The deluge of data in today’s digital environments can leave many information security teams struggling to stay afloat. Tracking all of the sensitive information in your internal systems—much less, keeping it secure—requires a Herculean effort with the necessary resources to match. Whether you’re in the initial stages of a data discovery project or re-evaluating your existing security practices, it’s critical to operate with an understanding of different data types and how each should be handled.
One of these crucial data types is personally identifiable information (PII). Organizations need to know how to protect personally identifiable information to comply with the industry standards and international regulations that comprise today’s privacy landscape. This task, however arduous, can improve data governance and security practices while protecting customers and building consumer trust.
What is personally identifiable information?
Not to be confused with personal data, which the EU’s General Data Protection Regulation (GDPR) defines as any information “related to an identified or identifiable natural person,” personally identifiable information (PII) is data that can be used to determine a person’s identity. That might seem like a small distinction, but in practice, it’s fairly significant. Not all data related to a person has the capacity to identify an individual, so only data from which a person’s identity can be derived falls under the umbrella of what is personally identifiable information.
If that isn’t complicated enough, existing regulations offer varying definitions and terms for PII. However, the above description serves as a solid, general baseline. In regard to how the term is used in specific regulations, let’s look at the California Consumer Privacy Act’s (CCPA) take on a personally identifiable information definition since CCPA will mostly affect U.S. businesses.
Personally Identifiable Information Definition
The CCPA uses the term personal information instead of personally identifiable information to refer to “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual….” In some cases, this can include information shared on social media. Here are some examples of these identifiers.
According to the CCPA, any organization that has a gross annual revenue of over $25 million, processes at least 50,000 California residents’ records for commercial purposes, or can attribute half of its revenue to the selling of personal information must follow the requirements of the CCPA—or risk facing substantial fines and other penalties.
How to Protect PII in Your Organization
The first step in protecting PII within your organization’s data environment is understanding how to define PII. Once you’ve familiarized yourself with the type of information you need to secure, you can start thinking about how best to execute a security strategy to meet the relevant regulatory compliance obligations.
1. Identify all of your PII
Before PII protection can be achieved, you need to know which types of your data are PII. As stated earlier, this can vary depending on factors such as which country you’re located or doing business in—and what industry standards and regulations you’re subject to as a result. Once you’ve established an appropriate definition for PII, you can match it to the relevant data types in your possession.
2. Discover where PII is stored
Similar to the implementation of a data governance program, one of the first steps for how to protect personally identifiable information is to perform a data discovery, or mapping, exercise. This allows you to locate PII within your network and other environments and see where it travels throughout your organization. Once you’ve mapped the flow of data, you should know where your PII resides and how to isolate or segment those systems from the rest of your environment.
3. Minimize your PII
This practice isn’t specific to PII compliance, but it’s just as effective with PII as it is with any other type of data. Data minimization is nothing new for security practitioners and for good reason—you don’t have to worry about data that you don’t process or store. Simply minimizing the amount of PII in your systems can be an easy and effective way to reduce the security controls and compliance scope of your data environment.
4. Monitor your accounts
Another effective method for protecting PII is the use of access control measures to limit access to the data to only the specific individuals within your organization whose roles require them to view or interact with that data. This reduces the risk of data exposure by preventing unnecessary access to sensitive data. Only those with a business-need-to-know should be authorized, and even then, that access should be restricted and monitored. Monitoring access also makes it easier to determine how a breach occurred in the instance that data does become exposed.
5. Secure your data with tokenization
One of the most effective solutions for how to protect personally identifiable information is tokenization. This security technology obfuscates data by exchanging the original sensitive information for a randomized, nonsensitive placeholder value known as a token. The token is irreversible and has no direct relationship to the original data, which is stored in a cloud outside of the tokenized environment. Because tokenization removes sensitive data and stores it off-site, it virtually eliminates the risk of data theft. Even if a breach were to occur, no sensitive data would be exposed—only the nonsensitive placeholder tokens.
How to Protect Personally Identifiable Information from Data Breaches Without Data Loss
Security practices such as encryption obfuscate sensitive data to the point of limiting its value for business purposes. Tokenization offers greater flexibility by preserving much of the original data’s utility. By using format- and length-preserving token schemes, tokenization can retain elements of the original data—such as the first six and/or last four digits of credit card number—so that those values can be protected but still used for analytics and other purposes.
This maintenance of a data’s business utility—and your organization’s agility—is just one example of tokenization’s flexibility in protecting personally identifiable information for maximum security and PII compliance. For more information about how tokenization can help your organization protect PII, contact us today.