Imagine this. Your company falls victim to a phishing scam and every single one of your employees’ W-2s is compromised. You wake up to find out that you’re being sued to the tune of millions of dollars by virtually every employee on your payroll.
The lawsuit states negligent business practices and claims that these negligent practices are directly responsible for the theft and fraudulent use of your employees’ W-2s and the information within them. Sound like a nightmare? A corporate thriller soon to be released?
Unfortunately for Seagate, an electronics company based in California, this situation actually happened. A scammer called HR and posed as the CEO, stating that he needed all the W-2s emailed to him so he could prepare the next year’s taxes. The HR representative immediately sent a file containing the W-2s of over 10,000 employees to the contact information given to her. Now, scammers are actively using this information to file fraudulent tax returns both for the employees and people named on the W-2s, such as spouses and family members. The employees are suing the company, and there’s a good chance they will win.
This case study is a perfect example of PII getting into the wrong hands due to lack of employee education, only one of the many weaknesses that your company may have, right now.
What is PII?
PII, Personally Identifiable Information, is not a new term. Most IT professionals already know the term, and everyone knows the importance of keeping the network protected and the information secure. This article is intended to be a useful tool, providing the background and key information about PII all in one place, for reference and for training others. The article begins with the fundamentals and then follows up with some of the more technical aspects.
As the name implies, any information that relates to somebody’s identity and/or can be used to identify an individual is considered PII. From your Social Security number to your zip code, there are many forms of PII, and if you’re running a company, or an IT department, you’re in charge of a great deal of personally identifiable information. From your employee’s names to your client’s email addresses, any PII that calls your network home is inherently at risk. The bad news is that no network is ever immune to security breaches, whether accidental or intentional, and serious ramifications can be in store for companies who experience such breaches. However, the good news is that there are procedures you can put in place and steps you can take to ensure any PII on your network is as secure as possible.
But it’s not just about protecting you from security breaches. That’s only one threat of PII. Depending upon your organization’s industry, you are likely subject to various laws and/or government regulations regarding what PII you are permitted to keep and in what precise ways the data must be stored and protected. If you fail to comply with a certain law or agency regulation, you can receive some serious fines. These fines are expensive and will happen regardless of whether or not the PII is ever hacked or accidentally released.
Who Has PII?
It’s not just companies that have personally identifiable information, and where companies are concerned it’s not just your employees that you have the PII of. Think about your vendors, business partners, clients, and independent contractors. However, think beyond the office and you’ll soon realize just how prevalent and widespread PII is. Hospitals and doctor’s offices keep medical records. Educational institutions keep student records, up to and including financial documents. Even your local library has enough information on you to cause concern were they ever the victims of a breach (or even if they were just inspected by the applicable government regulator). If you think that’s taking it too far, consider that all it takes to personally identify 87% of the American population is a gender, a zip code, and a date of birth.
Network Storage and Data Security
Data exists everywhere on your network. From the login information your employees use to access various systems to the records stored on any number of computers, data is everywhere, including PII. Many companies (and non-profits) hire on-site or third-party consultants and professionals to help them with their information technology and security tasks. However, even that may not be enough to prevent a data breach.
While all data can be defined by an umbrella description, not all data is created equal. There are states of data — and understanding the states of data you possess can help you understand what makes it vulnerable.
Data in Use
One state of data is “in use”. Data in use is any data that exists at a specific point, such as a personal computer, that employees use to do their job. This data is used frequently from that single endpoint or location, but isn’t lying around unused and isn’t being sent across or out of the network.
Data at Rest
SharePoint, Exchange servers, web servers, information storage systems, and file servers are all examples of places where data is at rest. It exists at an endpoint in the system, like data in use, but it’s not being used. Instead, this data is being stored. Think of it this way: A beautiful, canary yellow ’69 Boss Mustang sits in an automobile museum in Daytona. One day, you decide to drive your new Mustang GT to the museum and check out the cars of yesteryear. For that period of time, both cars are in Daytona, and maybe within 100 yards of each other, one safely locked away and one in the parking lot. They’re both at an endpoint, yet their functions are very different. Your new, sleek, modern machine is in daily use, and the historic muscle car is rarely even started. Data in use is used frequently, and data at rest is stored.
Data In Motion
The final state that data can be in is “in motion”. Data in motion, as the name would imply, is any data that’s being transferred within or out of the network. Emails, file transfers, and many similar operations are all forms of data in motion. As you can imagine, data in motion is, at times, the most vulnerable type of data, especially if it leaves the network. However, all states of data are open to attack.
States of Data and PII
You might be wondering why you should care about the states of data, and that’s a valid question. The answer is that every state of data is important when considering a plan to protect the PII in your network. It’s easy to forget about data at rest. And data in motion is, well, on the move, so you might not consider it as part of your network at all. However, any plan that seeks to protect your employee and company information has to consider every state of data in order to be complete and effective.
Types of Data Loss
Data loss can happen at any moment, and it’s a great cause for concern if you’re not taking steps to continually monitor and protect the PII on your network. Just as there are types of data there are also types of data loss.
Accidental Data Loss
Nobody is immune from the potential of losing data by accident. This kind of data loss occurs when someone is negligent or an oversight happens that results in data being lost or compromised. If a file containing employee or customer PII is left out and it gets into the wrong hands, that’s accidental data loss. There are almost endless ways you could accidentally lose data. That’s why it’s important to have a reliable system in place to prevent such loss.
Malicious Data Loss
Malicious data loss occurs when someone intentionally steals, manipulates, inappropriately disperses, or otherwise tampers with PII or other data. This form of data loss could happen due to someone hacking your system and stealing PII, the more common scenario that one might think of when considering malicious data loss. However, accidental oversights could also lead to malicious data loss. For instance, if you accidentally leave a computer screen showing employee PII up when you have an office visitor, that visitor might use the information for malicious purposes. That being said, for the sake of simplicity, malicious data loss typically refers to purposeful action on the part of a person or group of people seeking to tamper with or steal PII.
Creating Acceptable Use Policies (AUPs)
If you’re reading all of this with a growing sense of panic, that may be a sign that you need to put more time and/or resources into the handling of PII. But it’s not all bad news. While there are legitimate reasons for concern, there are also some best practices that can help you avoid accidental or malicious data loss and keep your company PII safe. The most common way to protect your company’s and employees’ PII is to create acceptable use policies that define and meticulously describe the forms of data within the company and the appropriate, approved ways that data can be handled, used, and transferred.
What is an AUP?
An acceptable use policy is basically a way to balance the need for your employees to access and use data with the necessity of keeping that data safe and controlled. Since you can’t shut off access to PII across the board and still expect to run an efficient business, you can create policies, or a protocol, to ensure that data is being used and managed in the safest way possible. In the same way that you blow out candles before going to bed and follow similar rules to protect your home from a fire, following AUP guidelines will help you protect your network from data loss.
Why is an AUP Necessary?
You might think that it would be enough to tell your employees to be careful with the data they utilize and security issues would be solved. Unfortunately, that’s not how it works. An acceptable use policy ensures that everyone is using and managing data in the exact same way and that the protocol you’ve determined to have the best chance of success is understood and utilized by everyone in the company. Essentially, it’s a standard that holds everyone accountable and increases the chances of securing your data.
How to Develop an AUP
It sounds like a daunting task to create a single policy that will cover all the security bases required to keep your company safe. However, if you follow the general steps laid out below, you should be able to arrive at a policy that addresses pertinent issues and common areas of weakness and keeps your company secure.
Step 1: Identify
The first step to creating an effective and thorough AUP is to identify all the personally identifiable information on your network. Don’t forget to cover all three states of data, including data at rest and data in motion, not just data in use. Make a list of all the locations where PII can be found throughout your network.
Step 2: Prioritize
Once you have your list of PII, the next step is to prioritize it. While there are multiple ways to do this, it’s best if you prioritize it from most sensitive to least sensitive. In other words, the SSNs of your clients and employees would be extremely sensitive while the corporate email addresses of your employees might not be so critical. Keep in mind, however, that just because certain PII is lower on the list of concerns doesn’t mean you don’t have to protect it. For this step, it may help for you to consult whatever industry regulations you are subject to. For example, if you are in health care, I probably don’t have to tell you that the Health Insurance Portability and Accountability Act (HIPAA) would be applicable.
Step 3: Locate
Now you know all the PII you have on your network and you’ve prioritized it from most sensitive to least sensitive. The next step is to actually locate all the PII you identified in step one. Document the location of all the PII on your network, then move to the next step. LinkTek is developing software that can help with this. Depending on when you are reading this article, it may be available.
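Steps one through three (identify, prioritize, locate) can be partly automated. The script below is an added example, not LinkTek's software or anything from the original article: it scans a set of constructed sample files for common PII patterns, ranks each location by the most sensitive type found, and adds a penalty when gender, zip code and date of birth co-occur, the quasi-identifier combination mentioned earlier. The file paths, regular expressions and sensitivity weights are all assumptions chosen for illustration.

```python
import re

# Simple detectors for common PII types, each paired with a sensitivity rank
# (higher = more sensitive). The patterns are deliberately loose and will produce
# false positives; treat the output as the starting point for a manual review.
DETECTORS = {
    "ssn":    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),
    "dob":    (re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"), 3),
    "email":  (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
    "zip":    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), 1),
    "gender": (re.compile(r"\b(?:male|female)\b", re.IGNORECASE), 1),
}

def scan_text(text):
    """Step 1 (Identify): return {pii_type: count} for one file's contents."""
    found = {}
    for name, (pattern, _) in DETECTORS.items():
        hits = len(pattern.findall(text))
        if hits:
            found[name] = hits
    return found

def score(found):
    """Step 2 (Prioritize): rank a location by its most sensitive PII type, plus a
    bonus when gender + zip + DOB co-occur, since that combination alone can
    single out most individuals even without an SSN."""
    if not found:
        return 0
    base = max(DETECTORS[t][1] for t in found)
    if {"gender", "zip", "dob"} <= set(found):
        base += 2
    return base

def build_inventory(files):
    """Step 3 (Locate): return [(path, score, findings)] sorted most sensitive first."""
    rows = []
    for path, text in files.items():
        found = scan_text(text)
        if found:
            rows.append((path, score(found), found))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample files standing in for file shares, mailboxes and similar locations.
SAMPLE_FILES = {
    r"\\fileserver\hr\w2_2015.csv": "Jane Doe,123-45-6789,02/14/1980,female,33101\n",
    r"\\fileserver\marketing\contacts.txt": "alice@example.com bob@example.com\n",
    r"\\fileserver\research\survey.csv": "male,90210,07/04/1975\nfemale,10001,11/30/1988\n",
    r"\\fileserver\it\readme.txt": "Nothing to see here.\n",
}

if __name__ == "__main__":
    for path, s, found in build_inventory(SAMPLE_FILES):
        print(f"{s:>2}  {path}  {found}")
```

The resulting list is the prioritized inventory of locations that Step 4 builds on; note that the survey file ranks above the contact list even though it contains no SSNs, because of the quasi-identifier combination.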
Step 4: Creation
While AUP creation can be an extensive process, the entirety of which can’t be covered in a single article, if you’ve followed steps one through three you’ve got a great foundation on which to build an AUP. Make sure you list out the types of PII on your network, how important each is, and the location where it can be found. Create best practices and rules of engagement and management for each location and type of data, including which data shouldn’t be transferred or sent out of network. This is where finding and using any and all applicable industry regulations is more than just a good idea, it is vital. I already mentioned HIPAA (for those in healthcare), but there are a host of others, any one or two of which may apply to your field. For example, your company, agency or non-profit may be subject to the GSA Privacy Act. (GSA, which stands for “General Services Administration”, is one of many U.S. Federal government agencies.)
While not necessarily applicable to other types of organizations, this is an example of an AUP for Johns Hopkins University.
This is one place where Information Technology and Information Management (IM) can and should work together. At the least, there should be some sort of Legal Officer in your organization who is (or becomes) knowledgeable as to which regulatory bodies you come under and what they require in the area of storing, securing, handling and protecting PII.
Step 5: Education
Once your AUP is in place it’s important to train and educate all your employees on how to handle this information. Make sure every section of your AUP is covered, and do some in-person examples so your employees truly know what’s appropriate and what’s not when it comes to handling, using, viewing, transferring, and managing the various types of PII on your network.
Step 6: Execution
Now you have to carry out your AUP and keep it in place. When you first start, this may involve IT and/or IM actually making changes to where and how your data is stored and also transferred. This is another place that technology gets involved, and would be the subject of another article all by itself.
Going through the process of creating an AUP and training your employees might sound time-consuming, and it can be. But if an accident occurs or someone manages to break into your system and data loss is the result, you’re going to want to be able to show some proof that you did your due diligence and made every possible effort to ensure the security of PII on your network.
Companies have lost millions, even billions, of dollars due to lawsuits resulting from data loss, and some companies have even gone out of business entirely, crumbling under the weight of legal and financial ramifications that occurred because of data loss. Take the time now to ensure the security of the data on your network, and you’ll be able to rest easier and show that you did your part if the unfortunate event of data loss ever does happen.
The least you need to know is that PII is everywhere, it’s incredibly important, and securing it should be your top priority. Make sure you know the various types of PII you have on your network, and do your part to create acceptable use policies that clearly state your expectations for how employees use and manage this data. While no system of PII protection is ever perfect, with an AUP in place you’ll be able to demonstrate that you understand how important it is to protect the PII on your network and that you took steps to ensure its security. Putting in the work today can help you save time, money, and even your business. As an added bonus, you’ll help improve your reputation and secure the trust of your clients, as well.