What is PII?
PII, according to the U.S. Office of Management and Budget, is any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person.
It consists of a broad range of information that can identify individuals, including Social Security numbers, driver’s license numbers, credit card numbers, bank account numbers, health and insurance records, and much more. Unless your company only accepts cash payments and keeps no payroll-related data about its employees, it has PII it needs to protect.
Most consumers are careful about disclosing their personal information. But once the information is given to an outside organization, it becomes incumbent on the holder of that PII to be vigilant about its use and access.
According to research cited by the U.S. Government Accountability Office (the figure comes from Latanya Sweeney's re-identification work), 87% of the U.S. population can be uniquely identified from just three fields: gender, date of birth and five-digit ZIP code. So it's not only the most obvious types of PII, such as Social Security numbers or credit/debit card data, that require protection; fields that look harmless on their own become identifying in combination.
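The point above, that individually harmless fields become identifying in combination, can be measured on a dataset before it is shared or published. The following is an added example, not code from the original article: it runs over a small constructed set of fictional records and, for a chosen set of quasi-identifier columns, reports what share of rows are unique and the smallest group size (k-anonymity), then shows how an attacker who knows a target's gender, date of birth and ZIP code narrows the table down to that person. All names, records and function names are constructed for illustration.

```python
"""Re-identification from quasi-identifiers: constructed example, not from the original article."""
from collections import Counter
from typing import Callable, Dict, Hashable, List, Sequence

Record = Dict[str, str]
KeyFn = Callable[[Record], Hashable]

# Constructed sample records (fictional people). 'name' stands in for the
# sensitive attribute an attacker learns once a row is tied to a real person.
RECORDS: List[Record] = [
    {"name": "A. Able",    "gender": "F", "dob": "1975-03-14", "zip": "02139"},
    {"name": "B. Baker",   "gender": "M", "dob": "1975-03-14", "zip": "02139"},
    {"name": "C. Charlie", "gender": "F", "dob": "1982-11-02", "zip": "02139"},
    {"name": "D. Dog",     "gender": "F", "dob": "1982-11-02", "zip": "02139"},
    {"name": "E. Easy",    "gender": "M", "dob": "1990-07-23", "zip": "10001"},
    {"name": "F. Fox",     "gender": "M", "dob": "1990-07-23", "zip": "10002"},
    {"name": "G. George",  "gender": "F", "dob": "1961-01-30", "zip": "94110"},
    {"name": "H. How",     "gender": "F", "dob": "1961-05-09", "zip": "94110"},
]


def key_on(*fields: str) -> KeyFn:
    """Build a key function that projects a record onto the given columns."""
    return lambda r: tuple(r[f] for f in fields)


def generalized_key(r: Record) -> Hashable:
    """Coarsen the quasi-identifiers: DOB to birth year, ZIP to its 3-digit prefix."""
    return (r["gender"], r["dob"][:4], r["zip"][:3])


def equivalence_class_sizes(records: Sequence[Record], key_fn: KeyFn) -> List[int]:
    """For each record, how many records share its quasi-identifier values."""
    keys = [key_fn(r) for r in records]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def uniquely_identifiable_fraction(records: Sequence[Record], key_fn: KeyFn) -> float:
    """Share of records whose quasi-identifier combination occurs exactly once."""
    sizes = equivalence_class_sizes(records, key_fn)
    return sum(1 for s in sizes if s == 1) / len(sizes)


def k_anonymity(records: Sequence[Record], key_fn: KeyFn) -> int:
    """Smallest equivalence class; k == 1 means at least one person is singled out."""
    return min(equivalence_class_sizes(records, key_fn))


def re_identify(records: Sequence[Record], known: Record) -> List[str]:
    """Names of every record matching what an attacker already knows about a
    target (e.g. gender, DOB and ZIP from a voter roll or a social-media profile)."""
    return [r["name"] for r in records
            if all(r.get(f) == v for f, v in known.items())]


if __name__ == "__main__":
    for label, fn in [("gender only", key_on("gender")),
                      ("ZIP only", key_on("zip")),
                      ("DOB only", key_on("dob")),
                      ("gender+DOB+ZIP", key_on("gender", "dob", "zip")),
                      ("generalized", generalized_key)]:
        print(f"{label:16s} unique={uniquely_identifiable_fraction(RECORDS, fn):.2f} "
              f"k={k_anonymity(RECORDS, fn)}")
    print(re_identify(RECORDS, {"gender": "F", "dob": "1975-03-14", "zip": "02139"}))
```

On these constructed rows no single column singles anyone out (at most a quarter of rows are unique on ZIP or DOB alone, none on gender), but the three together isolate six of the eight people, which is the same effect the 87% figure describes at national scale. Coarsening DOB to birth year and ZIP to a 3-digit prefix cuts the unique rows to two, yet k stays at 1, so generalization alone is not a release criterion: singleton groups still need to be suppressed, and the quasi-identifier columns themselves need the same access controls as the obvious PII.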
Consequences of not protecting PII
The cost of losing PII to carelessness or theft goes beyond dollars or euros. For organizations that misuse PII or allow it to leak out of their systems, the negative publicity, loss of customer trust, lost business and legal costs can be severe:
- Retailer TJX lost an estimated 94 million customer records in a breach that continued for more than a year. The company set aside $170 million to cover costs, including multiple lawsuits.
- Heartland Payment Systems disclosed in 2009 what was then the largest data breach on record, compromising about 130 million credit and debit card numbers. Heartland committed up to $8 million to settle lawsuits.
- The U.S. Department of Veterans Affairs lost records on more than 26 million people in 2006 when an unencrypted laptop and external hard drive carrying the PII were stolen from an employee's home.
- A major UK cellular provider lost tens of thousands of customer records when a rogue employee stole and sold them to a competitor.
- Health Net of the Northeast Inc. lost a hard drive holding seven years' worth of unencrypted personal, financial and medical information on about 1.5 million members and network physicians. It agreed to pay for two years of credit-monitoring services for those affected.
The media rarely miss an opportunity to report on such incidents—the dreaded “CNN moment” for affected organizations. Employee morale also takes a hit from the work involved in fixing and recovering from a serious data breach incident.
Questions for developing PII acceptable use policies (AUPs)
- Who needs access to PII to do their jobs?
- What regulatory mandates must your company comply with?
- What are your current vulnerabilities?
- What data can be transferred within the organization, and what can be sent outside to third parties?
- What rules and permissions for data transfer does your organization have or need?
- Is encryption required before data can be transmitted or stored on portable devices?
- Who is authorized to change or update the AUP?