Blog

Securing the Human Element: A Modern Guide to Effective PII Management and Protection

Author icon
by
Brian Hutchins
,
December 5, 2024
Securing the Human Element: A Modern Guide to Effective PII Management and ProtectionSecuring the Human Element: A Modern Guide to Effective PII Management and Protection
Brian Hutchins
December 5, 2024
Icon - Time needed to read this article

See Nightfall in action

Explore a self-guided tour of Nightfall's product and platform.

Your marketing team just launched a successful lead generation campaign. Sales is processing new contracts. HR is onboarding employees. And your customer support team is handling dozens of account updates. Each of these routine activities involves personally identifiable information (PII). What exactly is PII, why do you have to secure it, and how do you keep this data secure without slowing down your business?

What is PII?

PII or Personally Identifiable Information is any data about an individual that can be tied to that individual’s identity. PII typically includes full name, Social Security Number (SSN) or other national citizenship ID number, passport numbers, credit card number, and financial information like taxpayer ID numbers or routing numbers

Legally codified definitions of PII vary between jurisdictions. For example, in California, in order for a security incident to count as a breach of PII (or personal information as it's defined in Cal. Civ. Code §1798.82) it must impact data containing

An individual’s first name or first initial and last name in combination with any one or more of the following data elements in plaintext:

  • Social security number, tribal membership ID, driver’s license number, California's identification card number, tax identification number passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual, account number or credit or debit card number, in combination with any required: security code, access code, or password that would permit access to an individual’s financial account.
  • Additionally, PII can include medical information, health insurance information, unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image that is used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes. Finally, PII can include information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5, and genetic data.

How can PII be stored in the cloud safely?

To store PII securely in the cloud, organizations should implement the following best practices:

  1. Encryption: Ensure data is encrypted both at rest and in transit to protect it from unauthorized access. Use robust encryption protocols, such as SSL/TLS for data in transit and AES-256 for data at rest. Additionally, consider implementing encryption key management best practices, such as key rotation and secure key storage, to maintain the integrity of encrypted data.
  2. Access controls: Employ strong access controls to limit access to PII to only authorized personnel. Implement role-based access control (RBAC) to assign permissions based on job responsibilities, multi-factor authentication (MFA) to verify users' identities, and the principle of least privilege to ensure users have the minimum necessary access.
  3. Data segregation: Segregate PII from non-sensitive data to reduce the risk of unauthorized access or exposure. Store PII in separate databases, storage accounts, or containers and implement additional access controls to limit access to these segregated areas.
  4. Data retention and disposal: Establish data retention policies to store PII only for the required duration and securely dispose of it when it's no longer needed. Implement secure deletion techniques, such as cryptographic erasure or physical destruction of storage media, to ensure that the deleted data cannot be recovered.
  5. Data Loss Prevention (DLP): Implement DLP solutions to monitor, detect, and prevent the unauthorized transfer or exposure of PII. DLP tools can be configured to identify sensitive data patterns, such as credit card numbers or Social Security numbers, and take appropriate actions to prevent data leakage, such as alerting, blocking, or encrypting the data.
  6. Cloud Security Posture Management (CSPM): Utilize CSPM tools to continuously monitor and assess the security posture of your cloud environment. These tools help identify misconfigurations, compliance violations, and potential threats, enabling organizations to remediate security issues proactively and maintain a robust security posture.
  7. Incident response planning and training: Develop a comprehensive incident response plan to handle potential data breaches or unauthorized access to PII. Conduct regular training sessions and drills to ensure that employees are aware of their responsibilities during a security incident and are prepared to respond effectively.

By implementing these best practices, organizations can improve their security posture and store PII safely within cloud systems.

What regulations do I have to follow to store PII in the cloud?

Several regulations outline requirements for securing PII in the cloud. While each regulation has its nuances, they generally aim to protect individuals' privacy and ensure responsible data handling. Key regulations include:

  1. GDPR (General Data Protection Regulation): GDPR is a comprehensive data protection regulation that applies to organizations processing personal data of individuals in the European Union. The challenge with GDPR compliance lies in the strict requirements around data subject rights, such as the right to be forgotten and data portability, which demand robust data management processes.
  2. CCPA (California Consumer Privacy Act): This data privacy law governs the collection and use of personal information for California residents. Unique challenges under CCPA include the need to provide consumers with the option to opt-out of the sale of their personal information, necessitating a mechanism to track and manage such requests.
  3. HIPAA (Health Insurance Portability and Accountability Act): HIPAA is a U.S. regulation that mandates the protection of sensitive patient health information. The challenge with HIPAA compliance lies in the need to secure not just PII but also Protected Health Information (PHI), requiring additional safeguards and strict access controls.
  4. PIPEDA (Personal Information Protection and Electronic Documents Act): PIPEDA is a Canadian law that governs the collection, use, and disclosure of personal information in private sector organizations. Challenges with PIPEDA compliance include the requirement to obtain consent for the collection and use of personal information, as well as providing individuals access to their data upon request.

