Personally identifiable information (PII) is any data that can be used to identify a specific individual. Along with the more traditional types of PII—such as name, mailing address, email address, date of birth, Social Security number and phone number—the scope of what is considered PII has broadened to now include IP addresses, login IDs, personally identifiable financial information (PIFI) and even social media posts.
This broad definition of PII creates security and privacy challenges that organizations collecting, processing and storing PII must consider. To help simplify it, PII can be broken down into two categories: sensitive and non-sensitive. Non-sensitive PII can be easily gathered from public records—such as an individual’s ethnicity, gender, or zip code. This type of data is often readily available and if transmitted without encryption, likely does not cause any harm to the individual.
Sensitive PII—such as passport, driver’s license or Social Security numbers—however, requires encryption in transit as well as at rest to prevent harm being caused to the individual if their PII ends up in the wrong hands. Encrypting PII can save individuals from damaged credit and identity theft, and can shield your organization from lost revenue, noncompliance fines or reputational damage.
Understanding the Risk of Unsecured PII
Every single organization stores and uses PII, either on their employees or customers. Take for example a mortgage lending company. The company must collect and process PII in order to process loans. To collect that PII, their customers are likely sending it using multiple legacy methods—fax, FTP or email. Without encryption, these methods do not provide the data privacy, ownership and visibility needed to give customers a positive experience. What’s more, it puts the organization at risk of a breach and of not meeting compliance standards.
As organizations collect, process and store PII they must also accept responsibility for protecting this sensitive data. After all, data breaches can occur at all levels of organizational sophistication—take for example the recent First American breach—but the impacts on the organization are often the same: breaches are costly, time-consuming and damaging.
Limiting your organization’s risk of exposure to potential threats extends beyond protection against malicious attack though. One careless employee can result in PII being shared with unauthorized recipients. Regardless of how the data is lost, the responsibility still falls on your organization’s shoulders.
6 Steps to Start Securing PII Today
Because PII is so attractive to bad actors who can sell it on the black market for a pretty penny, it is imperative that no matter the manner in which your business uses it, you secure inbound PII at all times. Failure to do so leaves you exposed and at risk of attacks, heavy fines and loss of customer trust. Here are seven practical steps you can take to begin securing inbound PII today:
- Identify the PII your organization uses. Begin by identifying all the PII your company collects, processes and uses. Once you identify it, you can start planning your security and privacy strategy for protecting it.
- Locate where PII is stored. PII data could be stored in any number of locations such as servers, on the cloud or even employee laptops. Be sure to consider the three data states: Data in-use, at-rest and in-motion. This will help you better understand the various systems you need to protect.
- Classify PII in terms of sensitivity. Once you’ve identified and located all PII, grade it by the likelihood of being compromised and the possible consequences of the data being exposed. This helps you prioritize which data and systems to protect first.
- Establish an acceptable usage policy. If you don’t already have one, you should get an acceptable usage policy (AUP) in place for accessing PII. This policy defines who can access PII and the acceptable way(s) to use it. This policy can serve as a jumping-off point for building technology-based controls to reinforce proper PII access and usage.
- Implement an encryption solution. Seek out a solution that minimizes reliance on trust. Data-centric encryption will protect your organization’s PII from internal and external risks, and put customers at ease when you ask for their most sensitive data.
- Back up your solution with training. No matter how good your encryption solution is, it is only as good as the individuals using it. Be sure to train employees frequently on any technology updates as well as evolving threats. Customers should also be familiar with how to effectively use your encryption solution. Remember, user-friendly encryption software will help boost user adoption.
Encrypting PII for Ultimate Security
For organizations that need to secure inbound PII, data-centric encryption is a crucial best practice for keeping it protected as it’s shared within your organization and beyond. You will also need the right set of controls. For instance, if you take that same mortgage company example: having the ability to restrict access to fewer people over the lifetime of a loan application is necessary to ensure compliance with the upcoming CCPA.
Protecting PII isn’t just about compliance though. By placing an emphasis on data security and privacy, you can facilitate improved customer experience and streamline communications while protecting their privacy. Not only does this help boost customer loyalty and trust, but it helps in future-proofing your tech investments against evolving requirements.
Virtru provides the data-centric protection that organizations need to secure inbound PII. With Virtru, implementing an encryption solution is simple and hassle-free, integrating directly with your existing applications and providing seamless protection. It’s also easy to adopt, ensuring that the security will be fully implemented throughout your organization.
Now, with the ability to embed the Virtru Data Protection Platform into your organization’s custom applications, you can leverage industry-tested persistent encryption and access controls to secure inbound PII, all without any added burden for your Engineering team. Learn more about the Virtru Developer Hub here.