Personally identifiable information (PII) is any data that can be used independently or in tandem with other information to directly or indirectly trace an individual's identity. PII includes names, Social Security numbers, credit card information, IP addresses, license details, and biometric details. Stolen PII is valuable and can be sold on the dark web, used in social engineering attacks, or used to commit identity theft. This is why most data protection regulations, including the GDPR and CCPA, mandate strict laws on how PII should be securely collected, stored, and processed. Implement the best practices listed below to protect the PII your organization houses.
Scour through various data repositories including file servers, cloud apps, databases, and more to discover scattered PII. Match regular expressions and keyword strings to locate all types of PII. An inventory of your organization's PII with details on where it is stored and who owns it is a vital prerequisite to securing it.
Use a data classification taxonomy to categorize PII based on both content and contextual parameters. The common classification taxonomy uses four classification labels, i.e., public, internal, confidential, and highly confidential. Either the data owners can classify the files manually, or a comprehensive data classification solution can categorize files automatically based on their risk scores.
Data minimization, which is the practice of limiting the collection, storage, and processing of PII to what is strictly necessary for business operations, is vital to ensure the security of the PII stored. Old, stale, and expired PII stored past its lawful usage period should be disposed of, including its copies that could reside in your backups.
Encrypt, pseudonymize, or anonymize PII stored in files in motion, at rest, and wherever possible. This renders the PII completely useless even if perpetrators manage to steal it. Use encryption technology that is strong and widely used. The National Institute for Standards and Technology recommends using AES.
DPIA is an ongoing process that helps identify and address the various security risks arising from processing personal data collected. The most important steps in conducting a DPIA includes assessing how a data breach would impact data subjects, scrutinizing the various security threats that could compromise the daily operations, and identifying measures and solutions that will help mitigate these security risks.
Establish the PoLP and provide only the bare minimum privileges required by employees for carrying out their daily operations. Files open to everyone and those that allow full control access leaves PII vulnerable to malicious insiders. Moreover, the PoLP helps minimize the attack surface, reduces unwanted access to PII, and limits the proliferation of ransomware.
Dedicated DLP software is the last line of defense against data theft, leak, and exposure. Prevent devastating loss incurred after a data breach by closely tracking and restricting unwarranted movements of files and folders containing PII via web apps, local devices, printers, and email.
Ensure your employees are aware of the security standards in place for accessing and processing PII. Training should include study materials on relevant technical measures and best practices for securely processing PII, various security threats to PII from internal and external factors, and more.
Devise an overall plan on how to quickly spot and respond to information security events that involve PII. Use an automated threat response mechanism that will cut off the attack and mitigate the security event, analyze the scope and risk, and communicate the incident to all stakeholders.
Prevent inappropriate use of PII that could expose the organization to a bevy of issues like compliance violation penalties and sensitive data exposure by enforcing a data usage policy. Draw up guidelines on who can access your files containing PII along with when and how they can be processed and stored.