The Meaning and Value of Personally Identifiable Information
NIST Special Publication 800-122 defines Personally Identifiable Information (PII) as any information gathered, stored, and processed by an organization about any individual (customers, guests, clients, and subscribers). It further states that PII includes the following:
• Information that can be used on its own to distinguish or trace the identity of an individual. This includes personal information such as a social security number, place and date of birth, given name, driver’s license number, passport number, taxpayer ID, financial account or credit card number, paternal or maternal names, legal alias, and any other personal means of identification.
• Information that is traceable to an individual, including the educational, medical, financial, and employment history of that individual.
• Personal biological traits of an individual, including fingerprints, photographic images (especially of the face or another identifying characteristic), handwriting, or other biometric data such as retina scans, voice signatures, and facial geometry.
It is essential for organizations to identify which categories of data they genuinely need before profiling individuals. The information collected should be in line with PII best practices, which are widely applied across organizations, jurisdictions, and legal firms. Only data that is actually needed should be collected, and it must then be processed and stored appropriately.
The risk of losing PII to a crime syndicate is grave. Because PII sits in the database of almost every organization, unscrupulous actors now target it specifically to get their hands on valuable data. Identity theft is easy for cyber-criminals once PII has been breached, since a PII record yields a complete virtual identity of an individual. Information such as a social security number, date of birth, and employment history, all readily available in PII data sets, can be used for credit card compromise, email phishing, illegal purchases and credit card transactions, altering bank details, and in the worst case, a terrorist attack.
In light of the severe damage a stolen PII record can cause, the Federal Trade Commission has proactively ruled that victims of data theft can sue an organization for the long-term damages caused by PII stolen from that organization’s business database. The aftermath of PII theft is therefore more complicated than merely deactivating the credit card account involved and offering free credit reporting for a year. It is not uncommon to see class-action lawsuits against organizations that were careless enough to have their security and privacy statements violated through compromised PII data sets.
What Are an Organization’s PII Compliance Obligations?
PII is a legal term, not a technical term. Issues that involve PII therefore require awareness of, and compliance with, applicable federal, state, and county laws and regulations, as well as international and regional laws and industry regulations associated with the data sets being accepted, stored, and transmitted. Since the applicable laws and regulations vary by region and system of government, legal advice should be sought from a legal institution in the region involved. Variation in location and region should not, however, affect the confidential nature of PII. Access to the collected data must be strictly monitored and protected, and every touch point through which it is transmitted must be accounted for through auditing. Consistent adherence to a defined security control baseline ensures that PII is properly secured.
Beyond protecting the collected data, an organization should also run routine checks specific to PII exposure to ensure the secured data cannot be easily breached. The nature of the data set and the applicable legal regime should also determine whether further reporting on how the data is stored and transmitted is required.
Failing To Protect PII Presents Risk To Your Organization
In the recent past, a lackadaisical attitude that exposed sensitive payment card data attracted penalties such as monetary fines, followed by free credit monitoring services for the affected cardholders to ensure the safety of their funds afterward. Exposed PII data sets, in the wrong hands, can be used to tarnish the reputation and integrity of real people, leading to ruined credit ratings, a tainted criminal record, and other legal harms. Any organization that fails to properly secure its PII should be ready to face the full force of the law as brought by the victims of its inaction. Individuals and corporate customers will also have little or no confidence in such an organization, leading to a drastic decline in patronage and reputation.
The Ponemon Institute, an independent research organization, has estimated the cost of every exposed individual PII record at $178 per record. Additional research has shown that 30,000 records are typically exposed in an average breach, so the financial implications add up quickly. Notably, the Ponemon Institute’s description of breach cost states that “catastrophic” breaches of over 100,000 records are not covered in the breach cost evaluation. A careful tally of all the direct and indirect expenses of a breach, ranging from attorneys’ fees and lawsuit damages to PR damage control and the loss of customer confidence, makes it crystal clear that a PII breach can literally cause a major setback to any organization.
The Oversight Duty Of the Federal Trade Commission Over PII Breaches
The Federal Trade Commission (FTC) has assumed an oversight function for data security at the federal level. As a monitoring body, the FTC has established that any organization with “unreasonable data security” processes and procedures for protecting sensitive customer information is potentially liable to face stringent sanctions, which can take the form of fines, class-action lawsuits, and a public admission of the breach, proportional to the long-term damage caused by the PII breach. Breached organizations can also be required to enter into a 20-year agreement to ensure they maintain proper data security processes and procedures going forward.
It is imperative for organizations to implement a comprehensive data security solution that efficiently protects customer PII. To achieve this, tokenization and cloud data vaulting for PII offer ideal solutions for keeping data safe and the FTC at bay.
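To make the tokenization idea concrete, here is an added illustrative example (not NXT-Security’s product or API): a vault-based tokenizer that replaces a social security number in an application record with a random, format-preserving token and keeps the real value only in a separate vault that restricts who may reverse the mapping. The `TokenVault` class, the `fraud-review` role and the sample record are all assumptions constructed for this sketch.

```python
import re
import secrets

# Shape check for the constructed SSN-like values used in this example.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Hypothetical vault: the only place the real PII value is stored."""

    def __init__(self):
        self._by_token = {}   # token -> real value
        self._by_value = {}   # real value -> token, so re-tokenizing is stable

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("value is not SSN-formatted")
        if ssn in self._by_value:
            return self._by_value[ssn]
        while True:
            # Random digits from a CSPRNG: the token has the same shape as an
            # SSN but no mathematical relationship to the real value.
            digits = "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
            if token != ssn and token not in self._by_token:
                break
        self._by_token[token] = ssn
        self._by_value[ssn] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Reversing a token is the sensitive operation; gate it on role.
        if caller_role != "fraud-review":
            raise PermissionError("detokenization not permitted for this role")
        return self._by_token[token]


def store_customer(vault: TokenVault, record: dict) -> dict:
    """Return the record as the application database would hold it:
    the SSN field carries a token, so a breach of that database yields no SSN."""
    safe = dict(record)
    safe["ssn"] = vault.tokenize(record["ssn"])
    return safe


if __name__ == "__main__":
    v = TokenVault()
    # Constructed sample record, not real data.
    print(store_customer(v, {"name": "Ada Example", "ssn": "123-45-6789"}))
```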
Benefits of Tokenizing PII with NXT-Security
• Unlimited token storage; only pay per transaction
• Autonomous control over your reports, security, and tokens
• Completely customizable tokenization schemes to fit the type of data being secured
• SLA-backed, lightning-fast API requests, ensuring no site slowdown or business impact
• Multi-Language support for tokens
• Global reach with redundancies built in for every geographical region