Research from Gartner suggests that, by 2023, more than 60% of the world’s population will be covered by some form of personal data protection legislation. From GDPR to CalPRA, privacy regulations are on the rise.
These compliance regimes aim to protect a user’s rights to their data and include measures to dictate how a company should collect, store, process, and erase an individual’s personal information. In practice, these compliance regimes encourage businesses to implement more effective, stringent approaches to data security.
PII compliance is not a monolith: rather, it’s made up of different regulations and best practices that help keep private information secure. Here’s what the current landscape of PII compliance looks like, and how businesses can take concrete steps to implement PII compliance best practices.
[Read more: Understand How User Privacy Can Improve Cybersecurity]
What is PII compliance?
PII stands for personally identifiable information — any data that can be used to identify a specific person. The most common forms of PII include things like Social Security numbers, email addresses, and phone numbers. PII can also refer to digital identifiers, such as biometric data, geolocation, user IDs, and an IP address.
PII compliance is a complex ecosystem. Unlike Protected Health Information (PHI), which is primarily governed by HIPAA, there is a network of regulations all over the world that aim to enforce PII compliance.
Broadly speaking, PII compliance can be organized into industry data protection standards or geographical data protection standards. Industry standards dictate how PII should be treated in a certain market, while geographical criteria includes added requirements concerning where data is stored and where those who access the data are located.
For instance, in the U.S., the National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, Social Security number, and biometric records, which can be used to distinguish or trace an individual’s identity.
The EU relies on the General Data Protection Regulation (GDPR), which aims to protect consumer privacy by mandating companies to be transparent about the data they collect, regulate how companies process data, and improve reporting of data breaches.
In Australia, the Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained—a much broader definition than in most other countries.
These are just a few of the PII compliance standards in existence worldwide. More laws come into effect every year, such as the California Privacy Rights Act and the California Consumer Privacy Act. For the health industry and the financial sector, HIPAA and PCI DSS govern the use of PHI and PII, respectively.
Clearly, protecting PII is a top priority for governments and consumers. How can your enterprise meet PII compliance standards?
PII data classification: sensitive PII and non-sensitive PII
First, it’s important to differentiate between sensitive PII and non-sensitive PII. This distinction helps you prioritize your security tools and processes to ensure you are meeting minimum PII compliance standards.
Sensitive PII refers to any information that has “legal, contractual, or ethical requirements for restricted disclosure,” according to Experian. This includes things like Social Security numbers, passport information, bank details or a credit card number, and medical records covered under HIPAA.
Non-sensitive PII is any information that can be found in the public record, such as in a phone book or in an online directory like LinkedIn. Non-sensitive PII includes things like date of birth, address, religion, ethnicity, or a business phone number.
PII compliance requires protecting both types of PII data. Sensitive data, for obvious reasons, should be encrypted due to the potential damage that could result if the information is compromised. Non-sensitive data is less of a risk; but, when combined with sensitive data, this PII can still be used to commit fraud or identity theft.
For this reason, it’s important to include both sensitive and non-sensitive data in your PII compliance measures.
PII compliance checklist
Because PII compliance regulations vary worldwide, you should check with an IT security expert or an attorney to find out if your security measures adhere to regulations. Nevertheless, taking these PII compliance steps will help you meet most minimum PII compliance requirements.
Step 1: Identify and classify PII
First, establish what PII your organization collects and where it is stored. This is an iterative process that should be carried out periodically to ensure all PII is being properly identified, stored and protected.
Determine what definition of PII applies to your particular industry or location. For instance, if you are operating in California, you will need to use the PII definition in the CCPA. This definition informs what you will scan your operating environment for.
Once you have a clear picture of the types of PII you will need to protect, find out where that data is stored. This includes gaining visibility into your data at rest, data in motion, and data in use. To do this, use regular expressions, keyword sets, or both to locate and match PII. Reduce false positives in your data discovery scans by deploying compound term processing and proximity scanning.
You may have PII stored in non-machine readable formats, such as images or hand-written notes. Here, a tool like Nightfall can help: Nightfall scans unstructured data and parses text from 100+ file types, including customer chat logs, JSON objects, application logs, spreadsheets, PDFs, images, and screenshots.
Once you’ve uncovered PII, it’s time to audit the security protocols that are already in place and create a system for classifying data.
Step 2: Create a PII compliance policy
Next, create a PII policy that governs working with personal data. The GDPR offers six core principles for data processing. Even if you aren’t governed by the GDPR regulation, these principles offer a good foundation for building your own PII policy.
Make sure your PII policy sets forth who can access PII, as well as the (limited) acceptable ways in which PII can be used for business purposes. This policy should provide the framework for implementing tools to reinforce user access.
