Q and A: Protecting PII

How are you protecting the PII (Personally Identifiable Information) of your clients, customers or members?

As others are stating, sharing the specifics of these plans can open you up to risk, so it is best to share generally about this topic.

PII is a big deal and you can be responsible for it even though you didn’t initially send it.

Let’s cover the basics of what PII is and isn’t.

Personally Identifiable Information (PII) is defined as any information about an individual maintained by an agency, including:

(1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and

(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

PII can be sensitive or non-sensitive.
Non-sensitive PII information:
– Can be transmitted in an unencrypted form without resulting in harm to the individual.
– Can be easily gathered from public records, phone books, corporate directories and websites.

Sensitive PII information:
– When disclosed, could result in harm to the individual whose privacy has been breached.
– Should be encrypted in transit and when data is at rest.

Personally identifiable financial information (PIFI) is any information that a consumer provides to a financial institution that would not be available publicly.

PIFI may include information such as:
– An individual’s name
– Personal contact details
– Bank account number
– Credit Card number
– Social Security number
– And more

PIFI generally contains private and confidential data visible only to authorized personnel.

The term is mainly applied in an operating environment where security, privacy and authenticity of financial information are the primary objectives. The data stored within PIFI is used for a set of different applications and/or business services.

For example, an online e-commerce site may contact a consumer’s bank and use PIFI from the bank’s server to identify and validate a buyer’s credit card.

Under the Gramm-Leach-Bliley Act, financial institutions must alert their customers to privacy policies and practices and avoid the disclosure of nonpublic personal information about consumers to third parties without consumers’ consent.

Financial institutions must also establish appropriate standards for protecting PIFI.

OK, you still there? I know that was a lot of text, but it’s a great guideline to help you understand WHAT you need to protect.

So, HOW do we protect PII? A few best practices include:

Identify where you are storing PII. Many file management services will offer this; you can also purchase software audits or have a professional consultant come in.

Determine the sensitivity of the PII you store.

Remove any legacy PII that is no longer needed for active work. Use a retention policy and retire data as quickly as you can.

Encrypt PII in transit and at rest.

We strongly suggest that you NEVER EVER EVER email PII. Consider scans to encrypted network folders or secure cloud services like Egnyte with proper roles and permissions.

Email compromise is the number one method for bad actors to gain access and steal PII. Having a strong inbound and outbound email compliance solution can help prevent attacks and mitigate leaks.

PERMISSIONS. Not everyone in your organization needs access to PII. Properly storing this data by user role and access permissions will help mitigate many risks.

Educate your team on the critical nature of PII. We suggest at least an annual security awareness training session or PII refresher.

Have a standard onboarding and offboarding process for your team. Do not COPY permissions from users.

If you can, have a dedicated compliance officer who can check and audit your internal process at least quarterly.

There is a lot to understanding and protecting PII. Having a trusted partner like PremierePC can help you avoid many pitfalls, implement complicated solutions, and assist your team in driving compliance.