The Daily Reality of PII Management

Every business day, your organization handles countless pieces of sensitive personally identifiable information (PII)–from tax forms collected and used by HR teams, to finance teams who process credit card payment information, to customer email addresses used to send monthly. In fact, without the ability to collect and store PII, many business operations that fuel productivity and profitability would grind to a halt.

Since businesses can't do without PII, but are obligated to protect every piece of PII collected and stored in their systems, a proactive approach is required alongside reactive technologies to help govern and protect sensitive data from security breaches

Let's explore how to make PII security and strict regulatory requirements work in real-world scenarios.

Common Workflows That Need PII Protection

Marketing Automation and Lead Handling

Many marketers don't consider data security in their zeal to deliver more leads to hungry sales teams, yet customer records and CRMs remain attractive targets for threat actors. In July, the popular marketing automation platform HubSpot experienced yet another breach of customer accounts. As a result, impacted organizations had to contact their own customers to explain that they have been exposed to the risk of identity theft, social engineering attacks, and other scenarios that don't exactly inspire trust with customers.

What to do: 3rd Party Vendor Reviews & Policy Enforcement

What can you do to mitigate risks surrounding mission critical marketing and sales tools? First, when shopping vendors, it's vital to review all documentation of their internal security measures, like role-based access control for their own employees, in addition to security controls they provide you and your team to protect your accounts. Additionally, review their documentation around secure storage. If a vendor balks at your request to review documentation or tells you it's private information, that's a significant red flag.

Second, you can mitigate a number of security threats by updating your own security policies and maintaining strict access controls. Third, you can implement a tool that monitors and enforces user compliance in apps like Salesforce. We'll explore that more later.

Internal Data Handling Errors in SaaS

While key in your risk mitigation strategy, CRMs are actually not the most significant threat vector to your data. A number of common employee practices put sensitive data in harm's way. For example, most employees don't consider it risky to share CRM exports, spreadsheets, and other files that contain client names, email addresses, phone numbers, and other PII across internal collaboration SaaS, including messenger apps like Teams and Slack, project management and support apps like Jiraand ZenDesk, or collaboration and work enablement apps like Confluence or Google Workspace.

While invite-only SaaS may feel private and secure, breach after massive breach proves that getting unauthorized access to an organization's SaaS is not a difficult task for attackers. All it takes is one phishing email or one set of leaked credentials, and suddenly organizations who may have extremely robust security programs find themselves facing legal consequences, noncompliance fines, and loss of customer trust as errant PII falls into the wrong hands. You could replace your SaaS with another tool, but that doesn't really address data sprawl and security teams' lack of visibility into policy violations.

What to do: Data Detection and Response & Exfiltration Prevention

DDR has become non-optional for organizations who truly want to avoid insider threats to–and external theft of–sensitive corporate data. Proper DDR tools enable you to identify and protect sensitive data like credentials, PII, and IP across the enterprise attack surface using AI-powered detectors that operate both in real-time and retrospectively, ensuring that nothing slips through the cracks. Learn more.

Human Resources Business Processes Carry Inherent Risk

As a core part of their role, HR professionals HR handles some of your most sensitive data. They procure and store information on employees' health insurance, ensure paychecks are delivered to the right financial institutions, and handle many other tasks that carry a great deal of legal liability. For that reason, a great deal of training is required for most HR professionals surrounding security best practices and privacy policies. From Social Security numbers to medical records, this data needs to be protected from potential threats that can occur during processing activities.

What to do: Protect, Monitor, and Enable Secure Sharing

  • Deploy secure document upload systems and monitor for potential security risks.
  • Create robust data security measures (like encrypted storage) for employee files.
  • Establish clear off-boarding data procedures and add departing employees to high-risk monitoring profiles.
  • Monitor your security posture in cloud workspaces with a security solution like Nightfall AI that tracks file sharing and allows you to see and remediate access changes in near real time.
  • Set up secure sharing with benefit providers, such as email encryption that can be turned on for sensitive communications with a simple browser plugin. (Keep in mind that the easier your email security is to use, the more likely your employees are to follow protocols–and vice versa.)

