What is PII?
PII stands for Personally Identifiable Information. The National Institute of Standards and Technology (NIST) defines PII as any information that can be used to distinguish or trace a person’s identity or any information that can be linked to a person. PII can include information about an individual such as person’s name, address, date/places of birth, social security numbers, bank account numbers and more.
Examples of PII:
- Name
- Social Security number
- Date/place of birth
- Driver's license number
- Employment information
- Passport number
- IP address
- Medical information
- Vehicle identification number (VIN)
- Property data
- Education information
Where is PII Stored?
PII can be stored in many places, including social media, servers, laptops, the cloud, thumb drives, printers/copiers, websites and hard-copy documents. It's important for individuals to know where their information is being stored and who they are submitting their information to. Organizations, too, need to ensure they understand what information they are collecting from their customers, where that information is being stored and how long they remain in possession of that data.
What Happens When PII Becomes Breached?
If your PII becomes exposed or lands in the wrong hands, it can be extremely detrimental not only to you but to those closest to you, including family, friends, and co-workers. PII can be breached by a cybercriminal in many ways, including phishing scams and ransomware attacks. When PII is breached, an individual may suffer social, economic, or physical harm such as loss of money, credit damage, compromised medical records, blackmail, and loss of time spent trying to resolve the issue. When an organization is responsible for mishandling information, it may face financial and reputational risks and may be in violation of federal law.
Federal Law and PII
Organizations need to ensure they are properly maintaining the PII they collect in accordance with federal law. If an organization is breached, it may be liable for not properly storing sensitive data.
Federal privacy laws in the United States are typically sector-based. For example, HIPAA (Health Insurance Portability and Accountability Act) applies to the health-care sector, while GLBA (Gramm-Leach-Bliley Act) applies to the financial services sector. If an organization conducts business internationally, it must ensure it is following those countries' privacy laws. It is up to the organization to understand and follow whichever laws apply to it.
Tips to Protect PII
Individuals should monitor where they enter and store their PII, while organizations should establish policies and procedures to ensure the security of the PII they collect. Below are some tips for both individuals and organizations.
For Individuals:
- Do not share personal information on social media platforms, including Facebook, Twitter, Instagram, LinkedIn, YouTube, TikTok, etc.
- Know where your PII is stored, e.g., which websites and apps hold it
- Be careful when joining public networks
- Use strong passwords
- Stay up to date on cybersecurity threats such as phishing scams
- Monitor your financial accounts
For Organizations:
- Develop comprehensive policies and procedures for handling PII
- Provide security awareness training to employees on protecting PII
- Minimize the use, collection, and retention of PII
- Conduct impact assessments and audits
- Set up security controls
- Protect hard-copy and electronic files containing PII
GraVoc provides expert Information Security Services including Governance, Risk & Compliance, Security Awareness & Tabletop Training to organizations looking to improve their overall security posture. Click below to learn more about security services and how we can help you keep your PII secure.