Virtually every organization acquires, uses and stores personally identifiable information (PII) about its customers, employees, patients, students and other individuals. These organizations are expected to manage this private data appropriately and to protect it from loss, unauthorized access and theft. Misusing, losing or otherwise compromising this data can carry a steep financial cost and damage a business's reputation; under the complex and frequently changing regulations that govern it, a compromise can even lead to criminal prosecution. This white paper examines the challenges organizations face and the steps they can take to protect themselves and their customers against data breaches and to keep this sensitive information safe.
By John Stringer, Product Manager, Sophos
Protecting personally identifiable information
What data is at risk and what you can do about it
Not so long ago, the most common way people protected their personally identifiable information (PII) was to pay for an unlisted telephone number. Today there are many types of PII that need protecting, with credit card information one of the most common (see Table 1). Customer records are processed and stored electronically in databases. And it's not just businesses that use and must protect PII: universities, healthcare facilities, retailers, government offices and many other organizations also acquire, process and store highly sensitive records. This use of technology has brought much greater flexibility and speed when it comes to making purchases, processing payments and managing data records. However, it has also created a growing data leakage problem that puts people's PII at risk, and with it a growing need for data leakage prevention (DLP).
In 2008, 285 million data records were compromised, according to the 2009 Data Breach Investigations Report. Data loss falls into two types: accidental and malicious. Human error or carelessness, as well as a lack of data security controls in an organization, can lead to accidental loss; it can be as simple as sending an e-mail attachment containing PII to the wrong recipient.
Malicious data breaches, on the other hand, are deliberate internal or external attacks on an organization's data systems. Regardless of how the data is lost, the cost of a breach can be huge. The average cost to companies per lost or stolen record is $204, according to the Ponemon Institute (Fifth Annual U.S. Cost of a Data Breach Study, January 2010). The average organizational cost of a data breach reached more than $6.6 million in 2008, up 46% since 2005, according to Ponemon. These costs include fixing the cause of the breach, replacing lost or stolen laptops and storage devices, legal defense costs, disclosure costs for informing consumers about the breach via letters and press releases, loss of business, and expensive fines (e.g., up to $1.5 million per year for a breach of healthcare records that violates the Health Insurance Portability and Accountability Act [HIPAA]).
Table 1. Examples of PII

| On its own | When combined with other data |
|---|---|
| Full name (if not common) | First or last name (if common) |
| National identification number | Country, state or city of residence |
| IP address (in some cases) | Age, especially if a non-specific range |
| Vehicle registration plate number | Gender or race |
| Driver's license number | Name of school attended or workplace |
| Face, fingerprints or handwriting | Grades, salary or job position |
| Credit card numbers | Criminal record |
| Digital identity | Digital identity |
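Table 1 lists credit card numbers among the identifiers that are sensitive on their own, and the accidental-loss scenario above is an e-mail attachment leaving the organization with PII inside it. As an added example that is not part of this white paper or any Sophos product, the following Python shows the kind of content check a DLP filter applies to an outbound message: it locates runs of digits that could be card numbers, confirms them with the Luhn checksum so that ticket numbers and phone numbers are not flagged, and masks the confirmed numbers before the message is released. The sample message is constructed for this example, and the regular expression, function names and masking format are assumptions of the example rather than any vendor's implementation.

```python
import re

# Constructed sample: an outbound e-mail body that accidentally carries PII.
# Two real-looking card numbers (Luhn-valid test numbers), one ticket number
# that merely looks like a card number, and one phone number.
SAMPLE_MESSAGE = """Hi Dana,
Attached is the order export. The disputed charge was on card 4111 1111 1111 1111
and the refund went to 5555-5555-5555-4444. Reference our ticket 1234 5678 9012 3456
or call +44 20 7946 0123 if anything is unclear."""

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. (Assumed pattern, tuned for this example.)
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, as digit strings in order."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a DLP quarantine or redaction step would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    print("flagged:", find_card_numbers(SAMPLE_MESSAGE))
    print(redact(SAMPLE_MESSAGE))
```

The Luhn check only removes obvious non-card digit runs; Luhn-valid numbers that are not cards do exist, so a production filter would also consult issuer (BIN) ranges and surrounding context before blocking a message, and would log the decision so that accidental leaks can be reviewed later.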