many organizations have specific policies and procedures in place to protect PII, and there are also laws and regulations that govern the collection, use, and sharing of PII, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
PII can further be categorized into sensitive PII or non-sensitive PII, as both categories require different treatments.
Non-sensitive PII is any PII that is usually available and accessible to the public through individuals’ social media profiles, address books, or other public records. More importantly, non-sensitive PII cannot be used directly or alone to identify an individual and is therefore not deemed confidential on its own. However, it still needs to be protected to prevent misuse, since it can trace or distinguish one individual from another when it is used with other identifiers.
Some examples of non-sensitive PII include:
Note that, depending on the circumstances and context, PII that is generally considered non-sensitive can become sensitive if it can be used in combination with other information to identify a person indirectly.
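The jigsaw effect described above can be measured. The following is an added example, not part of the original article: it counts how many records share each combination of non-sensitive attributes, using constructed records and an assumed choice of quasi-identifiers (`first_name`, `zip`, `birth_year`).

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). Treating these three
# attributes as quasi-identifiers is an assumption of this example.
RECORDS = [
    {"first_name": "Eric",  "zip": "94107", "birth_year": 1985},
    {"first_name": "Eric",  "zip": "94107", "birth_year": 1990},
    {"first_name": "Eric",  "zip": "10001", "birth_year": 1985},
    {"first_name": "Maria", "zip": "94107", "birth_year": 1985},
    {"first_name": "Maria", "zip": "10001", "birth_year": 1990},
    {"first_name": "Eric",  "zip": "10001", "birth_year": 1990},
]
QUASI_IDENTIFIERS = ("first_name", "zip", "birth_year")


def smallest_group(records, attrs):
    """Return k, the size of the smallest group of records sharing the same
    values for attrs. k == 1 means at least one person is singled out."""
    groups = Counter(tuple(r[a] for a in attrs) for r in records)
    return min(groups.values())


def unique_fraction(records, attrs):
    """Fraction of records that are the only one with their attrs values."""
    groups = Counter(tuple(r[a] for a in attrs) for r in records)
    singled = sum(1 for r in records if groups[tuple(r[a] for a in attrs)] == 1)
    return singled / len(records)


def risk_report(records, attrs=QUASI_IDENTIFIERS):
    """Evaluate every non-empty combination of attrs, smallest first."""
    report = {}
    for n in range(1, len(attrs) + 1):
        for combo in combinations(attrs, n):
            report[combo] = (smallest_group(records, combo),
                             unique_fraction(records, combo))
    return report


if __name__ == "__main__":
    for combo, (k, frac) in risk_report(RECORDS).items():
        print(f"{' + '.join(combo):35s} k={k}  unique={frac:.0%}")
```

No single attribute isolates anyone in this sample, every pair singles out a third of the records, and all three together make every record unique.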
Sensitive PII is a type of information that is not publicly accessible or available. In fact, if sensitive PII is exposed to any unauthorized user, such as via a security breach, it may put the data owner at serious risk of harm. Therefore, global data protection laws and industry standards require businesses to ensure that sensitive PII is always legally, ethically, and technically protected, whether it is in transit or at rest. For example, businesses should encrypt or mask sensitive data if such data is shared with a vendor or any third-party contractor for any business purpose.
Sensitive PII can be used directly or alone to identify an individual easily. Examples of sensitive PII may include:
While all PII refers to information that can be used to identify a specific individual, not all PII is considered sensitive. Sensitive PII refers to information that, if disclosed or accessed without authorization, could harm an individual or create a risk of identity theft or other negative consequences.
Globally, regulatory bodies are introducing, proposing, and enacting data privacy laws to create and establish guidelines for businesses to protect the personal information they collect, process, share or sell. Every data protection law provides a distinct set of principles regarding specific PII elements under personal data. For instance, it is imperative for businesses to not further retain any type of information on their users if that information has fulfilled the purpose for which it was collected and processed. The law then further outlines whether to delete the PII, anonymize it, or archive it. Some laws even guide how long you should retain users’ personal information.
Another great example of data protection laws is the regulation concerning collecting, processing, and sharing sensitive PII. Most data protection laws do not encourage businesses to collect sensitive personal information of users unless consent is obtained or it is necessary for the purposes of public interest, law enforcement action, etc.
Similarly, GDPR requires that collection and processing of sensitive PII must meet a higher standard of legal justification than other types of data. Organizations must have a legal basis to collect and process sensitive PII, such as getting explicit consent from the data subject, compliance with a legal obligation, protection of the vital interests of the data subject or another person, performance of a task carried out in the public interest or in the exercise of official authority, or the legitimate interests of the controller or a third party.
Non-compliance with data protection laws could result in not only monetary loss but also a bad business reputation in the industry as well as loss of customer trust.
Cybercriminals are always looking for personal information that an organization collects, be it a healthcare institution or a commercial business, to use for malicious purposes such as identity theft, spear-phishing, and ransomware attacks, and to gain financial and other benefits from it. Cybercriminals are now more equipped than ever to carry out complex data breaches in which an organization could lose a high volume of users’ personal data, as in the 2013 Yahoo data breach.
These are some of the critical reasons why it is essential for businesses to discover PII, especially sensitive PII, across their data landscape to establish appropriate security and governance controls to protect it.
There are a number of risks associated with the collection, processing, and sharing of personally identifiable information. However, specific risks may depend upon the sensitivity of the PII and the data protection regulation pertinent to it. Regardless, here are some of the common security, privacy, governance, and compliance risks linked to PII.
Globally, businesses are moving their operations to the cloud infrastructure. Cloud brings a boatload of opportunities and benefits to organizations. For instance, the cloud allows better scalability, reduced cost, and global footprints. However, organizations still find it challenging to adopt. The challenge is often linked to the complexity of cloud implementation, but it also relates to how efficiently and effectively the organization manages its PII. Here are some challenges that businesses face when protecting PII in the multi-cloud.
To enable increased protection of PII and to meet data protection compliance requirements, it is essential for organizations to have appropriate controls around their data. Following are some of the must-have controls that businesses need to have in place for effective PII management, protection, and compliance.
Identifying PII across the data landscape must be the primary responsibility of any business. Therefore, set up policies around discovering PII elements stored in data systems, applications, or databases. Automate the discovery policy so that new PII is discovered and inventoried during data ingestion.
Data classification and cataloging are amongst the core elements of PII management, especially sensitive PII. These processes enable businesses to understand, manage, and use their data better. With classification, teams can determine the sensitivity of the data, which further enables them to consider how to protect it or where to store it. Similarly, cataloging gives a clear inventory of data and metadata to the business, allowing them to use it effectively, retrieve it, or analyze it.
Businesses must gain a bird’s eye view of the misconfigurations in their multi-cloud environment. Automate remediation for misconfigurations that do not need manual handling, and set up manual guidelines for complex misconfigurations. Furthermore, a centralized alert system can enable teams to be notified of misconfigurations as they happen and resolve them on time.
Data governance is the core part of data management to effectively use data and make sure it is of high quality, accurate, and reliable. Optimize the governance framework keeping in view the types of sensitive data in the environment so data teams can establish appropriate policies and rules regarding data quality, cataloging, and lineage.
Set up a detection engine that identifies who is accessing sensitive data, from which geographies, and how much data they access. Set up user- or role-based access policies and restrict them to least-privilege access. This gives teams the minimum level of access they need to get the job done.
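A minimal version of such an access review, as an added example that is not from the original article: the log entries are constructed, and the policy format, table names, and thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed access-log entries: (user, role, table, source country, rows read).
ACCESS_LOG = [
    ("alice", "support",   "customers_pii", "US", 40),
    ("alice", "support",   "customers_pii", "US", 35),
    ("bob",   "analyst",   "customers_pii", "US", 12000),
    ("carol", "support",   "customers_pii", "RO", 20),
    ("dave",  "marketing", "customers_pii", "US", 5),
    ("bob",   "analyst",   "orders",        "US", 90000),
]
# Hypothetical least-privilege policy per sensitive table: which roles may
# read it, from which countries, and how many rows per user per review window.
POLICY = {
    "customers_pii": {"roles": {"support", "analyst"},
                      "countries": {"US"},
                      "max_rows": 1000},
}


def review(log, policy=POLICY):
    """Return sorted (user, table, reason) findings for sensitive tables."""
    findings = set()
    volume = defaultdict(int)
    for user, role, table, country, rows in log:
        rule = policy.get(table)
        if rule is None:  # table is not classified as sensitive
            continue
        if role not in rule["roles"]:
            findings.add((user, table, "role not permitted"))
        if country not in rule["countries"]:
            findings.add((user, table, "unexpected geography"))
        volume[(user, table)] += rows  # volume is judged per user, not per query
    for (user, table), total in volume.items():
        if total > policy[table]["max_rows"]:
            findings.add((user, table, "volume above threshold"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(ACCESS_LOG):
        print(finding)
```

Volume is summed per user across the window, so many small reads that add up to a bulk export are caught as well as one large query.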
Set up table-based dynamic masking policies for sensitive data that is required to be shared externally or internally with teams that don’t require access to sensitive data.
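The discovery, classification, and masking controls above can be combined at ingestion. This is an added example, not Securiti's code or any product's behavior: the detectors, the sensitivity labels, and the sample record are assumptions made for illustration.

```python
import re

# Detectors and sensitivity labels are assumptions of this example; a real
# policy takes them from the organization's own classification scheme.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed record, as it might arrive at ingestion (no real data).
SAMPLE = {"note": "SSN 123-45-6789 on file", "card": "4111 1111 1111 1111",
          "contact": "eric@example.com", "order_id": "1234567890123456"}


def luhn_ok(number):
    """Luhn checksum: discards digit runs that are not card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(value):
    """Return (pii_type, sensitivity, matched_text) for each hit in value."""
    found = [("ssn", "sensitive", m.group()) for m in SSN_RE.finditer(value)]
    found += [("payment_card", "sensitive", m.group())
              for m in CARD_RE.finditer(value) if luhn_ok(m.group())]
    found += [("email", "non-sensitive", m.group())
              for m in EMAIL_RE.finditer(value)]
    return found


def mask(text):
    """Mask every digit except those in the last four characters."""
    return re.sub(r"\d", "*", text[:-4]) + text[-4:]


def ingest(record, inventory):
    """Inventory each PII hit by field; return a copy with sensitive hits masked."""
    shared = {}
    for field, value in record.items():
        for pii_type, level, text in discover(str(value)):
            inventory.append({"field": field, "type": pii_type, "level": level})
            if level == "sensitive":
                value = str(value).replace(text, mask(text))
        shared[field] = value
    return shared
```

The Luhn check keeps the 16-digit `order_id` out of the inventory, which is the kind of false positive that pattern-only discovery produces on identifiers and timestamps.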
Drill deep down to specific data elements that are compromised. Map the affected data to the precise individuals that were impacted by the data breach. Create regulatory guidelines for specific regulations to create relevant breach notification policies.
Organizations often establish all these important controls around their data in departmental silos using varying tools. Consequently, this creates data inconsistency, integration difficulties, collaboration challenges, added operational costs, and even security risks.
Organizations must strive to centralize these controls, enabling different departments to access, use, and analyze PII via a unified set of tools. Securiti DataControls Cloud is pioneered to deliver that unified control for increased efficiency, collaboration, data protection, and compliance.