A strong PII policy will include the following sections.
- An acceptable data usage policy: Outline which roles or individuals have a legitimate business need to access files and folders containing PII. Set forth rules to how PII can be used.
- Detailed audit trails: Records that keep track of all file accesses and modifications with detailed information on who accessed what, when, and from where.
- A schedule for periodic training and retraining: Set forth rules around periodic security awareness training centered around PII protection.
- Breach notification procedures: Determine the steps to take if a personal data breach does occur, how and when to notify the individuals, authorities, and any other partners.
- A data flow map: Create a map that enables IT security admins to track and scrutinize the movement of files and folders containing PII.
These sections are a good starting point for your PII compliance policies, which should also meet geographic or industry-specific compliance regime requirements.
Step 3: Implement data security tools
Securing PII takes a layered approach to security, which is detailed in the final section. Your data security tools should aim to reduce the risk of data leaks and unauthorized individuals accessing sensitive and non-sensitive PII. This includes using encryption, endpoint security, and cloud data loss protection.
Data security and PII compliance tools fall under five broad categories: governance, risk, and compliance; protection of data from loss or tampering; the ability to respond to data subject access requests; the processing and storage of logs for compliance auditing; and cookie consent.
Governance, risk and compliance tools are those that can be set up to comply with a specific standard, such as SOX or GDPR. These tools can be adapted automatically to track compliance to that standard or configured for a specific need. GRC tools help identify both internal risk and external risk.
Data loss prevention (DLP) tools classify, detect, and protect information (data) in three states: data in use, data at rest, and data in motion. The purpose of DLP is to enforce corporate data security policies that govern where data does (and doesn’t) belong.
A data subject access request (DSAR) is a mechanism defined in GDPR and cited in other geographically-based PII security regimes. It’s simply a way for a consumer to ask and receive the information (data) that your company holds about them, and to modify or remove inappropriate data if that person wishes. Your company should have tools in place to make responding to and complying with DSARs easy.
Most PII security regulations require companies document all security events on a network and its endpoints for audit purposes. You may wish to install security event and information management (SIEM) systems to achieve this step.
Finally, GDPR and most other regulations require cookie consent. GDPR and CCPA consider certain cookies to be PII. As a result, your business should seek to limit exposure to these PII compliance requirements by getting extensive permission from the site visitor up-front. Cookie consent tools can help.
Step 4: Practice IAM
Identity and access management (IAM) the practice of defining and managing user roles and access for individuals within an organization, ensuring that the right people have the right level of access to the right information. IAM requires creating and proactively managing role-based access controls. This practice ensures that only those who need to have it can access PII, lowering the risk of an insider threat or accidental leak.
[Read more: 5 Identity and Access Management Best Practices]
Step 5: Monitor + respond
Finally, part of your PII compliance checklist should include a business continuity and recovery plan. This plan outlines how to recover from a data leak and how to protect the business in the event of an attack.
Likewise, include a schedule and system for regularly monitoring your PII. “Most PII breaches happen without anyone noticing. It takes an average of 207 days for most companies to identify and repair a breach, which gives cybercriminals plenty of time to exploit the stolen data,” wrote the experts at XPlenty.
How to protect PII
Tools like Nightfall can take on the monitoring responsibility, automating some of the more time-consuming tasks of PII compliance. Nightfall is a cloud-native DLP platform that helps maintain data security. Nightfall specifically uses machine learning detectors that are capable of object character recognition (OCR) and natural language processing (NLP) to classify strings, files, and images that contain PII, PHI, and a wide variety of sensitive data. From there. we implement rules that let you monitor who has access to this data and control when to redact or remove it.
In addition to Nightfall, organizations should implement to following tools to achieve PII security compliance.
- Endpoint management: Endpoint protection is a broad category that includes everything from managing device firmware and monitoring hardware activity to providing on-device security in the form of antivirus protection.
- 2FA or MFA: 2FA and MFA are part of IAM, and can help verify that a user logging in is who they say they are.
- Encryption: Encryption is key for working with data in motion and data at rest (e.g., data that’s being transferred via email as well as any PII that’s being stored securely). Find an encryption tool that also allows you to decrypt data as needed.
- Storage: Secure storage could come in the form of an offsite server, encrypted hard drive, or any cloud storage system that uses cloud DLP software.
[Read more: DLP helps organizations stay compliant and protected]
Protecting PII isn’t just a matter of compliance; it’s good for building trust with your clients and customers. Learn more about PII compliance in our security guide for remote first organizations. And, to get started with Nightfall, schedule a demo at the link below.