Customer Support Meetings & Documentation

Every good client support team needs quick access to customer information. They need to access records, share customer data internally with engineers or other product team members, create detailed financial reports, and more. If you add the presence of a contact / call center, the risk increases exponentially.

Call centers mean recorded conversations that are often rife with sensitive PII. Because of this, attackers will go to great lengths to find and steal phone call recordings, transcripts, and customer records. A major call center in the Middle East recently lost millions of records to hackers who not only stole their data, but offered any and everyone paid access to those records on the black market. Regulatory fines, repairing damage to customer service reputation, and dealing with legal fallout will be an ongoing process for them now.

What to do: Don't just create policies–enforce them.

  • Monitor and protect all sensitive data call center employees handle or access.
  • Implement and enforce strong data security standards in the form of internal policies.
  • Create audit trails for data access changes over time, maintaining  activity logs.
  • Track and monitor data handling and file history to proactively identify sharing and access changes to sensitive files–and the users who made them.
  • Use secure note-taking and call recording systems, rather than leaving customer information in Teams or Slack channels, or a Notes app, or other SaaS.
  • Protect all data sharing channels to secure sensitive communications, using data detection and response to identify and remediate non-compliant data sharing.

Steps Every Business Needs to Take Today

The Federal Trade Commission offers a clear-cut process to securing PII in the form of 5 steps that are rooted in vital best practices for risk mitigation, including data minimization, governance, and incident response planning:

  1. TAKE STOCK. Know what personal information you have in your files and on your computers.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep, continually removing any users with unnecessary access.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

Why It Doesn't Happen

IT and security professionals are typically fully bought-in on best practices for mitigating risk to PII. Without tools to help automate and speed these steps up, however, most teams don't have enough time to even accomplish Step 1 with any degree of accuracy or timeliness. Visibility into where every email address, active API key, or exported spreadsheet of customer data lives in your environment simply isn't realistic without the right tools.

Not only would manual searches be time prohibitive but every business workflow happening daily changes the attack surface again. So, it's important to provide budget to security teams, so they can implement the tools they need to enforce data handling and regulatory compliance policies.

Making Security Work for Your Teams, Not the Reverse

Taking a comprehensive approach to protecting sensitive data is key to avoiding the potential consequences of a data breach. In today's risk landscape, mitigating cyber threats requires teams to surpass yesterday's risk assessments, encryption solutions, and the use of complex passwords. Today's security technologies need to be realistic–fast, easy, and effective.

  1. Smart Tools for Daily Tasks

If you want to ensure your security team is able to see and stop suspicious activities, giving them the right tools for real-time monitoring and visibility is essential.

Look for solutions that speed up your security team's protection efforts, rather than making every layer of protection time and labor-intensive.

  • Auto-classify sensitive documents. Literally no one has time to scour every digital file 24/7. Get a tool that automates this for you. You'll never look back.
  • Enable secure ways for your teams to share necessary files with external partners, like implementing privacy settings that require recipients to use strong passwords to reverse bank-grade encryption each time they want to access or read a file.
  • Monitor all digital collaboration spaces to the point that you know what data lives in every file and who has access to it at all times, enforcing privacy measures with automated workflows to find and remediate unnecessary or unsecured sharing of PII.
  • Automate compliance checks and policy enforcement to ensure you not only comply with data protection laws and privacy laws designed to protect PII, but

2. Create and Speed Up Efficient Workflows

Create and automate processes that make secure behavior the easy choice:

  • One-click secure sharing options can automatically prevent sensitive file recipients from sending to other, unauthorized users with a simple file encryption feature users can toggle on or off with a browser plugin.
  • Automate encryption for sensitive data.
  • Create clear data handling guidelines, and automate messages to users that help them correct their own data handling mistakes. This not only reduces your security team's work load, but has the benefit of highly effective, on-the-job security awareness training.
  • Create simple compliance checkpoints using real-time monitoring tools that help identify and remediate noncompliant activity at every step: when files are created or uploaded to SaaS apps in your environment, when messages or attachments are posted, the moment after a user hits send and before the email leaves the corporate environment, etc.
  • Provide security teams with all the information they need to conduct data security investigations in a single pane of glass: impacted digital assets, actions taken, actors, date and time stamp, etc.

