Information.Governance.Yahoo.Data.Breach.2016.jpgThe loss of Personally Identifiable Information (PII) can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Businesses today have an obligation to protect the sensitive data of their employees and customers and, in doing so, protect their company value, reputations and futures.

As data breaches are gradually accepted, if not tolerated, as an increasingly common reality of corporate life in the digital age, the drive to protect Personally Identifiable Information (PII) has risen for organizations in all markets. 

Still, data breaches impact all walks of business today. 

The latest example? As reported on December 16, 2016 by Reuters, Yahoo came under fire by federal investigators and lawmakers after disclosing the largest known data breach in history - Yahoo has one billion user accounts at risk - causing Verizon to demand better terms for its anticipated purchase of Yahoo's internet business. 

Yahoo isn't alone in making recent data breach headlines. 

According to the New York Times, Yahoo customers are encouraged to change their Yahoo passwords, as well as scour through other services to confirm passwords used on different sites are not similar to their Yahoo login information. Additionally, they will have to treat everything they receive online, such as email, with great caution and suspicion. Yahoo recommends that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Information.Governance.Yahoo.Data.Breach.Results.jpgWhat Is Personally Identifiable Information?

According to the United States Department of Labor (DOL), Personally Identifiable Information (PII) is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. According to the DOL, PII can do the following:

  • Directly identify an individual, including name, address, social security number or other identifying number or code, telephone number, email address.
  • Specify individuals in conjunction with other data elements, i.e., indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
  • Permit the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

Today, organizations must limit the use, collection, and retention of PII to only what is critically necessary for organizational purposes. Many times, for many enterprises in all markets, it is not readily known what information is stored and where it is located to effectively manage and protect it. In order for an organization to effectively manage information, it is important for the organization to have a true understanding of its PII. Optimizing PII traceability and management will benefit an enterpries in key ways:

  • Full assessment of enterprise systems and operations to identify all PII being processed, accessed or stored in electronic or physical forms.
  • Reduction of overall volume of PII and creation of defined best practices to avoid PII storage unless critically necessary.
  • Risk assessment and periodic reviews to ensure company policies, procedures and practices adhere to best practices and standards for management of PII.

How Are Businesses Reacting?

The proliferation of mobile devices and mobile preferences among today’s consumers present new challenges in protecting one’s confidential information in the age of the Internet of Things (IoT).  

According to the Federal Trade Commission, when making purchases online individuals should be sure to keep their browsers secure by encrypting their data and also keeping passwords private. Additionally, individuals should avoid phishing emails, use security software and be wise about where they opt to access public wireless networks.

In looking at the insurance market, for example, insurance companies today understand they need stricter measures, including classification, data mapping, and long-term digital preservation, as well as strict governance over the management of (PII) and Protected Health Information (PHI). 

Strategy, planning and coordination among the many facets of information governance allows insurance companies to make effective use of all information, regardless of ownership and at all stages of the information life cycle.

Information assets, records and data, have recently become the most valuable corporate asset - including PII.

Information governance is a framework, a set of processes and procedures, bound by policy and with clear ownership and accountability, designed to ensure that essential corporate data and record assets are properly created maintained, managed and destroyed throughout the enterprise.

Information governance is seen by many cross-market information management experts as the most vital component in enterprise digital transformation as businesses scramble to become data-driven organizations in today's global economy.

3 Reasons You Need an Information Governance Program