Shashi Kallae

Personally Identifiable Information (PII)

Updated: Dec 13, 2023


Online Banking.

Introduction

Did you ever write down your User ID and Password on a piece of paper that is accessible to the world? Or have you shared your bank account credentials with a stranger at any point in time? Or did you try to open an attachment in an email without paying attention to the sender? Or have you accidentally shared any business-sensitive information with a friend or relative? When you are promoted to a new role that involves working directly with the customer, who is responsible for accurately classifying, securing, and protecting PII? Was your bank account compromised at any time? Did you see suspicious activity in your bank or credit card accounts? Oh my God, I felt drowned in a pool of questions! But it is essential to answer these questions. Why? Let's dig into it!


As technology advanced, so did cyber threats. Have you ever considered your personal information and whether it is safe in the outside world? Nowadays, it has become common practice to get someone's information without their consent, and it is getting tough to remove that information from the websites that are selling it, even if you opt out. Have you ever tried to look up your name in Google search? You would be astonished to see how many places you pop up, and that could be just the tip of the iceberg. Where do you think they are getting these details from? What are they doing with that information? Would you be overjoyed to see the information related to you, or would you be concerned about it? I'm curious to know your feedback on this in the comments section.

Hallucination

You may think your Organization might be using the world's top-notch technology, and the business information might not be at risk. We must understand that we can have up-to-date systems and the latest technology in the world, but if we fail to follow our security protocols, the whole system breaks down. Nowadays, an overwhelming number of data breaches are caused mainly by human error and carelessness.


Security threats are not going away; if anything, they are increasing and evolving. With that in mind, you will learn the most dangerous and common security issues employees encounter. Hopefully, this article keeps you and your organization out of trouble.


What is the main focus of this article?

Some of you might be familiar with this topic, while others might not. By the end of this article, you will be able to,

  1. Understand the risks and consequences to you, your organization, and its customers, shareholders, and employees related to safeguarding confidential and proprietary information.

  2. Determine appropriate steps to ensure customers know their rights regarding using their information.

  3. Apply appropriate policies and procedures consistently to reduce risk.


So, let's find out which information is General PII and Sensitive PII from the perspective of an average person and a company. Let's delve into and explore what type of data is sensitive!


What is Personally Identifiable Information (PII)?

Any information that allows someone to determine a person's identity, directly or indirectly. It can include details such as Social Security Number, full name, date of birth, address, and so on.


Classifications of PII

Personally Identifiable Information (PII) is classified into various categories, such as,

  1. General PII: Non-public information identifiable to a specific person directly or when combined with other information.

  2. Sensitive PII: Personal Information of an Individual where exposure to unauthorized parties or bad actors may cause significant harm or risk to the customer.

  3. Business Contact Information: Related to an organization or a company's employees and customers.

  4. Protected Health Information: Health information of an Individual.


Examples of PII

PII is any data directly or indirectly related to you and could be used to identify you.


Personal Data, Illustration by Shashi Kallae.

Personal data, such as information about an individual's characteristics (height, weight, eye color), behaviors, and other demographic-related information, must be classified as General PII. This data is non-public information that is identifiable to a specific person directly, or when combined with other information.


Examples:

  1. Name.

  2. Address.

  3. Telephone Number.

  4. Username.

  5. Email address.

  6. Customer Business Information.

  7. Other personal information.


Personal information of an individual where exposure to unauthorized parties or bad actors may cause significant harm or risk to the customer must be treated as Sensitive PII.


Sensitive Personally Identifiable Information (PII), Illustration by Shashi Kallae.

Examples:

  1. Social Security Number.

  2. Driver's license, passport, or other unique government-issued identification number.

  3. Full Account number.

  4. Credit or Debit card Number.

  5. Personal Identification number or password that would grant access to the customer's profile or account.

  6. Racial and ethnic origin.

  7. Religious and Philosophical beliefs.

  8. Union membership.

  9. Fingerprint or retina scan.

  10. Protected Health Information (PHI) data.


BCI Examples:

Business Contact Information (BCI) of employees and contractors is internal information that is used for communication with an individual about their employment, business, or profession. However, if BCI is about one of the customers, then that information is considered General PII and is therefore classified as Confidential.


PHI Examples:

Health status, provision of health care, or payment for health care is classified as Highly Confidential.


Information Assets

Information Assets are any Information you have access to or learn while on the job regarding the business's customers, employees, and proprietary information.

  1. Customer Information of a concerned business.

  2. Employee Information of a concerned business.

  3. Proprietary Information of a concerned business, including but not limited to

    1. Shareholders.

    2. Business Partners.

    3. Processes.

    4. Policies.

    5. Procedures.

    6. Public Documents.


Classification of the Data (Perspective to a Business)

Data classification is important because it determines who handles the data and the level of security needed to handle the information safely. Data must be protected out of respect for both customers and team members. Disclosing confidential data opens a business to regulatory, disciplinary, and financial risk for failing to comply with applicable policies and regulations. This may create negative publicity for the company, there could be a loss of business, and it might lead to litigation.


All employees, including contractors, as well as the business itself, are responsible for accurately classifying, securing, and protecting PII. A business should tell all its customers how it collects, shares, and protects their personal information. A company's privacy practices tell everyone a great deal about the company's business ethics and its fit for today's online culture. This privacy notice should inform customers why, what, and how they share or don't share personal information, including how a customer can limit the business's information sharing.


PII Data Classification System


PII Data Classification System, Illustration by Shashi Kallae.

PII data is broadly classified based on levels of privacy and sensitivity. Some documents contain extremely private and sensitive information such as SSNs, EINs, and TINs, to name a few, while other documents contain public information such as business financial documents, corporate reports, and many more. Some of the PII data classification levels are,


  1. Public.

  2. Internal.

  3. Confidential.

  4. Highly Confidential.

  5. Security Measures.


Public Information:

The least sensitive category is public information. This data is available in the public domain.


Examples
  1. Corporate announcements.

  2. News Releases.

  3. Marketing brochures.

  4. Annual Reports.


Internal Information

Internal Information is used by Internal employees on a day-to-day basis.


Examples
  1. Commonly shared documents, such as operating system procedures and policies.

  2. Corporate telephone numbers.

  3. Organizational Charts.

  4. Policies, Standards, and guidance documents.


Confidential Information

Information whose disclosure could affect an organization's reputation.


Examples
  1. Customer or personal data.

  2. General PII.

  3. Non-public personal information, such as Payroll information, Intellectual property.


Highly Confidential:

Information whose disclosure could heavily affect an organization and its customers.


Examples
  1. Account Numbers and Client Numbers.

  2. SSN

  3. Sensitive PII

  4. PHI

  5. Strategic business plans

  6. Insider Information.
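The two taxonomies above (General vs. Sensitive PII, and the Public/Internal/Confidential/Highly Confidential levels) are easiest to apply consistently when a system does the first pass. The script below is an added example, not code from the original article: it scans a block of free text (for instance a support ticket before it is emailed or logged), flags the PII it can recognize by pattern, assigns the highest classification level those findings warrant using the mapping this article gives (General PII such as email and phone numbers is Confidential; SSNs, card numbers and other Sensitive PII are Highly Confidential), and returns a redacted copy. The regular expressions, the Luhn check used to weed out random digit runs, the default level of Internal for text with no findings, and the sample ticket are all constructed for this example; a real DLP rule set would be broader, and names (which have no reliable pattern) are deliberately not detected.

```python
import re
from dataclasses import dataclass
from typing import List

# Classification levels as named in this article, least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Highly Confidential"]

# Illustrative detectors (constructed for this example, not a complete DLP rule set).
# Each entry: (label, PII category from the article, classification level, regex).
DETECTORS = [
    ("ssn", "Sensitive PII", "Highly Confidential",
     re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("card_number", "Sensitive PII", "Highly Confidential",
     re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),          # 13-19 digits, optional separators
    ("email", "General PII", "Confidential",
     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("phone", "General PII", "Confidential",
     re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
]


@dataclass(frozen=True)
class Finding:
    label: str
    category: str
    level: str
    start: int
    end: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real payment card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Finding]:
    """Return non-overlapping PII findings in reading order."""
    findings = []
    for label, category, level, pattern in DETECTORS:
        for m in pattern.finditer(text):
            if label == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue        # digit run that is not a card number (e.g. an order reference)
            findings.append(Finding(label, category, level, m.start(), m.end()))
    findings.sort(key=lambda f: (f.start, -f.end))
    kept: List[Finding] = []
    for f in findings:
        if kept and f.start < kept[-1].end:
            continue            # overlaps an earlier finding; keep the first one
        kept.append(f)
    return kept


def classify(text: str) -> str:
    """Highest classification level any finding warrants; Internal when nothing is found
    (the default is an assumption of this example, not a rule from the article)."""
    findings = scan(text)
    if not findings:
        return "Internal"
    return max((f.level for f in findings), key=LEVELS.index)


def redact(text: str) -> str:
    """Replace each finding with a bracketed label so the text can be logged or forwarded."""
    out = text
    for f in reversed(scan(text)):  # right to left so earlier offsets stay valid
        out = out[:f.start] + "[" + f.label.upper() + "]" + out[f.end:]
    return out


# Constructed sample ticket; every value in it is fictitious.
SAMPLE_TICKET = (
    "Customer Jane Doe (jane.doe@example.com, 555-123-4567) reports a failed payment "
    "on card 4111 1111 1111 1111; SSN on file 123-45-6789. Order ref 1234567890123."
)

if __name__ == "__main__":
    for f in scan(SAMPLE_TICKET):
        print(f"{f.label:12} {f.category:14} -> {f.level}")
    print("Classification:", classify(SAMPLE_TICKET))
    print("Redacted:", redact(SAMPLE_TICKET))
```

The order reference in the sample is a thirteen-digit number that fails the Luhn check, so it is left alone; the card number passes and is redacted. Running `classify` before a ticket is emailed gives the "proper approvals" step under Training something concrete to gate on: anything that comes back Highly Confidential should never leave the approved channel in the clear.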


What happens when a customer's information is inaccurate?

When a customer contacts the business to check the accuracy of their information, the business should verify the customer's identity and then determine whether the customer's information is correct. This means the customer can review the information the business holds about them and contest its accuracy if they believe it is incorrect.


Note that authenticating the customer and verifying their identity ties directly to the concept of Integrity. However, the employees of a business should also be aware of bad actors who present themselves as employees of the same company, supposedly calling from a different branch office location.


What happens if there is a Data Breach?


Data Breach Serious Consequences. Illustration by Shashi Kallae.

A data breach can have serious consequences. A data breach could be caused by human error, by bad actors pretending to be employees of the company in order to steal PII data, or by malicious software or a virus. When that happens, there will be,

  1. Disciplinary action against the employee, including dismissal from the company.

  2. If the employee stole any sensitive information and committed fraud or theft, criminal charges may be brought.

  3. Regulatory/Law enforcement actions on the company.

  4. Negative publicity on the company.

  5. The company may lose business opportunities due to loss of public trust.

  6. Litigations against the company.


Threat actors relentlessly target organizations to mine for high-value data such as customers' and employees' personally identifiable information (PII), passwords, and proprietary information.


As bad actors look to exploit employees to access data and systems, the organization needs you to help shore up the defenses against these attacks. Reducing the risk of human error is essential to securing a business. Recent reports from multiple industries find that many data breaches involve a human element. Ensuring that everyone in an organization is responsible for security is one of the most effective ways of protecting you and the organization.


How to secure Confidential Information (from an Organization's perspective)

Depiction of Employee Training Program.

Awareness

As a business continues to expand its international geographic footprint, compliance with international privacy regulations is of the greatest importance. International privacy regulations require businesses to adhere to strict privacy requirements when they collect and/or process the data of international data subjects. Noncompliance carries severe consequences. Awareness is critical.


Training

  1. Employees must be trained to avoid unacceptable methods of handling PII, such as emailing, sharing, processing, or disclosing PII without proper approvals.

  2. During client presentations, employees must exercise caution about compromising any PII-related data.

Security Measures

If an employee sees something suspicious, they should report it to their manager and file a complaint (or its equivalent) with the security department and line of business as soon as they can.

The report should be as detailed as possible and tell the full story when describing the issue.

Failing to submit a complaint or its equivalent can open Pandora's box.


Privacy Policies

Privacy policies are the legal documents that describe how an enterprise handles customer, employee, and client information. The company must issue privacy notices describing how it collects data and how it plans to use that data. Some of the well-known and standard privacy policies are mentioned below.


Enterprise Privacy Policy

The Enterprise Privacy Policy provides the basis for compliance with US and Canadian privacy and data protection requirements. It covers compliance with the Gramm-Leach-Bliley Act (GLBA) as well as with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canadian Anti-Spam Legislation (CASL).


European Privacy Policy

The European Privacy Policy applies to the use and management of European PII and supports General Data Protection Regulation (GDPR) compliance. It also discusses PII data management for individuals in Germany and the UK.


The California Consumer Privacy Act of 2018 (CCPA)

California became the first state in the nation to pass a law giving people more control over their digital data. The CCPA was recently amended by the CPRA (California Privacy Rights Act), which went into effect on January 01, 2023. The CCPA/CPRA provides stringent protection of consumer privacy for CA consumers.

California consumers have the,

  • Right to request disclosure of certain information collected over a 12-month period.

  • Right to request a copy of the personal information collected in the prior 12 months.

  • Right to know whether their personal information is sold or disclosed, and to whom.

  • Right to request deletion of any personal information the business has collected.

  • Right to request correction of any inaccurate information.


Privacy and Data Protection Acts


Illustration by Shashi Kallae.

  • US CAN-SPAM Act

  • Canadian Anti-Spam Legislation (CASL); CASL/CAN-SPAM lookup database.

  • Telephone Consumer Protection Act (TCPA).

  • The Junk Fax Prevention Act (JFPA).

  • The Children's Online Privacy Protection Act (COPPA).

  • Reverse Solicitation Exemption (RSE).

  • Existing Business Relationship (EBR).


Conclusion

Companies have started implementing security measures to educate their employees on preventing the human element from creating security threats and on following specific security protocols to safeguard PII. As the saying goes, nothing is perfect. The more advanced the technology, the greater the security issues. Protecting PII is your responsibility.


To remediate and keep your PII safe, use MFA (multi-factor authentication), use a trustworthy password manager, and try not to browse on public Wi-Fi; if you do, use well-known VPN software. Subscribe to identity theft protection programs, regularly monitor your SSN profile, and do the same for your family members. Limit what you share online, periodically check where your details pop up, and unsubscribe from those unwanted websites.

