Social Security Number. Address. Birthdate. Driver's License Information. Is your business doing all it can to protect Personally Identifiable Information (PII)? Is your organization trustworthy?
A Chartered Institute of Marketing (CIM) survey of more than 2,500 consumers and marketers found that 57% of consumers do not trust businesses with their data.
Why? The biggest concern, cited by 40% of consumers, is that the data they give a business may be shared with third parties without their consent. More than half of consumers said they had received communications from organizations they felt had misused their data, while 31% said they have no idea how and where their data is used. The study, Whose Data is it Anyway?, asks whether companies are doing enough to protect and reassure customers. It also found that more than two thirds (68%) of the marketers surveyed are reluctant to share their own data as consumers because they know how organizations will use it.
Unfortunately, most people do not understand how companies use their personal data.
Personally Identifiable Information (PII) is an attractive target for hackers and cyber criminals because it is easy to obtain - or more accurately, steal.
Protecting PII is a challenge for individuals and enterprises alike. Every business is built on people and processes: clients, customers, partners, vendors, and employees. As such, every business is responsible for the actions of its staff and for the effectiveness of its processes and best practices when it comes to protecting PII.
The Department of Homeland Security (DHS) offers a factsheet intended to help individuals, as well as organizations, to safeguard PII in paper and electronic form during everyday work activities.
According to the factsheet, DHS employees, contractors, consultants, and detailees are required by law to properly collect, access, use, share, and dispose of PII in order to protect the privacy of individuals.
Some key tips offered by the DHS factsheet include the following cautionary advice to DHS personnel - also excellent tips for any business or organization looking to scrutinize and improve PII best practices to elevate governance activities.
- If you are collecting or maintaining sensitive PII electronically, be sure your database or information technology system has an approved Privacy Impact Assessment.
- Before collecting sensitive PII, be sure that you have the authority to do so based on either the Privacy Act System of Records Notice (SORN) or a Standard Operating Procedure (SOP). Access to sensitive PII is based upon your having a "need to know" classification within your organization.
- Ensure documents are not accessible to casual visitors, passersby, or other individuals within the office without a "need to know." If you leave your work area for any reason, activate your computer's screen saver. At the end of your shift, either log off or activate a password-protected lock on your computer.
- Ensure privacy while having intra-office or telephone conversations regarding sensitive PII.
- PII, including that found in archived emails, must be disposed of when no longer required, consistent with the applicable records disposition schedules. If destruction is required, take the following steps: Shred paper containing sensitive PII; do not recycle or place in garbage containers; be especially alert during office moves and times of transition when large numbers of records are at risk.
Sensitive PII is PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some categories of PII are sensitive as stand-alone data elements, for example: Social Security Number (SSN), driver's license or state identification number, passport number, Alien Registration Number, or financial account number. Other data elements, such as citizenship or immigration status, medical information, ethnic, religious, sexual orientation, or lifestyle information, and account passwords, are also sensitive PII when they appear in conjunction with the identity of an individual (whether stated directly or indirectly inferable).
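As an added example (not part of the DHS factsheet or of this article), the definition above can be turned into a small data-classification check of the kind a DLP rule or data-inventory script would run over records before they are stored, shared, or archived: stand-alone elements are flagged by field name or by value pattern, while contextual elements are flagged only when the record also identifies a person, either directly or by combining quasi-identifiers. The field names, the "any two quasi-identifiers" threshold, the US SSN format, the Luhn check for account numbers, and the sample records are all assumptions made for illustration.

```python
import re

# Categories taken from the sensitive-PII definition above.
# Field names are assumed for this example; map them to your own schema.
STANDALONE_SENSITIVE = {
    "ssn", "drivers_license", "state_id", "passport_number",
    "alien_registration_number", "financial_account_number",
}
# Sensitive only in conjunction with an identified (or inferable) individual.
CONTEXTUAL_SENSITIVE = {
    "citizenship", "immigration_status", "medical_info", "ethnicity",
    "religion", "sexual_orientation", "lifestyle", "password",
}
DIRECT_IDENTIFIERS = {"name", "email", "phone"} | STANDALONE_SENSITIVE
# Assumption: any two quasi-identifiers together let identity be inferred
# indirectly (birthdate + ZIP is the classic case).
QUASI_IDENTIFIERS = {"birthdate", "zip", "address", "gender"}

# Value patterns catch stand-alone elements hiding in free-text fields such
# as "notes". US SSN format assumed (no 000/666/9xx area, no 00 group, no 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional spaces/dashes; confirmed with a Luhn check below
# so ordinary tracking or order numbers are not flagged.
ACCOUNT_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(record: dict) -> dict:
    """Classify one record per the stand-alone vs. contextual rule."""
    fields = {k for k, v in record.items() if v not in (None, "")}
    findings = {}  # field name -> reason it is sensitive

    # 1. Stand-alone elements identified by field name.
    for f in fields & STANDALONE_SENSITIVE:
        findings[f] = "stand-alone sensitive element"

    # 2. Stand-alone elements leaked into other (free-text) fields.
    for f, v in record.items():
        if f in findings or not isinstance(v, str):
            continue
        if SSN_RE.search(v):
            findings[f] = "contains an SSN-formatted value"
            continue
        for m in ACCOUNT_RE.finditer(v):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings[f] = "contains a Luhn-valid account number"
                break

    # A record identifies a person if it carries a direct identifier, a
    # stand-alone element, or enough quasi-identifiers to infer identity.
    identified = (
        bool(fields & DIRECT_IDENTIFIERS)
        or bool(findings)
        or len(fields & QUASI_IDENTIFIERS) >= 2
    )

    # 3. Contextual elements count only when the individual is identifiable.
    if identified:
        for f in fields & CONTEXTUAL_SENSITIVE:
            findings[f] = "sensitive in conjunction with an identified individual"

    return {"sensitive": bool(findings), "identified": identified, "findings": findings}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "A. Example", "medical_info": "asthma"},               # identified + medical
    {"medical_info": "asthma", "gender": "F"},                      # no identity: not sensitive PII
    {"birthdate": "1980-01-01", "zip": "20528", "religion": "n/a"}, # identity inferable from quasi-ids
    {"ticket_id": "T-1", "notes": "caller confirmed SSN 123-45-6789"},  # SSN leaked into free text
    {"ticket_id": "T-2", "notes": "tracking 4111111111111112"},     # 16 digits but fails Luhn
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
```

The contextual rule is what most naive "regex for SSNs" scanners miss: a medical or religious field is not sensitive PII on its own, but becomes sensitive the moment the same record (or a join across records) lets the person be identified, so the check has to look at the whole record rather than at fields in isolation.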
For businesses today, protecting customer data such as credit card information, login credentials, and other personally identifiable information is one of the top priorities for both security and risk leaders.