Protecting PII – A Primer

Virtually every organization acquires, uses and stores personally identifiable information (PII) about its customers, employees, patients, students and other individuals. You’re expected to manage this private data appropriately and take every precaution to protect it from loss, unauthorized access or theft. And if you don’t, there are consequences, not just in terms of lost reputation but also fines and possible criminal prosecution.

There’s a lot to understand in the world of PII. Let’s take a look under the hood.

Protecting PII

The way data moves right now, everything is at risk in some way. Everyone, both in business and in their personal lives, is online: working, shopping, storing information. It has made us much more flexible, but it has introduced significant dangers as well. Customer records are stored online. Organizations store highly sensitive records. Patient data is stored electronically. It truly is a digital world.

Data breaches are an alarmingly common occurrence, and can be broken down into two basic types: accidental and malicious. Human error can account for much of the data loss out there, so organizations should take steps to remove the potential for innocent but potentially harmful mistakes like an email attachment sent to the wrong recipient.

The average cost of a lost or stolen record is about $150 per record, according to a 2015 report by IBM. The average consolidated total cost of a data breach (that is, what it costs to fix the cause, replace stolen devices, and pay for legal defense, disclosure costs, and fines) is $3.8 million, a 23% increase from 2013.

Defining PII

The U.S. Office of Management and Budget defines PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc."

PII consists of a broad range of information that can identify individuals, including driver’s license numbers, credit card numbers, bank account numbers, health and insurance records, and much more. Unless your company only accepts cash payments and keeps no payroll-related data about its employees, it has PII it needs to protect.

Most consumers try to be careful about disclosing their personal information. But once the information is given to an outside organization, it becomes incumbent on the holder of that PII to be vigilant about its use and access.

According to the U.S. General Accounting Office, 87% of the U.S. population can be uniquely identified using only gender, date of birth and ZIP code. So it's not just the most obvious types of PII—Social Security numbers or credit/debit card information—that require protection.
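One way to measure this risk in your own data, shown as an added example that is not part of the original primer: count how many records are unique on gender, date of birth and ZIP code alone, then again after coarsening those fields. The field names, the sample records and the generalization choices (birth year only, 3-digit ZIP prefix) are assumptions made for illustration.

```python
from collections import Counter

QUASI_IDS = ("gender", "dob", "zip")

# Constructed sample records (not real people). No names or ID numbers at all.
RECORDS = [
    {"gender": "F", "dob": "1984-03-12", "zip": "02139"},
    {"gender": "F", "dob": "1984-09-01", "zip": "02141"},
    {"gender": "M", "dob": "1979-11-02", "zip": "02139"},
    {"gender": "M", "dob": "1979-02-17", "zip": "02142"},
    {"gender": "F", "dob": "1991-07-30", "zip": "94107"},
    {"gender": "F", "dob": "1991-12-05", "zip": "94110"},
]

def group_sizes(records, keys=QUASI_IDS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def unique_fraction(records, keys=QUASI_IDS):
    """Fraction of records that are the only one with their combination."""
    sizes = group_sizes(records, keys)
    return sum(1 for n in sizes.values() if n == 1) / len(records)

def k_anonymity(records, keys=QUASI_IDS):
    """Size of the smallest group: each record hides among at least k others."""
    return min(group_sizes(records, keys).values())

def generalize(rec):
    """Coarsen the quasi-identifiers: keep birth year and 3-digit ZIP prefix."""
    return {"gender": rec["gender"], "dob": rec["dob"][:4], "zip": rec["zip"][:3]}

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:        ", unique_fraction(RECORDS), "unique, k =", k_anonymity(RECORDS))
    print("generalized:", unique_fraction(coarse), "unique, k =", k_anonymity(coarse))
```

A data set with a high unique fraction should be prioritized as PII even when it contains no names or account numbers.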

The cost of losing PII to carelessness or theft goes beyond dollars or euros. For organizations that misuse or allow PII data to leak out of their systems, the negative publicity, loss of customer trust, lost business, and legal costs can be severe. Retailers have seen data breaches cost hundreds of millions of dollars to repair, and the media loves to jump on incidents of lost PII. Be prepared.

Creating acceptable use policies

IT managers have an interesting task: they’ve got to balance the need to control and protect PII with making sure employees can access the data to do their jobs. You’ll need an acceptable use policy, or AUP, that defines which data is most sensitive and which employees are allowed access to it.

Tip: build a team to identify and prioritize PII. Include IT, legal, HR, and data controllers to help you navigate compliance regulation and legal obligations for PII use and storage.

There are five key steps every organization must take to begin the process of preventing data loss:

  1. Identify PII your organization must protect.
  2. Prioritize PII.
  3. Find where PII is located.
  4. Create an AUP.
  5. Educate your employees about your AUP.

Once you’ve found your PII (and it can be stored in many places and in many states of use) you’ll want to accomplish three goals with your AUP: protect your PII data, define who can access it, and establish rules for how it can be used by authorized employees.

And don’t overlook educating your employees on PII use—make them an active participant in compliance.

Choosing the right solution to protect PII

Protecting PII can’t be done with a single “silver bullet”—you’ll need multiple layers of technologies to keep your PII safe.

Encryption is integral to protecting your sensitive data. If an attack gets past antivirus, firewall, and other controls, your PII is at risk. Encryption helps ensure sensitive information is unreadable in the wrong hands.

With encryption, you’ll want full disk, removable media encryption, policy-based email encryption, as well as file share encryption and central key management and backup. You’ll also want to be able to audit your encryption status.

Threat protection, including antivirus, firewall, application, and device control, is a necessity to guard against malware, spyware, phishing attacks and other risks. A top-of-the-line technology will identify sensitive data, warn users before they send it out, remind the user of the organization’s AUP, and either allow or block the transfer and log the event.

You’ll want a solution that updates frequently to guard against new threats; stops zero-day threats with built-in host intrusion prevention system and web-based script attack detection; automatically assesses managed and guest computers for out of date security; and delivers instant visibility of security status.

Data loss prevention should be employed to prevent accidental loss by using automatic rules to scan for sensitive information sent out by email or IM or saved on storage devices.
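A minimal sketch of such an automatic rule, added here as an illustration and not taken from any product: it scans an outbound message for card numbers (validated with the Luhn checksum to cut false positives) and U.S. Social Security numbers, then allows, warns or blocks and logs a masked event. The policy (block external recipients, warn internal ones), the `example.com` domain and all function names are assumptions.

```python
import re

# Candidates: 13-19 digit card numbers (spaces or dashes allowed) and US SSNs.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject ranges never issued: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_pii(text):
    """Return (kind, masked_value) pairs; raw values never leave this function."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits

def evaluate(text, recipient, internal_domain="example.com", audit_log=None):
    """Assumed policy: PII to an external address is blocked, internal is warned."""
    hits = find_pii(text)
    external = not recipient.lower().endswith("@" + internal_domain)
    action = "allow" if not hits else ("block" if external else "warn")
    if hits and audit_log is not None:
        audit_log.append({"recipient": recipient, "action": action, "hits": hits})
    return action

if __name__ == "__main__":
    # Constructed message: a test card number, a made-up SSN, a non-card order ref.
    msg = "Card 4111 1111 1111 1111, SSN 123-45-6789, order ref 1234 5678 9012 3456."
    log = []
    print(evaluate(msg, "partner@vendor.test", audit_log=log), log)
```

Logging only masked values keeps the audit trail from becoming a second copy of the PII it is meant to protect.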

Policy compliance comprises three key elements—application control, device control and web control—that need to work together to ensure users comply with applicable policies.

  1. Application control: Unauthorized apps put your data at risk, and IT departments are continually charged with controlling the installation and use of unauthorized apps. You’ll want a security solution that detects these unauthorized apps (preferably with the same product that identifies malware so you don’t have to manage a separate product). You can support your AUPs by leveraging granular application control technology to prevent use of these applications if it's determined they create a vulnerability for data leakage. You also can configure policies for groups of endpoint computers to reflect the security requirements for specific locations or departments.
  2. Device control, in conjunction with application control, can significantly reduce your company's exposure to accidental data loss and restrict the ability of users to introduce software and malware from outside your network environment. You can establish policies that control the use of network devices and removable storage media, down to specific models and by work group or individual, which will block the ability to place PII on USB memory sticks, or burn it to CDs, or provide read-only access.
  3. Web control is an important aspect of an overall policy compliance program to prevent users from picking up malware from compromised sites. Web control can prevent infection by blocking access to known malicious and infected sites. Controlling access to the web can protect your data by preventing accidental data leakage, policing access to high-risk sites, controlling what data leaves your organization through applications, and blocking the use of insecure, anonymous proxy servers which can capture and compromise sensitive information.

For all four solutions you’ll need—encryption, threat protection, data loss prevention, and policy compliance—you’ll want to prioritize your solutions based on your risk profile to avoid straining resources. For this reason, and because it is inherently more cost efficient, look into an integrated solution. An integrated solution should simplify installation, streamline where you can go for support as needed, and save time and money.

To learn more about how Sophos can help you protect your data in one simple-to-manage solution, please visit: