Types of PII and How to Keep it Safe
Media accounts of the theft of personally identifiable information by hackers seem to keep coming like a two-mile-long train—there just seems to be no end in sight. Understanding the different types of PII and what your business needs to do to protect customer data is critical.
That’s because cyberthieves stand to make enormous amounts of money selling personal data in bulk on the black market.
So what exactly qualifies as personally identifiable information (PII)? Essentially, it’s data that can be used to specifically distinguish one individual from another—names, social security numbers, birthdates, biometric records, email addresses, or anything that could be used to uniquely identify a person (even something as trivial as login names or social media handles).
Personally identifiable information in the hands of bad actors can be used to pilfer bank accounts, erode consumer credit ratings, and destroy an individual’s reputation when seeking employment. For financial organizations and other entities handling personal data, the average cost of a data breach is staggering—$7.3 million in the U.S. alone—which is why it’s important to know the regulations and your responsibility to protect data.
Types of PII
There are three important types of PII that are typically targeted by hackers and at most risk of being compromised for financial or other unlawful gain.
Cardholder Data – A type of personally identifiable information usually associated with a credit or debit card. The information associated with the card—account number and name, PIN numbers, expiration dates, and security codes—is typically all that is needed for hackers to help themselves to ill-gotten merchandise or cash.
General Personally Identifiable Information (PII) – There are two types: sensitive and non-sensitive. Sensitive information personally distinguishes you from another individual, even with the same name or address. Sensitive information includes birth certificates, passports, social security numbers, death records, and so forth. A breach of this type of data can result in significant financial harm. Non-sensitive data, such as public property ownership records and social media accounts, can be used to confirm ownership of sensitive data.
Protected Health Information (PHI) – This type of information includes personal information such as birthdates and social security numbers, but goes a step further in that it includes results of lab tests, radiology, diagnoses, and other sensitive health information. Networks containing PHI are increasingly attacked because hackers know that they can often access a patient’s PII for financial gain.
Responsibility for Compliance
Your responsibility to protect PII depends on what type of organization you are, what state your operations are based in, and, to some extent, what country your company does business in.
The Gramm-Leach-Bliley Act (GLBA) was enacted during the infancy of today’s current cybersecurity threat environment. On the federal level, it essentially mandates that financial institutions must be in compliance when it comes to protecting consumers’ private data.
The GLBA is administered by the Federal Trade Commission and is largely directed toward U.S. organizations that must have safeguards in place to identify risks to customer data, have a means of disposing of electronic data, and train employees on best practices for securing consumer documents. Penalties for noncompliance can be severe and start at $100,000 per violation.
In a global economy, many companies operate internationally, and if they operate in any of the 28 European Union countries, they are subject to the General Data Protection Regulation (GDPR). In May 2018, the EU imposed some of the strictest data protection regulations safeguarding the private data of EU citizens.
The GDPR applies to U.S. companies if they handle, store, or process the information of EU citizens, even if the organization is not based in the EU. The GDPR’s teeth come from the fact that private citizens must “opt in” and give consent to the use of their private data, which is not the case in much of the U.S.
Penalties for noncompliance are harsh, starting at around US $23 million or 4 percent of annual global revenues, whichever is greater.
Consumer card data is largely regulated by the Payment Card Industry Data Security Standard, or PCI DSS, which mandates that consumer card data is protected when stored or transmitted.
Required security measures include:
• Maintaining an IT security policy that secures applications and networks
• Restricting physical access to data
• Performing periodic vulnerability testing of systems and processes
• Encrypting sensitive data
Despite fines of up to $500,000 per incident, anyone paying attention to the current rash of cybersecurity breaches is fully aware that many of the current policies in place fall far short, given that the majority of successful attacks have been aimed at financial organizations.
The protection of PHI is largely governed by the U.S. Health Insurance Portability and Accountability Act, or HIPAA. Private health information is protected against unauthorized disclosure, use, or access by anyone other than healthcare providers, health insurance companies, patients, and their designated caregivers.
Despite this, the healthcare industry in 2017 was second only to private enterprise, logging 24 percent of all known cyberattacks.
Protecting Private Data
There are several effective ways to protect personally identifiable data. One such method is encryption. With encryption, data is transformed into ciphertext that cannot be read unless you, or someone authorized by your organization, possesses the key (or the password that protects it) needed to decrypt the data. Although encryption is a highly secure approach to data protection, it can be vulnerable to “brute-force” attacks, in which an attacker tries a large number of candidate keys or passwords until the correct one is found; in practice this works against weak passwords and short keys rather than against properly generated keys, so key management matters as much as the algorithm.
Data masking is a way for organizations to remain in compliance while limiting unnecessary exposure of real data to third parties. The data format remains the same, but the values are masked (changed) using character shuffling, word substitution, and encryption-based techniques. These techniques make it very difficult to recover the real values from the masked data.
Data hashing is another form of security that is often confused or used interchangeably with encryption, but they are different. Hashing is often used to store and disguise passwords and to secure credit card data. A hash function takes an input such as a password and produces a fixed-length digest from which the original input cannot be recovered; unlike encryption, there is no key that reverses it. For passwords, the hash should be salted and computed with a slow, purpose-built password-hashing function so that guesses cannot be tested cheaply.
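As an added example (not code from the original article), the following Python masks the digits of card and social security numbers in a format-preserving way and replaces each identifier with a keyed one-way token that still lets records be matched; the sample record, the token key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record; the values are test data, not real identifiers.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "pan": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
}

# Hypothetical per-deployment secret; in production it lives in a key vault or HSM.
TOKEN_KEY = b"replace-with-a-randomly-generated-32-byte-key"


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Format-preserving mask: replace every digit except the last `keep_last`
    with 'X', leaving separators such as spaces or hyphens in place so the
    masked value still fits existing forms, reports and column widths."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    to_mask = set(positions[:-keep_last]) if keep_last else set(positions)
    return "".join("X" if i in to_mask else c for i, c in enumerate(value))


def token_for(value: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) over the digits of a PAN or SSN.
    Identifiers like card numbers come from a small, structured space, so a
    plain unkeyed hash could be matched against a precomputed table; the key
    removes that weakness while still allowing records to be linked."""
    digits = "".join(c for c in value if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, key: bytes) -> dict:
    """Return the copy of a record that non-production systems may see:
    masked display values plus tokens for matching, and no raw identifiers."""
    return {
        "name": record["name"],
        "pan_masked": mask_digits(record["pan"]),
        "pan_token": token_for(record["pan"], key),
        "ssn_masked": mask_digits(record["ssn"]),
        "ssn_token": token_for(record["ssn"], key),
    }


if __name__ == "__main__":
    for field, value in protect_record(SAMPLE_RECORD, TOKEN_KEY).items():
        print(f"{field}: {value}")
```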
No one data security tool can function as blanket coverage to keep personally identifiable data out of the hands of bad actors. In many cases, multiple layers of data protection solutions will have to be employed, depending on the industrial sector, country of operations, and compliance regulations that apply to you.