
How to Secure Personally Identifiable Information against Loss or Compromise

Protecting PII is a core requirement of many data privacy regulations and an important way to earn your customers' trust. Here are 10 steps to help ensure that your organization keeps its PII secure.
Personally identifiable information (PII) is information that can be used to locate, identify, or contact an individual. It includes data such as name, date of birth, home address, credit card details and phone number. Every company stores and uses PII, whether about its customers or its employees. Schools and universities keep PII about their students, and hospitals store patient data.

Your company's PII is attractive to attackers, who can sell it on the black market at a high price. Stolen PII can be used to commit a variety of crimes, including identity theft, fraud and social engineering attacks, so both individuals and businesses must protect it. A company that fails to secure its PII is exposed to social engineering attacks and heavy regulatory fines, and its customers may lose trust in it.
Ten steps to help your organization protect personally identifiable information from loss or compromise

1. Identify the PII in your company's stores
2. Locate all places where PII is kept
3. Define sensitivity levels for PII
4. Delete any PII that you don't need
5. Establish an acceptable use policy (AUP) for PII
6. Encrypt your PII
7. Eliminate permission errors
8. Create an employee education policy that emphasizes the importance of protecting PII
9. Create a standardized procedure for departing employees
10. Make it easy for employees to report suspicious behavior

1. Identify the PII in your company’s stores

Begin by identifying the PII that your company keeps or uses. A software vendor might hold customers' login credentials and bank details. A government agency may store PII such as social security numbers, passport details, addresses, or driver's license numbers. Once you have identified all the PII your company holds, you can begin to take steps to protect it.
2. Locate all places where PII is kept

Your company may store PII in a variety of locations, including file servers, cloud services and employee laptops. It helps to start by thinking about the three states of the data your company holds:

Data in use: data that employees are actively using to perform their jobs. It is typically held in non-persistent form, such as in RAM.
Data at rest: data that is stored or archived on laptops, in databases, on hard drives, in SharePoint and on web servers.
Data in motion: data that is moving from one place to another, for example files sent by email between employees and business partners.

When developing your PII protection program, you must consider all three states. Looking at your company's data in each state tells you where it lives, how it is used, and what protection it needs.
3. Define sensitivity for PII

You should create a data classification policy that organizes your PII according to its sensitivity. This is an essential part of PII protection. Here are some factors to consider when deciding which PII to prioritize.

Identifiability: How unique are the PII records? A single record that on its own identifies an individual is highly sensitive.
Combination data: Two or more pieces of data that do not identify anyone on their own but do identify an individual when combined.
Storage: Find out where and how your PII is stored and used. Also assess how many people have access to it and how often it is transmitted over the network.
Compliance: Depending on the type of company you work for and the industry in which you operate, different standards and regulations may apply to your PII, and these can also help you prioritize sensitive data. They may include the Payment Card Industry Data Security Standard, the General Data Protection Regulation, HIPAA and the HITECH Act (US), and the Criminal Justice and Immigration Act (UK).

After weighing the factors above, you can classify your PII by sensitivity. You should define at least three classification levels.

Restricted: Sensitive PII that could cause serious damage if it is not protected. Access is granted only on a need-to-know basis.
Private: Less sensitive than restricted data, but still capable of causing moderate damage to the company and to individuals if compromised. Only authorized users have access to this data.
Public: Data that is not sensitive and is low-risk, with few or no access restrictions.

Classifying your company's PII correctly helps you maintain compliance. Beyond compliance, data classification helps organizations organize their data and makes it easier for employees to find the information they need. It can also guide your incident response team after a security breach by telling them the extent and sensitivity of the information that was compromised.
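As an added example (not code from the original article), the following Python scanner shows how steps 1 to 3 can be automated for a record store: it detects direct identifiers in stored values, validates candidate card numbers with the Luhn checksum to cut false positives, and maps each record to the three tiers above, treating two or more quasi-identifiers as combination data. The field names, regex patterns and sample records are constructed assumptions, not formats from the article.

```python
import re
# Patterns for direct identifiers the article names; constructed for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Quasi-identifiers: identifying only in combination. Field names are assumptions.
QUASI_FIELDS = {"name", "dob", "zip", "gender", "phone"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that random digit runs are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 == parity else int(ch)  # double every 2nd from right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text: str) -> set[str]:
    """Return the kinds of direct identifiers found in one stored value."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue  # digit run that fails Luhn: not a card number
            found.add(kind)
    return found

def classify(record: dict) -> tuple[str, set[str]]:
    """Map one record to the article's tiers: Restricted, Private or Public."""
    direct = set().union(*(find_pii(str(v)) for v in record.values()))
    quasi = {k for k, v in record.items() if k in QUASI_FIELDS and v}
    if direct:
        return "Restricted", direct  # a single field identifies a person
    if len(quasi) >= 2:
        return "Private", quasi  # combination data (two or more quasi-identifiers)
    return "Public", set()

def inventory(records: list[dict]) -> dict[str, int]:
    """Count records per tier: the first output of a PII inventory of a store."""
    return {t: sum(classify(r)[0] == t for r in records) for t in ("Restricted", "Private", "Public")}

# Constructed sample store; none of these values belong to real people.
SAMPLE_RECORDS = [
    {"name": "Alex Example", "notes": "SSN 123-45-6789 on file"},
    {"name": "Sam Example", "card": "4111 1111 1111 1111"},
    {"name": "Pat Example", "dob": "1980-01-15", "zip": "90210"},
    {"zip": "90210", "ticket": "order 1234 5678 9012 3456 delayed"},
    {"product": "Widget", "price": "9.99"},
]
```

Running `inventory(SAMPLE_RECORDS)` gives two Restricted, one Private and two Public records; the fourth record stays Public because its 16-digit run fails the Luhn check.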

4. Delete any PII that you don't need

Attackers cannot steal PII that you no longer hold, so delete any PII you do not need. Delete it securely, and make sure the files are also removed from backups so that no unneeded PII remains stored anywhere.
5. Establish an acceptable use policy (AUP) for PII

If you do not already have an AUP covering access to PII, create one. Your AUP should specify who may access PII and clearly define what counts as acceptable use of it. The SANS Institute publishes a free AUP template that is a good starting point for writing your policy. The template can cover PII as well as all other sensitive company data, forming the basis of a strong data protection program. The AUP then serves as the foundation for the technical controls that govern access to PII.
6. Encrypt your PII

Encrypting your PII is not optional; it is a must. Strong encryption and sound key management are essential to ensure that PII is protected at all times. Make sure that PII is not shared over untrusted networks or uploaded to the internet. Keeping PII encrypted requires appropriate technical controls, and many tools available today can automate encryption based on your data classification.
7. Eliminate Permission Errors

Companies that lose track of who holds which access rights can leave their PII exposed to attackers. Mergers and acquisitions can also disrupt access controls. Enforce the principle of least privilege for access to sensitive data, so that employees can reach only the information they need to perform their jobs.
8. Create an employee education policy that emphasizes the importance of protecting PII

Employee education is a simple but crucial step towards protecting PII. The AUP is an important component of any employee education program: every employee should receive a copy and sign a statement acknowledging their agreement to it. Training sessions on how to access and store PII correctly are another way to protect it. An education policy on PII protection also gives employees a sense that they are part of the solution.
9. Create a standardized procedure for departing employees

Your company's PII faces many threats, both internal and external, and a disgruntled departing employee is one of the biggest. Even when a separation is amicable, an employee might be tempted to take valuable PII (or other sensitive data) with them. Here are some best practices:

Remove access: Delete all user accounts and access rights to the enterprise systems the employee used as soon as they depart.
Legal reminder: Remind departing employees of their legal responsibilities regarding PII and other sensitive data.
Confidentiality agreement: Provide a copy of the signed confidentiality agreement that covers PII and other sensitive data.

10. Employees should be able to easily report suspicious behavior

Employees should be able to report any suspicious or dangerous behavior to their manager easily. For example, an employee might take company materials or devices home in breach of the AUP, putting PII at risk; colleagues should be able to report this to management without difficulty. Employees should also watch for colleagues who take an interest in data or activities outside their job description, or who access the network or sensitive resources at odd hours.