Every business is responsible for keeping sensitive customer information private. Personally identifiable information (PII) is precious to your customers, and treating it carefully is essential to your company's reputation as a safe place to do business.
With the proliferation of identity theft today, it only takes a few pieces of information for thieves to create false accounts or even to sell identities to data brokers. If your infrastructure suffers a leak of customer data, it may significantly -- and permanently -- damage your business.
A wide variety of information is considered to be PII:
· Social security number
· Full name
· Place of residence
· Email address
· Telephone number
· Date of birth
· Passport number
· License number
· Credit/debit card number
· Log-in credentials
The list goes on -- it includes any unique data that can be used to identify a customer. That information should be treated as private and must be protected.
How to Protect and Manage PII
The first step is to identify what information your company stores that should be classified as PII. If you're a partner with schools or government agencies, PII will include social security numbers, addresses, passport details, and license numbers, and will be subject to various legal requirements.
The next step is to hunt down where all that information lives: servers, cloud services, employee laptops and desktops, and so on. Data may exist in three states: in use (e.g., stored in RAM), at rest (e.g., archived on a hard drive), and in motion (e.g., moving between nodes on a network). Once it has all been located, a data classification policy based on sensitivity can help organize the management process.
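The sketch below shows one way to locate PII in data at rest and tag it by sensitivity. It is an added example, not part of the original article. The tier names, the US-format patterns, and the sample export are assumptions constructed for illustration.

```python
import re

HIGH, MEDIUM, NONE = "high", "medium", "none"   # assumed tier names, not a standard

def luhn_ok(digits):
    """Luhn checksum: rejects most random 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(m):
    """Drop area/group/serial values that are never issued (000, 666, 9xx, 00, 0000)."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# (kind, tier, pattern, validator) -- US formats only, an assumption of this example
PATTERNS = [
    ("ssn", HIGH, re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), ssn_ok),
    ("card", HIGH, re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda m: luhn_ok(re.sub(r"\D", "", m.group()))),
    ("email", MEDIUM, re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: True),
    ("phone", MEDIUM, re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), lambda m: True),
]

def mask(value):
    """Keep only the last four characters so the report does not become a new PII store."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(text):
    """Return (line number, kind, tier, masked value) for every validated hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, tier, rx, valid in PATTERNS:
            findings += [(lineno, kind, tier, mask(m.group()))
                         for m in rx.finditer(line) if valid(m)]
    return findings

def classify(text):
    """A file takes the tier of the most sensitive item found in it."""
    tiers = {f[2] for f in scan(text)}
    return HIGH if HIGH in tiers else MEDIUM if tiers else NONE

# Constructed sample export; every value is made up for this example.
SAMPLE = """id,name,contact,notes
1,Jane Roe,jane.roe@example.test,SSN 123-45-6789 on file
2,John Doe,555-010-0199,card 4111 1111 1111 1111
3,Ann Poe,n/a,order ref 1234 5678 9012 3456 and part 000-12-3456
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("file classification:", classify(SAMPLE))
```

The validators matter as much as the patterns: the order reference and part number on the last row look like a card number and an SSN but fail the checks, which keeps the inventory free of false positives.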
Classifying the data also allows you to determine whether it is still relevant and appropriate to store. Delete any old, unneeded PII to ensure it is inaccessible to potential attackers. Be sure to delete PII securely and permanently. Scrub old files from your data backups, as well. PII that's printed on paper should be shredded regularly.
Locate and Lock Down
Keep a record of how and when data records are processed, what systems use personal data records, and where they're stored. All of those systems must be protected with access control and encryption. Note that most encryption software scrambles information at rest or in transit, leaving some sensitive data potentially vulnerable to exposure during processing. Review vendors' encryption and data privacy practices carefully.
The Department of Homeland Security has several suggestions for protecting PII, including:
· Documents and records shouldn't be accessible to anyone unless they need the information at that time. Activate computer screen savers when leaving the work area.
· Hard copies that contain PII should be stored in locked drawers or file cabinets.
· Employees should either log off from or activate a password-protected lock on their computers at the end of each shift.
· Intra-office or telephone conversations regarding sensitive PII should take place in private locations.
· Sensitive PII that must be emailed should be saved in a separate document (not sent in the body of an email) and password-protected or encrypted. The encrypted document should be sent as an email attachment, with the password provided to the recipient in a separate email or by phone. Sensitive PII should never be emailed to a personal email account.
Training Employees to Handle PII
Customers trust that the companies they do business with are handling their information properly. If your staff isn't properly trained in handling PII, you risk exposing your company to litigation, a damaged reputation, and possible fines. Employees should be aware that:
· Downloading PII from the network to their laptops is forbidden. Data stored on employee laptops is at higher risk of loss or theft than when it is maintained by internal systems with proper controls.
· Work and personal accounts must be kept separate. There is never a reason to transfer company data containing personal information to personal machines or accounts. Likewise, company data should not be moved to cloud services that have not been sanctioned for company use.
· In some organizations, IT uses 'dummy' copies of transaction records and customer databases for testing and development. Those files must be anonymized before anyone is allowed to use them.
· Criminals impersonate other companies or individuals through phone calls ("vishing"), emails ("phishing") and even text messaging ("smishing") to trick employees into divulging personal information.
The Cost of Stolen PII
The Ponemon Institute found that the average cost per lost or stolen data record was $146 -- but each compromised record containing PII cost $150. Eighty percent of hacked organizations reported that thieves aimed specifically to steal PII.
Most small businesses work with PII. Mishandling that sensitive data can have serious, and sometimes devastating, consequences. Investing in security software, data management tools, and employee training will help to avoid breaches and mitigate them if they do occur.