What is PII?
PII stands for Personally Identifiable Information. The National Institute of Standards and Technology (NIST) defines PII as any information that can be used to distinguish or trace a person’s identity or any information that can be linked to a person. PII can include information about an individual such as person’s name, address, date/places of birth, social security numbers, bank account numbers and more.
Examples of PII:
Social Security #
Date/Place of Birth
Drivers License #
Where is PII Stored?
PII can be stored in many places including social media, servers, laptops, in the cloud, thumb drives, printers/copiers, websites and hard copy documents. It’s important for individuals to know where their information is being stored and who they are submitting their information to. Organizations as well need to ensure they understand what information they are collecting from their customers, where that information is being stored and how long they are in possession of that data.
What Happens When PII Becomes Breached?
If your PII becomes exposed or lands in the wrong hands, it can be extremely detrimental to not only you but those closest to you from family, friends, and co-workers. PII can become breached by a cybercriminal in many ways including phishing scams and ransomware attacks. When PII becomes breached, an individual may suffer from social, economic, or physical harm such as the loss of money, credit damage, compromised medical records, blackmail, and loss of time trying to resolve the issue. When an organization is responsible for mishandling information, they may face risks to their finances, reputation and may be in violation of federal law.
Federal Law and PII
Organizations need to ensure they are properly maintaining the PII they collect in accordance with Federal law. If an organization were to become breached, they may be liable for not properly storing sensitive data.
Federal privacy laws are typically sector-based in the United States. For example, HIPAA (Health Insurance Portability and Accountability Act) applies to the health-care sector while GLBA (Gramm-Leach-Bliley Act) applies to the financial services sector. If an organization conducts their business internationally, they must ensure they are following those countries privacy laws. It is up to the organization to follow and understand which laws apply to them.
Tips to Protect PII
Individuals should monitor where they enter and store their PII while organizations should take steps to establish policies and procedures to ensure the security of the PII they collect. Below are some tips and tricks for both individuals and organizations.
- Do not share personal information on social media platforms including Facebook, Twitter, Instagram, LinkedIn, YouTube TikTok etc.
- Know where your PII is store ex- websites, apps,
- Be careful of joining public networks
- Use strong passwords
- Stay up-to-date with cybersecurity threats such as phishing scams.
- Monitor your financials
- Develop comprehensive policies and procedures for handling PII
- Provide security awareness training to employees on protecting PII
- Minimize the use, collection, and retention of PII
- Conduct impact assessments and audits
- Setup security controls
- Protect Hard Copy and Electronic files containing PII
GraVoc provides expert Information Security Services including Governance, Risk & Compliance, Security Awareness & Tabletop Training to organizations looking to improve their overall security posture. Click below to learn more about security services and how we can help you keep your PII secure.
GraVoc Security Consultant, Josh, demonstrates how a hacker can break an iPhone’s wireless settings using a rogue hotspot as seen in the most recent Apple bug, Wi-Fi Network %p%s%s%s%s%n.
GraVoc security consultant, Josh, shows you how hackers can attempt to steal INDALA Badges using a home-brewed hacking device.
In this episode of How Do Hackers Do Things, GraVoc Security Consultant, Josh, will show you how hackers can clone a badge using the Proxmark3. This type of attack could allow an attacker to physically enter a facility and plant other devices that would allow for further exploitation.