Introduction
Personally identifiable information (PII) is some of the most valuable data that organizations can have. It's also some of the most dangerous if you don't follow data security best practices. If you don't treat this data with care, you could end up in the headlines as the victim of the latest data breach, costing you money and damaging your reputation.
Of course, you should never leave PII data unprotected. So what is the best way to protect the confidential and sensitive PII that you handle? In this article, we'll discuss the techniques for safeguarding the personal information that your organization collects, stores, and processes.
What is PII Data?
The U.S. National Institute of Standards and Technology (NIST) defines personally identifiable information (PII) as "any information that can be used to distinguish or trace an individual's identity," as well as "medical, educational, financial, and employment information" that pertains to a specific individual.
According to NIST, the types of PII data include:
-
Identifiers: first, middle and last names; home address; phone number and other contact information; age; date and place of birth; gender; marital status; race or ethnicity; mother's maiden name nationality; ID numbers (e.g. Social Security number, passport number, or driver's license number)
-
Work and education: employee or student ID; workplace or school address; years of work or study
-
Biometric identifiers: biometric templates (i.e. digital representations) of an individual's fingerprints, retina scans, facial recognition data
-
Internet data: browsing history, search history, IP addresses, mobile app activity, geolocation data
-
Financial information: credit card numbers, SSNs, bank account numbers
It's important to distinguish between sensitive PII and non-sensitive PII. Not all personal data is also sensitive PII: For example, telephone numbers are routinely published in phone books. Other information such as a person's gender, age, and date of birth is also potentially discoverable and not necessarily sensitive.
Sensitive data is data that might lead to damage, such as identity theft, in the event of unauthorized disclosure. For example, a person's Social Security number is sensitive PII in part because of its common use as an identification method on financial documents.
Non-sensitive PII can also become sensitive in certain contexts. For example, a person's name itself may not be considered sensitive PII, but it becomes such if it appears on a medical clinic's list of patients.
How to Safeguard Your Unprotected PII Data
Every organization handles personally identifiable information about their employees and/or customers—but far too often, this PII goes unprotected. Without following best practices for data privacy and data security, you're putting yourself at significantly greater risk of data breaches, i.e. unauthorized disclosure of PII. In this section, we'll discuss four techniques for safeguarding unprotected PII data.
1. Don't Forget Physical Security
When enacting a solid data security policy, it's easy to forget that physical security is a crucial part of the package. Physical security seeks to prevent individuals from gaining unauthorized access to and tampering with IT infrastructure (e.g. hard drives, servers, network cables, and mobile devices).
Your organization, and the third-party IT contractors you use, should have surveillance systems in place and a solid access control policy. This may include guards and physical defenses, passwords, ID scanners, and biometric identification (e.g. fingerprints, facial authentication, and voice recognition).
The Unified Stack for Modern Data Teams
Get a personalized platform demo & 30-minute Q&A session with a Solution Engineer
2. Obey the Regulations
Make sure you're aware of which data security and data privacy regulations apply to your organization. These laws and regulations place clear limits on how organizations can collect, store, and process sensitive PII, with the potential for fines and other penalties in the event of noncompliance.
For example, the European Union's General Data Protection Regulation (GDPR) doesn't just apply to businesses in the EU—it applies to any business that handles the personal data of EU citizens and residents. Similar conditions apply to California residents under the California Consumer Privacy Act (CCPA). Meanwhile, the Privacy Act of 1974 constrains the U.S. federal government agencies' use of PII.
3. Establish Good Data Governance
If you don't know which PII you're handling, how can you hope to protect such information? "Data governance" is a term for an internal framework that determines how organizations make decisions about data management.
Good data governance for sensitive personally identifiable information means:
- Identifying the PII that your organization handles, as well as the information technology that processes and stores this PII.
- Determining which data and systems to prioritize by classifying your PII in terms of multiple factors, including:
- How sensitive or confidential the information is
- How attractive the information is to potential attackers
- How well-protected the information currently is
- How severe the consequences would be if the information were exposed
- Defining who can access different types of PII and the acceptable ways in which they can use that PII.
- Establishing data security training and education programs, so that everyone in the organization can properly handle PII and identify security threats.
4. Use Encryption
Data encryption, for information either in transit or at rest, is one of the best defenses against improper disclosure of PII. Even if your systems suffer a breach by a malicious actor, encrypted PII will be useless in the hands of the attacker without the corresponding decryption key.
The regulations that protect data privacy recognize this power of encryption. According to data security regulations such as the GDPR, for example, organizations do not have to notify affected individuals about a breach of their personal data if this data has been properly encrypted.
How Integrate.io Can Help with Unprotected PII
Techniques such as physical security, good data governance, and data encryption are tremendously valuable for unprotected PII—but how can you actually implement these techniques within your organization?
Integrate.io is here to help. The Integrate.io platform is a powerful, feature-rich solution for ETL and data integration, with security as our top priority. We offer SSL/TLS encryption on all our websites and microservices, making it easy to keep your sensitive PII protected. With Integrate.io, you'll never have to worry about the security of the PII data that you handle in your ETL workflows.
Want to learn how Integrate.io can keep your PII safe and secure while making it easy to build data pipelines to the cloud? Get in touch with our team of data experts today for a chat about your business needs and objectives, or to start your 7-day pilot of the Integrate.io platform.