Introduction to PII
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is a hot topic these days, and for good reason: data security breaches continue to occur at an alarming rate, exposing untold numbers of accounts and other sensitive records. We live in a world where information systems control and direct our lives like never before, delivering unprecedented efficiency along with ever-growing security risk. From medical records and credit card numbers to driver's license data and social security numbers, and that is just the tip of the iceberg, society is awash in PII, and protecting it requires comprehensive measures.
Data Breaches Keep Coming
It seems as if every day there is yet another front-page story about a data breach, whether of credit cards, social security numbers, medical records, or some other type of privileged information. Unfortunately, breaches will only continue and grow in size and severity unless companies make fundamental changes in how they assess, handle, and protect PII. This requires new thinking, an approach that is ingrained within the organization: not a switch that is turned on and off, but a process that slowly but surely builds awareness and accountability.
The digital world we all live in is only going to become more "digital", so investing in comprehensive measures for ensuring the safety and security of PII is a must for any entity, regardless of industry, size, or location. To be fair, a number of regulatory mandates push aggressively for securing such data, among them the well-known HIPAA health care law in the United States, the Payment Card Industry Data Security Standard (PCI DSS), and numerous other laws and industry-specific mandates. An "A" for effort, but unfortunately an "F" for execution, as many compliance mandates are weakly enforced and brushed aside by companies as cumbersome, intrusive, and not in the best interests of the business.
What is PII?
As for what Personally Identifiable Information (PII) is, the National Institute of Standards and Technology (NIST) publication SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", defines it as follows:
"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Additionally, NIST SP 800-122 defines "distinguishing", "tracing", and "linking" as follows:
- To distinguish an individual is to identify them, for example by name or social security number.
- To trace an individual is to "process sufficient information to make a determination about a specific aspect of an individual's activities or status."
- Information is linked when it is logically associated with other information about the individual, and linkable when such an association is possible, for example by combining it with data held elsewhere.
With that said, common examples of PII include, but are not limited, to the following:
- Full name, with all middle names (especially if the name is not common).
- Any part of an individual's name that is stored or displayed in conjunction with any of the subsequent listings of data and information deemed PII.
- National Identification information, such as passports, visas, permanent residence cards, voting information, social security number (United States), or any other type of unique identifier used on a national level.
- Local and/or state, provincial, etc. information, such as driver’s licenses, vehicle registration and permit documents, or any other type of unique identifier used on a local and/or state, provincial level.
- Digital identifiers, such as IP addresses, usernames, and email addresses, along with the passwords and other credentials that protect those accounts.
- Facial, fingerprint, iris and all other associated biometric information.
- Date of Birth.
- Place of Birth.
- Medical records, including protected health information (PHI) and electronic protected health information (ePHI), and all associated data and information contained in the medical records, whether electronic or hard copy.
- Genetic information, if applicable.
- Criminal records.
- Financial and Accounting records, such as banking, mortgage, revolving debt and tax information, along with credit and debit cards.
- Educational information, such as classes taken, schedule, grades received, degrees confirmed, disciplinary actions, financial aid, student loans, etc.
- Professional and occupational information, such as salary, tenure, etc.
- Professional licenses, certifications, designations, etc.
- Any other information deemed PII but not listed above.
PII, PHI, ePHI, PIFI, and GDPR Personal Data
Additionally, there are subsets of PII, such as Protected Health Information (PHI), electronic Protected Health Information (ePHI), Personally Identifiable Financial Information (PIFI), personal data as defined by the GDPR, and further subcategories. They all share a common trait: the information is deemed highly sensitive and privileged, requiring comprehensive measures for ensuring its confidentiality, integrity, and availability (CIA). Whether in electronic format or on paper, PII needs to be protected at all times, which means implementing the following best practices in today's world of growing cyber security attacks.
Organizations cannot be expected to safeguard Personally Identifiable Information if they do not know what types of PII they hold, where it is located, and who has access to it. Therefore, it is imperative to undertake a data classification and asset inventory exercise that confirms all PII in the organization's possession and where it actually resides.
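One way to support the inventory step is to scan the records an organization holds for common PII patterns and tally what is found. The example below is added here as an illustration; it is not code from the page's author or from NIST SP 800-122. The sample records are constructed with fictitious values, and the pattern set and function names are assumptions. Each regex hit is validated before it is reported (Luhn checksum for card numbers, SSA issuance rules for SSNs, octet range for IPv4), which is what separates a usable inventory from a pile of false positives.

```python
"""Constructed example: scan free-text records for common PII patterns and
count them per category for a data classification report.

Added illustration, not the page's or NIST's code. Sample records,
pattern set, and function names are assumptions.
"""
import re
from collections import Counter

# Candidate patterns; every match is validated further before being reported.
PATTERNS = {
    "us_ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "card":   re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email":  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: no all-zero fields, area never 666 or 900-999."""
    if area == "000" or group == "00" or serial == "0000":
        return False
    if area == "666" or area >= "900":   # all fields are fixed-width digit strings
        return False
    return True


def ipv4_valid(addr: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def find_pii(text: str) -> list:
    """Return (category, matched_value) pairs found in one record."""
    hits = []
    for m in PATTERNS["us_ssn"].finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("us_ssn", m.group(0)))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    for m in PATTERNS["email"].finditer(text):
        hits.append(("email", m.group(0)))
    for m in PATTERNS["ipv4"].finditer(text):
        if ipv4_valid(m.group(0)):
            hits.append(("ipv4", m.group(0)))
    return hits


def inventory(records) -> Counter:
    """Count PII categories across all records; this is the classification tally."""
    counts = Counter()
    for rec in records:
        for category, _ in find_pii(rec):
            counts[category] += 1
    return counts


# Constructed sample records with fictitious values.
SAMPLE_RECORDS = [
    "Customer: Jane Roe, SSN 123-45-6789, email jane.roe@example.com",
    "Order 77, card 4111 1111 1111 1111, shipped from 203.0.113.9",
    "Ticket 12345678901234 escalated; contact ops@example.org",   # 14 digits, fails Luhn
    "Invalid SSN 000-12-3456 should not be counted",              # area 000 is never issued
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(find_pii(rec))
    print(dict(inventory(SAMPLE_RECORDS)))
```

In practice the same scanner would be pointed at file shares, database exports, and ticketing systems, and the tally per location becomes the first column of the PII inventory.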
Prioritizing “Impact Levels” of PII
Yet another, and often overlooked, component of PII best practices is prioritizing the impact level of a potential breach. Specifically, would the unauthorized disclosure, modification, destruction, or removal of the information, or the disruption of access to it, have a limited, serious, or severe or catastrophic adverse effect on the organization? These correspond to the low, moderate, and high impact levels described in the United States Federal Information Processing Standards Publication 199 (FIPS PUB 199), "Standards for Security Categorization of Federal Information and Information Systems", and the answer determines how much protection each class of PII warrants.
Protecting PII in Hardcopy Format
Even in today's world, the use of paper is still quite prevalent, so protecting paper records containing PII is a must. That means implementing these essential best practices:
- First and foremost, avoid printing any documentation containing PII if you can. If that’s not possible, then limit it to the fullest extent possible.
- For paper records containing PII, assign tracking and logging mechanisms as necessary for ensuring its use and whereabouts at any given time, along with assigning an approved data classification level (i.e., sensitive, secret, etc.) for such material.
- Paper records containing PII must be physically stored in a secure location at all times, such as locked file cabinets, locked desk drawers, or any other acceptable measure for keeping them out of the hands of unauthorized parties.
- When such records are no longer needed for business or compliance purposes (such as data retention laws, etc.), they are to be shredded and documented accordingly.
- Acceptable means of destroying paper records containing PII include, but are not limited to, shredding, burning, pulping, or pulverizing the records so that the PII is rendered unreadable, indecipherable, and incapable of being reconstructed.
- Do not allow paper records containing PII to be viewable or accessible in common areas, or left unsupervised, such as on your desk or at any other workstation or work area while you are not present.
- The transporting of paper records containing PII is to be limited to authorized personnel only at all times.
- Implement physical access controls and other security safeguards for protecting paper records containing PII at all time.
- Be alert at all times. If you see paper records being handled inappropriately, left in insecure areas, left unattended, or stolen or compromised in any other way, say something and report the issue immediately to authorized personnel.
Protecting PII in Electronic Format
In today’s growing digital world, more and more information is being electronically stored, processed, and transmitted than ever before, thus take note of the following best practices for protecting PII in electronic format:
- PII must be encrypted whenever it is sent, received, stored, or accessed, so that anyone intercepting it sees only ciphertext; use authenticated encryption (for example, TLS in transit, AES-GCM at rest) so that tampering is detected as well, since encryption alone protects confidentiality but not integrity. When sending PII by email, always use encrypted email, and insist that PII sent to you arrive the same way. When accessing or transferring data over the web, confirm that the browser shows HTTPS and a valid certificate for the site before entering or downloading anything.
- A fun, easy, and commonly used platform for communicating and exchanging information is instant messaging (IM), of which there are many providers. Unfortunately, most consumer IM platforms are not secure channels: messages may be logged by the provider, retained indefinitely, or intercepted, and the organization has no control over where they end up. PII should therefore never be sent or received over IM unless the organization has explicitly approved an end-to-end encrypted platform for that purpose. No exceptions.
- Devices that connect via USB ports, such as thumb drives, external hard drives, and other removable storage and memory devices, should never contain PII. Their small size, their lack of security controls (most ship without encryption), and the ease with which they are obtained and lost (conferences, trade shows, etc.) make them a high-risk item, especially with respect to PII.
- Approved disposal techniques are always to be used when destroying computer hardware and related assets that contained PII.
- Many times, organizations do not need full, comprehensive records of PII to carry out their transactional activities. NIST SP 800-122 describes this as de-identifying information: removing fields that are not needed, masking or truncating identifiers, generalizing values (for example, a date of birth to an age range), or replacing direct identifiers with codes or tokens so that records can still be processed without exposing the individual. Consult NIST SP 800-122 for further guidance on implementing PII minimization procedures.
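The de-identification techniques just listed, carried through on one record, as an added example that is not the page's or NIST's code. The field names, the sample record (fictitious values), and the key are assumptions; in a real deployment the key would come from a key management service or HSM, because anyone holding it can recompute the tokens. The SSN is replaced with a keyed HMAC rather than a plain hash: a 9-digit SSN space is small enough that an unkeyed SHA-256 of it can be enumerated in seconds, whereas the HMAC cannot be reversed or brute-forced without the key.

```python
"""Constructed example: de-identify a customer record before it leaves the
system of record (added illustration, not the page's or NIST's code).

Shown: drop fields the downstream task does not need, mask a card number,
generalize a date of birth to an age band, and replace the SSN with a keyed
pseudonym so records can still be joined without exposing the identifier.
The key, field names, and sample record are assumptions.
"""
import hashlib
import hmac
from datetime import date


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable for a given value under one key, but not invertible
    and not enumerable by an attacker who lacks the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_card(pan: str) -> str:
    """Keep only the last four digits (the usual PCI DSS masking convention)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def age_band(dob: date, today: date, width: int = 10) -> str:
    """Generalize a birth date to an age band of the given width in years."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


# Fields the downstream task actually needs (assumption); everything else is dropped.
KEEP = {"customer_id", "state", "plan"}


def deidentify(record: dict, key: bytes, today: date) -> dict:
    out = {k: v for k, v in record.items() if k in KEEP}
    out["ssn_token"] = pseudonymize(record["ssn"], key)       # tokenize
    out["card_masked"] = mask_card(record["card"])            # mask
    out["age_band"] = age_band(date.fromisoformat(record["dob"]), today)  # generalize
    return out


# Constructed sample record with fictitious values.
SAMPLE = {
    "customer_id": "C-1001",
    "name": "Jane Roe",
    "ssn": "123-45-6789",
    "dob": "1985-07-04",
    "card": "4111 1111 1111 1111",
    "email": "jane.roe@example.com",
    "state": "CA",
    "plan": "gold",
}
KEY = b"example-secret-key-kept-in-a-vault"   # assumption: real key lives in a KMS/HSM
AS_OF = date(2024, 1, 15)                      # fixed "today" so the output is reproducible

if __name__ == "__main__":
    print(deidentify(SAMPLE, KEY, AS_OF))
```

Note that the tokenized record is still linkable (the same SSN yields the same token under the same key), which is what allows joins across datasets; whether that counts as acceptably de-identified depends on who holds the key and what else the recipient can correlate, so the key must be kept out of the hands of whoever receives the output.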
Security Awareness Initiatives for PII
Employees need to know exactly what constitutes Personally Identifiable Information, where it’s located, and what are some of today’s leading security issues, threats, and concerns relating to PII. Having employees and other workforce members properly trained on critical information security topics and best practices is often an organization’s best defense against data breaches and security compromises. Getting there begins by putting in place high-quality and in-depth security awareness training programs – those geared specifically towards the topic of PII and other essential security initiatives.
Incident Response Measures for PII
Incident response measures regarding PII must include initiatives consisting of the following categories, for which authorized personnel are to enact when such measures are required:
- Initial Response and Containment
- Security Analysis | Recovery and Repair
- Post Incident Activities and Awareness
- Training and Testing
Responding swiftly to PII incidents is an absolute must, and it starts with having well-documented, formalized incident response measures in place before an incident occurs.
In summary, today’s digital world has brought unprecedented levels of efficiency in all we do, yet responsibilities loom large for ensuring the confidentiality, integrity, and availability (CIA) of Personally Identifiable Information (PII). From social security numbers to dates of birth, medical records – and much more – the world is awash with PII, and it’s time organizations put in place comprehensive measures for protecting such information. Start with a comprehensive PII policy that’s available for immediate download from FLANK.
The paper world we once knew is quickly fading away, resulting in more and more digital transactions for any type of activity, from buying a movie ticket, to paying one’s utility bills. Now’s the time to become vigilant about protecting PII.