PII In Cybersecurity: What Is It And How Does It Work?
Published 2023-11-15 at https://businessyield.com/tech/technology/pii-in-cybersecurity-what-is-it-and-how-does-it-work/
Personally identifiable information (PII) in cybersecurity is any data that could potentially identify a specific individual. It is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

As people have come to increasingly rely on information technology in their work and personal lives, the amount of PII that organizations gather grows. For example, companies collect customers' data to understand their markets. Consumers also readily give out their telephone numbers and home addresses to sign up for services and shop online.

Sharing PII can have its benefits. It allows businesses to tailor products and services to the wants and needs of their customers. This includes serving up more relevant search results in navigation apps. However, the growing storehouses of PII accumulated by organizations attract the attention of cybercriminals. Hackers steal PII to commit identity theft, sell it on the black market, or hold it captive via ransomware.
According to IBM's Cost of a Data Breach 2022 report, 83% of companies have suffered more than one data breach, with the average breach costing USD 4.35 million. Individuals and information security professionals must navigate a complex IT and legal landscape to maintain data privacy in the face of these attacks.

Understanding PII in cybersecurity

PII is any data that can be used to uniquely identify a person. This includes names, Social Security Numbers (SSNs), addresses, phone numbers, bank account numbers, and more. In short, all of your sensitive personal information falls under this umbrella.

When discussing cybersecurity, protecting PII is paramount. Because many businesses store customer data in their systems or networks, they need to invest in reliable security measures that protect that data from cyberattacks and other forms of unauthorized access. Without proper protection, criminals can gain access to sensitive customer information, leading to identity theft or other serious financial crimes.

The purpose of PII is to verify the identity of an individual. When a website or business collects and stores an individual's information, it is essentially creating a digital image of that person that can be used for various purposes, such as verifying the customer's identity online, tracking purchases, and even granting access to certain services.

PII is widely used in the banking sector. Many financial institutions use your personal information (name, address, SSN) to open accounts and approve loan applications. Therefore, these organizations must protect this sensitive data from unauthorized access or misuse.

PII comes in two types: direct identifiers and indirect identifiers. Direct identifiers are unique to a person and include things like a passport number or driver's license number. A single direct identifier is typically enough to determine someone's identity.

Indirect identifiers are not unique. They include more general personal details like race and place of birth. While a single indirect identifier can't identify a person, a combination can. For example, 87% of U.S. citizens could be identified based on nothing more than their gender, ZIP code, and date of birth.

Personally Identifiable Information (PII) in Privacy Law

PII and similar terms exist in the legislation of many countries and territories:

Examples of PII

The most commonly used PIIs are:

All of this information is considered sensitive, so it's important to protect it from unauthorized access. That's why cybersecurity measures are in place to ensure that only authorized individuals can gain access to this data.

Who is responsible for protecting PII?

From a legal perspective, the responsibility for protecting PII is not solely attributed to organizations; responsibility may be shared with the individual owners of the data. Companies may or may not be legally liable for the PII they hold.

However, according to a study by Experian, 42% of consumers believe it is a company's responsibility to protect their personal data, and 64% of consumers said they would be discouraged from using a company's services following a data breach.

In light of the public perception that organizations are responsible for PII, it is a widely accepted best practice to secure PII. A common and effective way to do this is using a Data Privacy Framework.

Sensitive vs. non-sensitive PII

PII can be classified as sensitive or non-sensitive. Non-sensitive PII includes information like your name, address, phone number, and email address. This poses little risk, even if it falls into the wrong hands. Sensitive PII, however, includes data such as SSNs, bank account details, passwords, and biometric data. If stolen or accessed without authorization, it can lead to serious financial crimes, identity theft, and more.

While there are no hard and fast rules on what constitutes sensitive data, an effective strategy is to evaluate whether a piece of information can be easily found in public databases or phone books. For instance, while an individual's personal telephone number can be considered private data, names and email addresses from corporate directories don't necessarily fit this definition, as they are usually publicly available.

