You Need More than Technology to Protect Personally Identifiable Information

Personally identifiable information (PII) is the holy grail when it comes to cybercrime. Hackers know PII can be sold easily on the dark web or used to commit identity theft. Healthcare and tax-related information is particularly valuable as it enables criminals to commit fraud over a long period of time without getting caught.

While more organizations have invested in security technology to reduce the risk of PII exposure, there is no technology that will prevent every data breach. However, organizations can significantly improve their security posture by taking the time to understand PII and re-evaluate how this sensitive data is managed and protected.

PII refers to any information that can be used to distinguish or trace a person's identity, either on its own or when combined with other information that is linked or linkable to that person. Some data points identify you by themselves: a full name, home address, Social Security number, or driver's license number. Others identify you only in combination: a first or last name plus an employer is often enough to single out one person, so such quasi-identifiers have to be treated as PII as well.

PII is often discussed in the context of industry and government regulations. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates to protect protected health information (PHI), which includes not only identifiers but also a patient's medical records, treatment and services received when they are tied to those identifiers. Similarly, any organization that stores, processes or transmits payment card data must protect it according to the Payment Card Industry Data Security Standard (PCI DSS).

The European Union (EU) General Data Protection Regulation (GDPR), which took effect in May 2018, takes data privacy rules to a different level and gives individuals more control over their personal data than ever. Any organization that processes the personal data of people in the EU, wherever that organization is based, must have the right technology, procedures and personnel to protect that data or face fines of up to 4 percent of annual global turnover or 20 million euros, whichever is higher.

One reason organizations struggle to protect PII is that individual users often store it on their own devices and in their own accounts. Protecting data at the organizational level according to increasingly strict standards is hard enough; enforcing the same standards at the user level is a different set of challenges. For example, Oregon State University recently disclosed a data breach that exposed the PII of 636 students and their families. The data was sitting in an employee's email account, which was hacked, so none of the controls applied to the systems of record protected it. Ongoing user training focused on data security, especially PII, is critical to avoiding similar incidents, and it works best paired with controls that limit the damage when an account is compromised anyway: multi-factor authentication on email, retention limits on mailboxes, and a rule that PII belongs in the system of record rather than in attachments.

Another problem is poor data management practice. A Netwrix survey found that 32 percent of healthcare organizations store sensitive data, including PII, in the cloud, but many lack the resources to keep that data secure. In fact, none of the respondents had classified their cloud data, which means PII gets the same handling as everything else stored there. That matters because access restrictions, encryption and monitoring can only be targeted at data someone has labeled; unclassified PII is protected only as well as the least sensitive file beside it.
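A minimal classification pass of the kind the survey finds missing, as an added example (this is not Netwrix's tooling and does not come from the original article): it scans constructed sample records for a few US-centric direct identifiers, filters the usual false positives with SSA issuance rules and the Luhn check, and assigns a handling label so that PII is no longer treated like everything else. The regexes, label scheme, sample records and the `scan` inventory function are all assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed, US-centric patterns for a few direct identifiers. A production
# classifier would add locale-specific formats (national IDs, IBANs, MRNs, ...).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # "ssn", "card" or "email"
    value: str


@dataclass
class Classification:
    label: str                                   # "restricted", "confidential" or "internal"
    findings: list[Finding] = field(default_factory=list)


def find_pii(text: str) -> list[Finding]:
    """Return every identifier found in a record, after false-positive filtering."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(0)))
    return findings


def classify(text: str) -> Classification:
    """Map findings to a handling label (the label names are an assumed scheme)."""
    findings = find_pii(text)
    kinds = {f.kind for f in findings}
    if "ssn" in kinds or "card" in kinds:
        label = "restricted"        # regulated identifiers: encrypt, restrict, log access
    elif "email" in kinds:
        label = "confidential"      # identifies a person alone or combined with other data
    else:
        label = "internal"
    return Classification(label, findings)


# Constructed sample records standing in for rows exported from a cloud store.
# 078-05-1120 and 4111 1111 1111 1111 are well-known non-live test values.
SAMPLE_RECORDS = [
    "Quarterly roadmap review notes, no customer data",
    "Patient intake: Jane Doe, SSN 078-05-1120, MRN 44873",
    "Refund to card 4111 1111 1111 1111 exp 09/27",
    "Vendor contact: jdoe@example.com, renewal in Q3",
    "Order ref 1234-5678-9012-3456 shipped",                 # PAN-shaped but fails Luhn
    "Placeholder employee SSN 000-12-3456 in template",      # area 000 is never issued
]


def scan(records: list[str]) -> dict[str, int]:
    """Count records per label; this inventory is where a classification effort starts."""
    counts: dict[str, int] = {}
    for rec in records:
        label = classify(rec).label
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        c = classify(rec)
        print(f"{c.label:12} {[f.kind for f in c.findings]}  {rec}")
    print(scan(SAMPLE_RECORDS))
```

Two of the six constructed records look like PII but are not (a Luhn-failing order reference and a template SSN with an unissued area number); without those filters a classifier floods reviewers with false positives and gets switched off, which is how data ends up unclassified in practice. The labels are only useful once a control is tied to each one, for example encryption and access logging for anything marked restricted.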

The number of PII records exposed rose 126 percent from 2017 to 2018, to more than 446 million. Organizations need to do better, not just by investing in technology but by improving PII management and user training. Let us help you improve your data management strategy and develop a security training program that reduces the risk of PII exposure.