PII, or Personally Identifiable Information, is any information that directly or indirectly identifies an individual, such as name, address, payment information, or contact information. The U.S. The Department of Homeland Security defines a second category of PII: Sensitive PII, which includes Social Security Numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, biometrics, and criminal history.
Why do criminals want your PII?
PII is especially attractive to cybercriminals, who can steal and sell PII on the black market. It’s a lucrative business, criminals use PII to pay their bills with someone else’s money, create false accounts, take out false credit cards, or even engage in blackmail or extortion. Health records can also be used to receive treatment under someone else’s name, make insurance claims, and obtain prescriptions.
It’s not surprising that PII is being targeted — it’s extremely valuable. A recent investigative report found that criminals are making a lot of money for specific sorts of payment and social media data. A hacked Gmail account goes for $80 in 2021, while a cloned Mastercard and PIN might just go for $25. Paypal transfers of specific amounts from compromised accounts are worth hundreds, while other types of PII, like passport data, are worth thousands.
In fact, the Ponemon Institute found that PII is the most common sort of data stolen in data breaches over the last year. It’s also the costliest kind of record, at $180 a record.
Losing your customers’ PII can cost you something else as well — your reputation. Once customers feel they can’t trust you with their data, they might be wary of doing business with you. That’s why securing PII is so important.
12 tips for securing PII
1. Know your obligations for PII compliance
Are you legally required to meet certain standards when it comes to PII? You likely are, especially if you do business with any resident of the European Union. GDPR or the General Data Protection Regulation (GDPR) sets out several rules for storing, protecting, and disposing of personal data. Depending on where you do business, and on your industry, you may be required to meet other standards, like CCPA (the California Consumer Privacy Act), or HIPAA (the Health Insurance Portability and Accountability Act). These standards will put forth a list of controls you need to have in place in order to be compliant.
2. Thoroughly vet your third parties
Third parties are almost always a target of bad actors and cybercriminals, often because they store or process PII for their clients. When third parties are breached, however, the consequences still fall on you, so be sure you thoroughly examine their security controls during onboarding.
3. Know your PII
What PII is your company storing? Are you storing customers’ names, addresses, payment information, or any other information that might identify them? Are you asking for only what you need, or do you have information that’s superfluous? Be aware of what you have.
4. Know where PII is kept
Sometimes PII doesn’t live in one location. It might be stored in different clouds, across different departments, or even on different devices. Consider healthcare organizations, which keep payment information in one department’s database, while biometrics and medical data may be stored in other databases and devices. What data is being used? What data is being stored? And what data is in motion?
5. Know your most sensitive PII
Not all PII is created equal. Some, like social security numbers, are far more important. Classify your data so you can create a PII protection plan. How can you tell which data is more sensitive than others? Consider this question: can you immediately identify a person with just this information? If so, that data is highly sensitive.
6. Delete PII you no longer need
If you don’t need it, don’t keep it. The last thing you want is a data breach in which you’ve lost sensitive information you didn’t even need to store. If you don’t have it, no one can steal it from you.
7. Know how you’ll handle departing employees
Create a policy that governs how your departing employees handle PII. Do they still have access to PII? How and when will you remove their access to PII? Also, ensure they know the legal penalties for violating your PII policies (just in case they’re tempted to take some sensitive data with them.)
8. Make it easy for employees to report suspicious behavior
Sometimes breaches come from inside the company rather than outside. If one of your employees notices that something is going on with a coworker (maybe that coworker is stealing and selling PII) offer an easy and non-threatening way for them to report that information to you.
9. Put an Acceptable Usage Policy (AUP) in place
Do you know who has access to your data? Do they know who can access it and what it can be used for? An AUP is a way to outline who should have access to PII and what they can do with it.
10. Encrypt PII
Unencrypted PII is a breach waiting to happen, especially if that data is in transit, moving from a device to the cloud, or the other way round. Always use strong encryption on your PII.
11. Don’t give more permissions to users than they need
If an employee or a third-party doesn’t need access to PII, don’t grant them access. While many breaches are caused by malicious attacks, many more are caused by insiders, often by accident. If an employee doesn’t have access to certain data, they can’t accidentally share it.
12. Protecting PII is everyone’s job
Make sure your employees and third parties know what PII is, how it should be stored, and when it should be disposed of. Train them to spot suspicious activity and teach them how to respond if they notice a breach.
How can SecurityScorecard help?
These days, every organization is in the data business, no matter what product or service they actually produce. By protecting your customers’ PII, you’re protecting both them and your organization from the predations of cybercriminals.
SecurityScorecard’s ratings help you see, at a glance, the strength of your security controls as well as those of your third parties and partners. Our scores are based on an A-F scoring scale that quickly shows you where vulnerabilities have been detected and which need to be prioritized first. Our ratings cover a variety of security factors, like endpoint security, network vulnerabilities, and patching cadence. By being able to identify your organization’s weaknesses at a glance, you can keep your customers’ PII safe and secure.