Personally identifiable information (PII) is everywhere. You can't escape or ignore it. Regardless of your industry, or the size of your company, you almost certainly have PII that needs to be protected.
The definition of PII is any data that can be used to identify a specific individual. Along with the more traditional types of PII—such as name, mailing address, email address, date of birth, Social Security number and phone number — the scope of what is considered PII has broadened to include IP addresses, login IDs, personally identifiable financial information (PIFI) and even social media posts.
What Are the 2 Types of PII?
This broad definition of PII creates security and privacy challenges that organizations collecting, processing and storing PII must consider. To help simplify it, PII can be broken down into two categories: sensitive and non-sensitive.
- Non-sensitive PII can be easily gathered from public records—such as an individual’s ethnicity, gender, or zip code. This type of data is often readily available and if transmitted without encryption, likely does not cause any harm to the individual.
- Sensitive PII—such as passport, driver’s license, or Social Security number— is another story. It requires encryption in transit as well as at rest to prevent harm being caused to the individual if their PII ends up in the wrong hands. Encrypting PII can save individuals from damaged credit and identity theft, and can shield your organization from lost revenue, noncompliance fines or damage to your reputation.
Unsecured PII Risks and Consequences
Every single organization stores and uses PII, whether it's employee PII from onboarding and information housed in HR and finance) or customer PII in Salesforce or Zendesk CRM software.
Take for example a mortgage lending company. The company must collect and process PII in order to process loans. To collect that PII, their customers may be sending their data using legacy or consumer-oriented methods — fax, FTP, or email. Without encryption, these methods do not provide the data privacy, ownership and visibility needed to give customers a positive experience, or peace of mind that their highly sensitive financial records and PII are being protected. What’s more, it puts the organization at risk of a breach and of not meeting compliance standards like GLBA, FINRA, SOX, and other regulations.
As organizations collect, process and store PII, they must also accept responsibility for protecting this sensitive data. After all, data breaches can occur at all levels of organizational sophistication—from major credit reporting bureaus to small banks — and the impacts on the organization are often the same: breaches are costly, time-consuming and damaging.
Limiting your organization’s risk of exposure to potential threats extends beyond protection against malicious attack though. One careless employee can result in PII being shared with unauthorized recipients. Regardless of how the data is lost, the responsibility still falls on your organization’s shoulders.
Best Practices for PII Security: 6 Simple Steps
Because PII is so attractive to bad actors who can sell it on the black market for a profit, it is imperative that no matter the manner in which your business uses it, you secure inbound PII at all times. Failure to do so leaves you exposed and at risk of attacks, heavy fines, and loss of customer trust.
Here are six practical steps you can take to begin securing inbound PII for stronger security:
1. Identify the PII your organization uses.
Begin by identifying all the PII your company collects, processes and uses. Once you identify it, you can start planning your security and privacy strategy for protecting it.
2. Locate where PII is stored, and where it moves.
PII data could be stored in any number of locations such as servers, on the cloud or even employee laptops. If you're using CRM software or SaaS apps to manage customer records, you're almost certainly sending, receiving, and storing PII via these systems.
Be sure to consider the three data states: Data in-use, at-rest and in-motion. This will help you better understand the various systems you need to protect. After all, data often needs to move and is often shared, both internally and externally. Take this external data sharing into account when assessing your PII usage.
3. Classify PII in terms of sensitivity.
Once you’ve identified and located all PII, grade it by the likelihood of being compromised and the possible consequences of the data being exposed. This helps you prioritize which data and systems to protect first.
4. Govern access to PII and establish an acceptable usage policy.
Just because you manage PII, doesn't mean every employee has the right to access it. If you don’t already have one, you should get an acceptable usage policy (AUP) in place for accessing PII. This policy defines who can access PII and the acceptable way(s) to use it. This policy can serve as a jumping-off point for building technology-based controls to reinforce proper PII access and usage. Furthermore, for sensitive data like customer payment information and social security numbers, you need to make sure you're using attribute-based access controls wherever possible, to ensure you're not granting unnecessary access — and taking on unnecessary risk.
5. Implement an encryption solution.
Seek out a solution that minimizes reliance on trust. (If you've heard the cybersecurity term Zero Trust, that's what this refers to — not extending unearned trust to any individual, device, or system trying to access sensitive data.) Data-centric security will protect your organization’s PII from internal and external risks, and put customers at ease when you ask for their most sensitive data.
6. Back up your solution with training.
No matter how good your encryption solution is, it can only be effective if people actually use it. Be sure to train employees frequently on any technology updates as well as evolving threats. Customers should also be equipped with secure ways to share information with you: Solutions like Virtru Secure Share give them a user-friendly, safe way to send encrypted information to your team. Remember, user-friendly encryption software will help boost user adoption.
Protect PII for Compliance and Data Security
For organizations that need to secure inbound PII, data-centric encryption is a crucial best practice for keeping it protected as it’s shared within your organization and beyond. You will also need the right set of controls. For instance, if you take that same mortgage company example: Having the ability to restrict access to fewer people over the lifetime of a loan application is necessary to ensure compliance with CCPA and other compliance regulations.
Protecting PII isn’t just about compliance, though. By placing an emphasis on data security and privacy, you can facilitate improved customer experience and streamline communications while protecting their privacy. Not only does this help boost customer loyalty and trust, but it helps in future-proofing your tech investments against evolving requirements.
Easily Encrypt PII with Virtru
Virtru provides the data-centric protection that organizations need to secure inbound PII, however it flows into your organization — and outbound PII that needs to be shared externally.
Virtru's data security solutions integrate with the apps you already use every day, like Gmail, Google Workspace, Microsoft Outlook, Salesforce, and Zendesk, just to name a few. With Virtru, implementing an encryption solution is simple and hassle-free, integrating directly with your existing applications and providing seamless protection. It’s also fast and easy to adopt, ensuring that the security will be fully implemented throughout your organization.
Ready to get started with a quick, easy solution for PII encryption? Contact our team today. We'd love to show you what Virtru can do.
