Financial services businesses must protect PII. DLP can help
Each industry has its own standards for protecting against data loss. We’ve written about the importance of using data loss prevention (DLP) for healthcare compliance regimes like HIPAA. As in the healthcare industry, strict guidelines such as PCI-DSS and GLBA dictate how people working with sensitive data in the financial services and technology industries must handle it.
With the massive amount of data moving between devices, databases, and the cloud, it’s hard for individuals to stick to regulations and policies that protect data. Apps and platforms may not always come with the security features required for your company’s data governance and compliance policies. Some industries, including financial services, are more prone to cybersecurity threats and data loss — in 2018, 10% of breaches involved financial services businesses, while the banking industry incurred the highest cybercrime costs at $18.3 million.
The financial services and technology sector requires reliable tools to protect customer data, with personally identifiable information (PII) being the main category of data at risk. A good DLP solution can protect the data from being lost or altered.
We created this blog post to explain what the different types of PII are, what’s really at stake when this data is at risk, and how laws only do some of the work needed to keep data safe. By the end of this post, it will be clear how DLP eliminates the risk of data exfiltration and why organizations need a security strategy that includes a DLP solution.
Know what PII is and why organizations must protect this data
Investopedia’s definition of PII shows that it’s not always easy to know what PII is and isn’t. The basic definition calls PII “information that, when used alone or with other relevant data, can identify an individual.” Among the many types of PII are direct identifiers (e.g. passport information) that can identify a person uniquely, or quasi-identifiers (e.g. race) that can be combined with other quasi-identifiers (e.g. date of birth) to successfully recognize an individual.
It gets more complicated when considering sensitive and non-sensitive PII. The difference in non-sensitive PII is that it’s accessible from public sources like phonebooks, the Internet, and corporate directories — which is why organizations should rethink posting phone number and email address data for individual employees on their websites.
Sensitive PII includes information like:
- Full name
- Social Security Number (SSN)
- Passport numbers
- Credit card number
- Financial information like taxpayer ID numbers or routing numbers
Non-sensitive PII (also known as indirect PII) can include the following data:
- Date of birth
- Place of birth
What regulations classify as sensitive versus non-sensitive PII isn’t always clear. Some sources list ZIP code under non-sensitive PII, but the California State Supreme Court ruled in 2011 that a person’s ZIP code is PII. The Massachusetts Supreme Court made a similar ruling in 2013.
The term “non-sensitive” PII diminishes the importance of keeping this data safe. This data may be publicly available, and while it cannot be used alone to determine an individual’s identity, it is linkable. This means that non-sensitive data, when combined with other linkable personal information, can reveal the identity of an individual.
Organizations have an even greater obligation to protect PII in today’s world, where data is everywhere and used in a multitude of applications and functions. Risk includes not just losing the data, but losing the trust of your customer base and losing millions of dollars — the average data breach costs an organization $3.9 million. The next section covers some common data loss vectors and how compromised PII can be used once it’s lost.
The risks of data exfiltration
Companies that share data about their clients should anonymize or encrypt the PII so the information can travel around and be stored in networks in a non-personally identifiable form. But the reality is that’s not always the case. Users can leave their organization’s PII at risk every day without even knowing the ramifications of their actions.
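To make “a non-personally identifiable form” concrete, here is an added example (written for this article, not code from the original post or from Nightfall) of pseudonymizing a customer record before it leaves a trust boundary: direct identifiers are replaced with keyed HMAC-SHA256 tokens, and quasi-identifiers such as date of birth and ZIP code are coarsened so they are less linkable. The column names, the key and the sample record are assumptions constructed for the example.

```python
import hmac
import hashlib

# Constructed example key for this demo. In production the key is generated
# once, held in a secrets manager, and never stored next to the tokenized data:
# whoever holds both can re-link tokens to people.
EXAMPLE_KEY = bytes(range(32))

# Column names are assumptions for this example; a real customer table differs.
DIRECT_IDENTIFIERS = {"full_name", "ssn", "email"}   # replace with a token
QUASI_IDENTIFIERS = {"date_of_birth", "zip_code"}    # coarsen, do not drop


def tokenize(value: str, field: str, key: bytes) -> str:
    """Deterministic keyed token for one direct identifier.

    HMAC-SHA256 under a secret key: without the key the token cannot be
    reversed or confirmed by guessing candidate inputs, yet equal inputs map to
    equal tokens so downstream systems can still join on them. Mixing in the
    field name stops the same string in two columns producing one token.
    """
    normalized = value.strip().lower()
    msg = field.encode("utf-8") + b"\x00" + normalized.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def generalize(field: str, value: str) -> str:
    """Coarsen a quasi-identifier so it stays useful but is less linkable."""
    if field == "date_of_birth":     # "1985-07-14" -> "1985"
        return value[:4]
    if field == "zip_code":          # "94103" -> "941**" (ZIP3 granularity)
        return value[:3] + "**"
    return value


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record that is safe to share or store elsewhere."""
    out = {}
    for field, value in record.items():
        if value is None:
            out[field] = None
        elif field in DIRECT_IDENTIFIERS:
            out[field] = tokenize(str(value), field, key)
        elif field in QUASI_IDENTIFIERS:
            out[field] = generalize(field, str(value))
        else:
            out[field] = value
    return out


# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "full_name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane.example@example.com",
    "date_of_birth": "1985-07-14",
    "zip_code": "94103",
    "account_balance": 1250.75,
}

if __name__ == "__main__":
    print(pseudonymize_record(SAMPLE_RECORD, EXAMPLE_KEY))
```

Keyed tokens rather than plain hashes matter for PII: an SSN has only a billion possible values, so an unkeyed hash can be inverted by hashing every candidate, and the HMAC key, kept apart from the data, is what prevents that. The quasi-identifier step reflects the ZIP code point above: tokenizing names alone would leave date of birth plus ZIP code as a linkable pair.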
Experian shares a few causes of data exfiltration and the associated risk of lost PII:
Unsecure internet activity isn’t just unsecured wifi connections or sites that contain malware. It can include collaboration apps that don’t have built-in data security measures, like Slack, GitHub, or the Confluence suite. None of these popular workplace collaboration apps are secure out of the box, and many people don’t think twice about the ramifications of sharing sensitive data across their organization through these channels.
A data breach can be catastrophic, so it’s important to use secure apps and systems to support any compliance and privacy regimes that apply to your business.
Social media is where most non-sensitive PII can be found. From there, it’s easy for thieves or bad actors to piece this information together with sensitive PII to wreak havoc, like stealing identities. Synthetic identity theft thrives on these social engineering schemes: a thief creates a fictitious identity by grabbing various pieces of information from different sources or people. By merging fake and real data, they can easily mask their activity and make it harder to track down or identify the theft.
Think about the last time you checked the privacy settings on your social media apps. The default settings aren’t designed in the best interests of the user — they’re focused on data collection. Bad actors know this, and they’re well versed in how to exploit these blindspots.
Protecting PII requires many considerations: where data loss happens and which laws and regulations govern practices for data collection and use. Get familiar with compliance standards to help shore up your data protection.
Compliance is an important first step
Knowing the laws that govern financial technology compliance is the first step to protecting customer PII. Companies must also make sure their actions, policies, and processes follow these laws.
We mentioned GLBA above, which stands for the Gramm-Leach-Bliley Act. GLBA promotes consumer privacy with regulations that limit the ways in which companies handle and share financial data. Under the act, financial institutions must create privacy policies and inform customers of those policies; specifically disclose to customers the conditions under which policy exceptions would allow financial information to be distributed to unaffiliated third parties; and provide an opt-out option so customers can prevent their private information from being disclosed.
GLBA compliance protects PII and also gives each customer better tools to manage and monitor their own data.
The Fair Credit Reporting Act (FCRA) regulates how consumer reporting agencies use credit information. The goal of the act is to promote fair and secure handling of consumer PII. Under FCRA, credit reports can only be made available to those with “legitimate business needs” as defined by the law, and the subject of the report (the owner of the PII potentially exposed within the report) must be notified of any request for their information. The FCRA also includes multiple measures to promote compliance: unauthorized access to a file, or obtaining a report under false pretenses, is a criminal offense, and both reporting agencies and those using the reports are liable for any noncompliance.
The responsibility of data loss prevention extends to any organization that has access to PII. As stated in the FCRA, businesses that access or use PII are also responsible for any activity that uses the data improperly. A DLP solution can offer total protection for financial institutions that handle PII: for their customers, for the organization itself, and for any vendors or partners that could be exposed to the data.
How DLP brings it all together: confidence in data protection and compliance
Maintaining protections for PII and other business-critical data is a challenging and evolving process. Keeping current on your compliance standards is a lot easier with a compliant DLP solution. A good DLP solution that can detect, classify, and protect business-critical data like PII can prevent the devastating losses from information leaks.
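As an added illustration of the “detect and classify” step (example code written for this article, not Nightfall’s detection engine or any code from the original post), the following scanner finds SSNs, payment card numbers and ABA routing numbers in free text, and applies the format and checksum rules for each type so that look-alike numbers such as order or ticket ids are not flagged. The sample messages are constructed and contain no real person’s data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # classification label, e.g. "ssn"
    masked: str   # redacted rendering safe to put in an alert or audit log
    start: int    # offset of the match within the scanned text
    end: int


# Patterns are deliberately loose; the validators below do the real work of
# separating PII from look-alike numbers (order ids, ticket ids, timestamps).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing-number checksum: weights 3, 7, 1 over the nine digits, mod 10."""
    if len(digits) != 9:
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the trailing digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan(text: str) -> list:
    """Return findings for SSNs, payment cards and routing numbers in one message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start(), m.end()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits), m.start(), m.end()))
    for m in ROUTING_RE.finditer(text):
        if aba_valid(m.group(0)):
            findings.append(Finding("routing_number", mask(m.group(0)), m.start(), m.end()))
    return findings


# Constructed sample messages standing in for chat or ticket text a DLP scanner
# would see; the numbers are test values and belong to no real person or bank.
SAMPLE_MESSAGES = [
    "Customer called, SSN on file is 123-45-6789, please update mailing address",
    "Card for the refund: 4111 1111 1111 1111, exp 09/26",
    "Wire instructions: routing 123456780, account ending 4412",
    "Order 123456789 shipped; ticket 000-12-3456 is not an SSN, neither is 987-65-4321",
    "Typo'd card 4111 1111 1111 1112 fails Luhn and should not page anyone",
]


def scan_messages(messages) -> dict:
    """Map message index -> list of classification labels found in it."""
    return {i: [f.kind for f in scan(msg)] for i, msg in enumerate(messages)}


if __name__ == "__main__":
    for i, labels in scan_messages(SAMPLE_MESSAGES).items():
        print(i, labels, [f.masked for f in scan(SAMPLE_MESSAGES[i])])
```

The checksum step is what separates a usable DLP detector from a noisy regex: a nine-digit order id fails the ABA weighting test and a mistyped card fails Luhn, so analysts only see alerts that are likely to be real. Each finding carries a masked rendering so the alerting pipeline does not become yet another copy of the PII it is meant to protect.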
Nightfall’s DLP platform can handle all your data protection needs and help your organization stay in compliance with common regimes like HIPAA, GLBA, and a lot more. No matter how well versed your security team is on privacy laws and policies, unsecured data is still a massive risk to your company. Start thinking about how to protect your organization on multiple fronts with DLP.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.