Protecting Your PII
Author(s): Dr. Glen E. Newton, Posted on February 26th, 2016
In a previous blog, we looked at the concept of PII—Personally Identifiable Information—and its appearance in several different variations, including sensitive PII, highly restricted personal information, and highly sensitive data.
Regardless of the terms used, protecting PII from unauthorized access is an essential part of every company’s security policies, because when PII is revealed to unauthorized users, it often appears in the news media with a title like,
“Huge data breach at <insert your company name here>.”
The result? Loss of reputation, potentially large fines, loss of customer confidence, disruption of business activities while dealing with the breach, and possible loss of business opportunities.
To help prevent this kind of unfavorable publicity, where do you begin? Your company needs security policies, standard practices, and security training.
We previously looked at steps you can take to implement a security framework for PII protection. Three key steps are:
- Identify all PII residing in your environment.
- Minimize the collection and retention of PII; if you don’t need it, don’t collect it.
- Develop PII protection guidelines that fit into your business processes.
The United States Department of Homeland Security (DHS) Handbook for Safeguarding Sensitive Personally Identifiable Information includes recommendations for protecting PII in electronic form.
Once you’ve decided which PII you must keep because it’s essential to your business, make sure it is well protected. Here are some standard practices, based on the DHS recommendations, which you and your co-workers can incorporate into your daily routines and security policies to protect your PII.
- Encrypt stored PII. (Remember that many data breach laws provide a safe harbor to avoid penalties if stolen data is encrypted.)
- Keep the encryption key for PII separate from the media containing the data.
- Store PII on shared access computer network drives only if permissions settings or passwords restrict access to those with a need to know.
- When connecting to a server that houses PII, use an encrypted connection and server validation.
- Encrypt external portable hard drives and USB flash drives that contain PII.
- Do not return failed hard drives to vendors for warranty repair or replacement if the device was ever used to store unencrypted PII.
Personal computer use
- Lock your computer when you leave your desk.
- Do not permit your computer to remember passwords.
- Protect against “shoulder surfing” by using a privacy screen if you regularly access PII in an unsecured area where those without a need to know or members of the public can see your screen, such as in a reception area.
- If you email PII, use encrypted email.
- When reporting an incident, do not forward compromised information (e.g., SSN, full name, birth date, etc.).
Your ClearPath servers include features that you can use to protect your PII. Take advantage of them and re-examine your security policies, standard practices, and security training to make sure that everyone who accesses your PII does it securely.