Hardly a day goes by without a media report about a data breach that involves exposed personally identifiable information (PII). In the same way an organization takes care of its employees, customers, and finances, it also needs to ensure its sensitive data, such as PII, is well protected. Let’s explore what constitutes PII, the consequences of it being exposed, and what organizations can do to make sure it is properly protected.
What is PII and Why Does it Need to be Protected?
In general, PII, also known as Personal Data, includes any information that can be used to identify a particular person directly or indirectly. Examples of PII include, but are not limited to, the following:
- Full name
- Social Security number
- Passport number
- Credit card number
- Email address
There is also a category of information called quasi-identifiers, or linkable information. These attributes are not PII on their own, but when combined with each other or with PII they can single out an individual, at which point they qualify as PII. Examples of linkable information include, but are not limited to:
- Race and Gender
- Age or birth date
- Place of birth
- Education information
- Business telephone number
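The linkage risk described above is easy to see on a small dataset. The following is an added example, not code from the original article: it builds a constructed set of "de-identified" records (names removed, quasi-identifiers kept) and measures k-anonymity, the size of the smallest group of records sharing the same combination of quasi-identifiers. When k drops to 1, a single person is identifiable from those attributes alone, and a few known facts about them (here a constructed `KNOWN` profile) are enough to re-identify their record. All record and attribute names are assumptions for illustration.

```python
from collections import Counter

# Constructed sample export (no real people): names were stripped, but the
# quasi-identifiers and the sensitive attribute ("diagnosis") remain.
RECORDS = [
    {"id": 1, "gender": "F", "birth_year": 1984, "birthplace": "Leeds",   "education": "MSc", "diagnosis": "asthma"},
    {"id": 2, "gender": "F", "birth_year": 1984, "birthplace": "Leeds",   "education": "BA",  "diagnosis": "migraine"},
    {"id": 3, "gender": "M", "birth_year": 1984, "birthplace": "Leeds",   "education": "MSc", "diagnosis": "diabetes"},
    {"id": 4, "gender": "M", "birth_year": 1984, "birthplace": "Cardiff", "education": "MSc", "diagnosis": "none"},
    {"id": 5, "gender": "F", "birth_year": 1990, "birthplace": "Cardiff", "education": "BA",  "diagnosis": "none"},
    {"id": 6, "gender": "M", "birth_year": 1990, "birthplace": "Cardiff", "education": "BA",  "diagnosis": "none"},
    {"id": 7, "gender": "F", "birth_year": 1990, "birthplace": "Leeds",   "education": "BA",  "diagnosis": "none"},
    {"id": 8, "gender": "M", "birth_year": 1990, "birthplace": "Leeds",   "education": "MSc", "diagnosis": "none"},
]

# Constructed linkable information about one person, e.g. gathered from a
# public professional profile. None of these fields is PII on its own.
KNOWN = {"gender": "F", "birth_year": 1984, "birthplace": "Leeds", "education": "MSc"}


def k_anonymity(records, quasi_ids):
    """Size of the smallest group of records that share the same values for
    the given quasi-identifiers. k == 1 means at least one record is unique,
    i.e. someone can be singled out from those attributes alone."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def link(records, known, quasi_ids):
    """Records consistent with what is known about the target. A single hit
    re-identifies the person and exposes their sensitive attribute."""
    return [r for r in records if all(r[q] == known[q] for q in quasi_ids)]


if __name__ == "__main__":
    # Adding quasi-identifiers shrinks the crowd the target can hide in.
    for qids in (["gender"], ["gender", "birth_year"],
                 ["gender", "birth_year", "birthplace"],
                 ["gender", "birth_year", "birthplace", "education"]):
        hits = link(RECORDS, KNOWN, qids)
        print(f"{qids}: k={k_anonymity(RECORDS, qids)}, candidate records={[r['id'] for r in hits]}")
```

Running it shows k falling from 4 (gender alone) to 2 (gender plus birth year) to 1 once birthplace is added, and the four known attributes together match exactly one record, revealing that person's diagnosis. This is why a field that looks harmless in isolation still needs to be handled as PII once it sits next to other linkable fields.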
When trying to determine if data is PII, a good rule of thumb is to ask yourself if disclosing that information would result in damage to the individual’s privacy. If the answer is yes, then it is likely PII and needs to be protected because, if exposed to the public, it has the potential to infringe on an individual’s private life, and even do harm, especially if combined with linkable information. Information Commissioner Elizabeth Denham summed it up well saying, “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives.” This is one of the main reasons why many countries and regions are now implementing data privacy laws.
Consequences of Exposed PII
Much of the news regarding data breaches focuses on the harm to affected individuals, but data breaches are also very harmful to the organizations experiencing them. A breach of PII can result in the following:
Regulatory Violations and Fines
Regulatory violations have some of the most dire consequences for organizations, including, but not limited to, hefty fines. A serious violation of the GDPR, for example, exposes organizations to fines of up to €20 million or 4% of their annual global turnover, whichever is higher. Another example is the CCPA, which imposes civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, so the total scales with the number of affected records. Additionally, violating entities can be subject to an injunction. While not all countries or regions currently have data privacy regulations, Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population.
Loss of Reputation and Consumer Trust
Consumer trust is a huge factor in business success, and once broken, can be very difficult to get back. Nothing compromises consumer trust faster than misuse of customers’ valuable personal data. A survey conducted by Salesforce found that 48% of consumers said they had lost trust in brands during the pandemic due to misuse of personal information.
In addition to regulatory fines and consequences, affected individuals can take the matter of exposed PII into their own hands through litigation. In 2018, a breach at British Airways exposed the PII of over 400,000 customers, and in 2020 the UK Information Commissioner’s Office issued a £20 million GDPR fine for it. On top of the fine, in April 2020 a group action was filed by over 16,000 claimants seeking compensation for the exposure of their personal data. It was announced in July 2021 that British Airways had reached a settlement with a number of those claimants, and payouts were speculated to be up to €2,000 per person.
Impact on Future Earning Capacity
Data breaches can have consequences for many years after they happen, even after all the dust settles. IBM’s Cost of a Data Breach Report 2021 found that lost business represented the largest share of data breach costs at 38%. This included increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.
Protect PII with Data Classification
In order to avoid the detrimental consequences of exposed PII, organizations must know what PII they have and where it is at all times, so it can be properly protected. A data classification solution aids organizations in protecting PII and other sensitive data by allowing users to assign visual and metadata labels to the data they create or save, according to its sensitivity and value to the organization. The metadata labels allow downstream data security solutions, such as Data Loss Prevention (DLP) and Digital Rights Management (DRM), to recognize which data is sensitive and whether it requires further protection under organizational policy. Not only does classifying data let you know exactly what you have and where it is, it also provides the following benefits regarding the protection of PII:
Limit Access to PII
By knowing what data you have and where it is, you can limit who can access that data. Sensitive information, such as PII, should only be accessible to those who absolutely need it to do their job. A 2021 study conducted by IBM found that individuals with elevated access to critical assets, including PII, can pose a significantly higher risk than those with more limited privilege. Limiting access also reduces the chance that linkable information is combined with other data that could be used to identify a person.
See Who Has Accessed PII
Not only can data classification limit access to PII, the reporting capabilities provided by data classification let you know who has accessed PII (or any data, for that matter) and what they did with it, such as downgrading its classification level or downloading it to their computer. In the event of a breach or insider attack, this allows the incident to be detected much more quickly and lets the organization see exactly what data was exposed, so the proper actions can be taken immediately.
Aids Downstream Security Solutions
Once data is classified, your downstream security solutions, such as DLP, can read the metadata properties to determine how a piece of data should be handled and stop data labeled as PII from leaving the organization’s network. Structured PII is comparatively easy for a DLP solution to detect on its own, because much of it is numeric and follows a fixed format (bank and payment card numbers, dates of birth, national ID numbers), so it can be matched with patterns and, where a checksum exists, validated (for example, the Luhn check on card numbers). Pure pattern matching does produce false positives, though, since a run of digits without surrounding context may be an order or phone number rather than an identifier, and it cannot recognize unstructured PII such as names or addresses at all. That is why a classification label is the more reliable signal for a DLP policy, with content patterns as a second line of defence.
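To make the division of labour between classification labels and content patterns concrete, here is an added example of a minimal egress check, written for this page and not taken from the original article or from any DLP product. It scans constructed sample documents for payment card numbers (pattern match plus Luhn validation) and US Social Security numbers, but consults the document’s classification label first, so PII that no pattern can catch is still blocked. The label names (`PII`, `Confidential`, `Public`), the metadata layout and the sample documents are all assumptions for illustration.

```python
import re

# Assumed label vocabulary stamped into document metadata by a classification tool.
BLOCKING_LABELS = {"PII", "Confidential"}

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Candidates only: the Luhn check decides.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the usual hyphenated AAA-GG-SSSS form.
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Random digit runs of the
    right length fail it about 90% of the time, which removes most false
    positives from pure pattern matching."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    return SSN_PATTERN.findall(text)


def scan_content(text: str) -> list:
    """All (kind, value) content matches in a piece of text."""
    hits = [("card_number", d) for d in find_card_numbers(text)]
    hits += [("ssn", s) for s in find_ssns(text)]
    return hits


def egress_decision(document: dict) -> dict:
    """Decide whether an outbound document may leave the network.
    The classification label is checked first: it is the authoritative
    signal and covers PII (names, addresses, CVs) that regexes cannot see.
    Content patterns are the fallback for unlabeled or mislabeled data."""
    label = document.get("metadata", {}).get("classification")
    if label in BLOCKING_LABELS:
        return {"action": "block", "reason": f"classified {label}"}
    hits = scan_content(document.get("body", ""))
    if hits:
        kinds = ", ".join(kind for kind, _ in hits)
        return {"action": "block", "reason": f"content match: {kinds}"}
    return {"action": "allow", "reason": "no blocking label, no pattern match"}


# Constructed sample documents (test card number 4111 1111 1111 1111 and a
# well-known invalid demo SSN; no real data).
DOCS = [
    {"name": "invoice.txt", "metadata": {"classification": "Public"},
     "body": "Paid with card 4111 1111 1111 1111, ref 20210917"},
    {"name": "shipment.txt", "metadata": {},
     "body": "Order 1234567812345678 shipped, call 020-7946-0958"},
    {"name": "hr-notes.txt", "metadata": {"classification": "PII"},
     "body": "Candidate relocating from Leeds; see attached CV"},
    {"name": "payroll.csv", "metadata": {},
     "body": "Smith,078-05-1120,45000"},
]

if __name__ == "__main__":
    for doc in DOCS:
        decision = egress_decision(doc)
        print(f"{doc['name']:14s} {decision['action']:5s} ({decision['reason']})")
```

Three behaviours are worth noting. The invoice is mislabeled `Public`, yet the valid card number in its body still blocks it, which is the safety net content inspection provides. The shipment note contains a 16-digit order number and a phone number, neither of which survives the Luhn check or the SSN format, so it is allowed rather than generating a false positive. The HR notes contain no matchable pattern at all, and only the `PII` label stops them, which is exactly the case the article’s argument for classification rests on.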
Taking Precautionary Measures
Having data classified drastically reduces the chances of PII being exposed. But what if a data breach involving PII happened anyway; would all this classification be for nothing? Absolutely not. Regulators and courts take precautionary measures into account. Under the GDPR, for example, when setting a fine, one of the things regulators consider is the technical and organizational measures the organization had in place, as well as its history of previous infringements. Having the proper precautionary measures in place can result in lower fines and consequences, and it helps preserve reputation, because people can see the organization was not careless with their data.
With people more concerned about their personal data than ever, and privacy regulations on the rise globally, now is the perfect time to examine what steps your organization is taking and should be taking to protect its PII. It is much easier to take the precautions now, rather than trying to catch up every time there is a new regulation, or worse, deal with the cost and consequences of exposed PII.