According to regulatory standards, all sensitive data must adhere to specific protocols for storage and transfer. To protect this information from malicious third parties, encryption is essential, whether the data is at rest (sitting on a drive or in a database) or in motion (traveling across the network).

PII is not the only data subject to regulation: healthcare data and financial data are also safeguarded. Healthcare data is covered by the Health Insurance Portability and Accountability Act (HIPAA), which dictates the cybersecurity protocols for healthcare providers such as physicians, hospitals, dentists, and insurance companies, ensuring that all Protected Health Information (PHI) is safely handled.

A business must also adhere to the stringent regulations imposed by governing bodies that oversee financial data, such as the Financial Industry Regulatory Authority (FINRA), and to security benchmarks such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Sarbanes-Oxley (SOX) Act. If it fails to do so, it is exposed to punitive fines running into millions of dollars.

When does sensitive information become PII?

Context also determines whether something is considered PII at all. For example, aggregated anonymous geolocation data is often seen as generic personal data because the identity of any single user can't be isolated. However, individual records of anonymous geolocation data can become PII, as demonstrated by a recent Federal Trade Commission (FTC) lawsuit.

The FTC argues that the data broker Kochava was selling geolocation data that counted as PII because "the company's customized data feeds allow purchasers to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user's home address and could be combined with property records to uncover their identity."

Advances in technology are also making it easier to identify people with fewer pieces of information, potentially lowering the threshold for what is considered PII in general. For example, researchers at IBM and the University of Maryland devised an algorithm for identifying specific individuals by combining anonymous location data with publicly available information from social networking sites.

How PII is used in identity theft

Several retailers, health-related organizations, financial institutions (including banks and credit reporting agencies), and federal agencies, such as the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), have experienced data breaches that put individuals' PII at risk, leaving them potentially vulnerable to identity theft.

The kind of information identity thieves are after changes depending on what they are trying to gain. By breaking into computers and other digital files, they can open bank accounts or file fraudulent claims with the right stolen information.

In some cases, criminals can open accounts with just an email address. Others require a name, address, date of birth, Social Security number, and more. Some accounts can even be opened over the phone or on the internet.

Additionally, users can lose physical files, such as bills, receipts, physical copies of birth certificates, Social Security cards, or lease information, in the event of a burglary. Thieves can sell PII for a significant profit. Criminals may use victims' information without their realizing it. While thieves may not use victims' credit cards, they may open new, separate accounts using their victims' information.

PII laws and regulations

As the amount of structured and unstructured data available keeps mushrooming, the number of data breaches and cyberattacks by actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information.

Government agencies and other organizations must have strict policies about collecting PII through the web, customer surveys, or user research. Regulatory bodies are creating new laws to protect consumer data. Users are also looking for more anonymous ways to use digital services.

The European Union's (EU) General Data Protection Regulation (GDPR) is one of a growing number of regulations and privacy laws that affect how organizations conduct business. GDPR, which applies to any organization that collects PII in the EU, has become a de facto standard worldwide. GDPR holds these organizations fully accountable for protecting PII, no matter where they are headquartered.

PII security best practices

As organizations continuously collect, store, and distribute PII and other sensitive data, employees, administrators, and third-party contractors need to understand the repercussions of mishandled data and be held accountable. Predictive analytics and artificial intelligence (AI) are in use at organizations to sift through large data sets so that any data stored is compliant with all PII rules.

Additionally, organizations that establish access control procedures can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, two-factor authentication (2FA), and multifactor authentication (MFA).

Other recommendations for protecting PII are:

To protect PII, individuals should:

Individuals should also make online purchases and browse financial accounts only on HTTPS sites; watch out for shoulder surfing, tailgating, and dumpster diving; be careful about uploading sensitive documents to the cloud; and lock devices when not in use.