3. Make Training Practical, Accessible, and Applicable

Build a security-aware culture through relevant training:

  • Real-world scenario workshops can be helpful, as can hands-on activities like a physical escape room where employees must complete a series of cybersecurity tasks in order to "win" the game.
  • Team-specific security guidelines can help tailor practices to people's day-to-day jobs. These kinds of policies are much more effective than general anti-phishing campaigns that often have little or no effect on users' ability to catch malicious activity in the wild.
  • Quick reference guides can help ensure employees have a place to go when they need to review a security policy. Giving them the ability to get right to the information they need, rather than sift through dozens of pages of policy to find it, is essential to making sure it gets used. Apps like Notion can help with this.
  • Regular refresher sessions can be delivered as periodic formal trainings, or as automated invitations and reminders for employees to remediate their own mistakes.

Best Practices That Actually Work

  1. Make Security Intuitive
  • Use single sign-on wherever possible to reduce time spent logging in and increase productive time.
  • Create clear data handling workflows to automate robust security measures.
  • Talk to your security engineers. They will tell you exactly what to look for in tools that provide
  • Let teams use SaaS applications they love to make their jobs and lives easier–just secure them with robust controls and automated security workflows. Tools like Nightfall AI help retrain users with better data handling policies while also preventing data leaks.
  1. Enable Productive Collaboration
  • Secure the data sharing and collaboration channels employees already use. Rather than enabling complex sharing channels that require separate portal logins and extra steps for employees, just automate data security that works across Slack, Teams, Google Drive, etc.
  • Enable secure external communication with strong email encryption tools.
  • Implement smart access controls that will automatically restrict access based on a file's classification, ideally with a tool that can also scan files to assign classification based on contents–not just history. This combination ensures that if sensitive data is added to a file that was previously innocuous, low-access users won't be able to see that data just because it's in a new location.
  • Align your data security monitoring strategy to riskier user groups. Integrations with apps like Okta and Microsoft Entra ID help you automatically move users to different monitoring profiles when their role or employee status changes. That way, you can use stricter monitoring settings for people with more access, or who may present increased insider risk.
  1. Support Business Growth
  • Ensure your security tools can scale with your business. If you implement tools you're bound to outgrow, you're setting up the security and IT teams for a future rip-and-replace headache.
  • Adapt protection levels to data sensitivity using an automated scan-and-classification DLP tool.
  • Create flexible yet secure workflows that allow you to automatically stop risky data sharing activities, while also allowing for business justified one-offs.
  • Enable safe innovation using a DDR tool that can not only secure the rest of your data, but will also protect your IP and source code in apps like GitHub.

Building for the Future

Your security strategy should support growth while protecting data. Consider:

Technology Integration & Ease of Use

  • Connect security tools with daily workflows to reduce portal overload, minimize the amount of dashboards security teams have to manage, and increase likelihood of compliance.
  • Maximize security tool use across multiple channels with tools that have multiple integrations. For example, using in-app security tool like Slack DLP or Google DLP will mean your security analysts will have to manage policy creation and enforcement, as well as a separate dashboard, for every SaaS app in your environment. Instead, choose a solution that lets you manage policies and enforcement across every mission critical SaaS app.
  • Automate routine security tasks like redaction, blocking, or classification updates to reduce the amount of time your teams spend on manual activities.
  • Enable secure cross-platform operations. Similar to streamlining your security solutions, integrations and workflows
  • Support remote work by focusing infrastructure on cloud accessible tools, from workspaces to SaaS. Advanced data security solutions can handle nuanced security needs that come with the cloud. If legacy security tools can't handle your DLP needs, ditch them for modern solutions that can. One thing you won't be able to ditch in today's dispersed workforce environment is cloud-first IT. You just need cloud-first security to go with it.

Key Takeaways

Look for solutions that not only speed up reactive security, but also promote proactive security practices to elevate your security culture. To keep up with the never-ending potential for suspicious behavior, you also need continuous data monitoring of your data and digital assets to mitigate the risk of both external and internal threats.

  • Security can enhance productivity
  • Smart tools make protection easier
  • Clear processes support compliance
  • Team engagement drives success

Your business handles sensitive data every day. Make that handling both secure and efficient. Start with one area, demonstrate success, and build from there. Your teams—and your customers—will appreciate the thoughtful approach to protecting their information.

Remember: Good security enables business. It doesn't block it.

On this page

Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo
Nightfall Brand Logo
Newsletter

Subscribe to our newsletter to receive the latest content and updates from Nightfall

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By registering, you agree to the processing of your personal data by Nightfall as described in the Privacy Policy.

Compatible with

© 2024 Nightfall. All Rights Reserved.

Terms of ServicePrivacy PolicySecurity
Twitter LogoFacebook LogoLinkedIn Logo