What is Personally Identifiable Information (PII) and How to Guard It

If you remember the film Pirates of the Caribbean: Dead Man’s Chest, the villain Davy Jones cuts his heart from his chest and locks it away, hiding it from the world and protecting it from the ravages of grief.

Bit of a drastic action if you ask us, but we—like most people—can understand taking serious lengths to protect the things we care about. That includes information. In this day and age of the Internet, where so much of life takes place, it can be tough to safeguard such data, especially when malicious attackers are constantly seeking to steal it and take advantage.

For organizations entrusted with their customers’ sensitive information, protecting privacy is and must be paramount. You are promising to keep their personally identifiable information (PII) safe, and that’s a promise you need to keep.

In that, we’re going to help you in getting started. As providers of a broad suite of privacy compliance services, we’re well-versed in what it takes for an organization to adequately safeguard PII. In this article, we’re going to pass on some of that insight.

We’ll define what can be classified as PII before providing six things you can do to protect the information against possible breaches. These won’t involve locking away vital organs a la Davy Jones, but you will be able to sleep better at night knowing you’re taking necessary steps to keep your privacy promises.

What is PII?

Before you can protect it, you need to know what PII is.

Broadly considered as any information that can be used to distinguish or trace an individual’s identity, examples include but are not limited to:

• Name
• Social Security Number (SSN), passport number, driver’s license number, financial account number, or any other personal identification numbers (PINs)
• Street or e-mail address
• Phone number
• Associated data—or, data that when alone may not be able to identify an individual but when associated with other data leads to identification (e.g., an IP address) 

Should any of this type of data leak, not only are the individuals affected looking at identity theft and inconvenience, but if you’re responsible for said breach, you face losing public support, legal liability, and the costs associated with containment, remediation, and notification.

6 Ways You Can Protect PII

You can potentially avoid all that if you commit to a few simple things. Here are 6 ways you can protect the PII you’re accountable for while simultaneously decreasing the likelihood of a breach.

1. Routinely Identify All PII

We mentioned before that you can’t protect PII if you don’t know what it is, but you also need to know where it lives in your systems—at all times.

As part of your privacy program, get into the habit of periodically reviewing and auditing your environment for PII. Sweep for both internally sourced PII (e.g., employee PII) as well as any PII created, received, maintained, or transmitted on behalf of your customers and business partners.

2. Confirm Your Obligations

Not only do you need to understand your promises regarding privacy, but you also need to be aware of any laws or regulations your organization is bound to regarding the protection of PII. Common obligations include but are not limited to:

• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
• Asia-Pacific Economic Corporation (APEC) Cross Border Privacy Rules
• California Consumer Privacy Act (CCPA)
• Gramm-Leach Bliley Act (GLBA)
• Children’s Online Privacy Protection Act (COPPA)

You should also look into any applicable state and local laws that may affect your management of PII.

3. Perform a Risk Assessment

No matter which legislation(s) you may be subject to, a central component of many privacy compliance standards and regulations is a risk assessment, which is also essential for your good corporate governance.

These should also be performed on at least an annual basis and in the context of safeguarding PII, your risk assessment should address at least the following:

• Identification of regulated PII
• Identification of other sensitive data that may or may not be explicitly regulated but may pose other types of risks (reputational risk, competitive risk, etc.)
• Identification of the applicable commitments and requirements necessary to comply with the applicable laws and regulations described earlier
• Threats to compliance with the external and internal commitments and compliance objectives
• Assessment of the likelihood of the identified threats
• Risk management strategies (including avoidance, sharing, mitigation, and acceptance):
• Commonly involves implementation of control procedures and safeguards based on your risk management strategy.

Two more key aspects of your will be to ensure that:

• Your various stakeholders participate when appropriate.
• Your risk assessment procedure adapts to changes in the regulatory and business environment.

4. Regulate Collection and Retention

While it may be very tempting for you to collect as much data as you can, this approach may not only affect how efficient you can be in managing usable data, but it also introduces more risk as it pertains to use, notice, and collection of regulated PII.

For this reason, only collect and retain information that is necessary to perform the business function related to its collection.

5. Categorize by Confidentiality and Privacy Impact

Of course, some PII may be inherently less risky to collect and retain than others. Here are some examples of such distinctions:

• Lower confidentiality and privacy impact: A customer listing containing opted-in names and e-mail addresses.
• Higher confidentiality and privacy impact: A listing of social security or credit card numbers.

Each organization is different and it’s ultimately your decision on how to categorize your PII, but given the varying associated risk, it would prove beneficial to understand where your higher security priorities should be.

(An effective risk assessment can significantly assist with this.)

6. Create Safeguards Based on Confidentiality and Privacy Impact

Once you’ve classified everything, you’ll then need to implement protections, and these too should be centered on potential associated consequences should a breach of PII occur.

Using your risk assessment to help, these safeguards should clearly reflect your risk mitigation strategy. They should also be evaluated periodically for design and operational effectiveness and be revised accordingly. Here are a few basic things you can do to protect PII:

• Create Privacy Policies and Procedures: You should have documented policies for the collection, use, retention, disclosure, and destruction of PII, which should be adopted across your organization and communicated to employees.

• Train Your Team: To reduce the likelihood of a breach, instruct your people on how to protect and handle PII.

• Look for De-Identification Opportunities: Removing PII where it may no longer be needed is a great way to safeguard data.

• Use Encryption: Encrypt databases and repositories where PII is stored.

Next Steps for Protecting PII

The fictional pirate Davy Jones may have needed to cut out his heart to protect it, but you won’t need to do that to safeguard your customers’ most sensitive data. Now, you have six steps you can take to protect PII, setting yourself up to reduce both breaches themselves and their impact.

Taking these strides will help, but if you’re interested in further assurances, you can engage a third party to double check your work on these privacy measures. Schellman offers many different services in this sector that could serve your specific needs, including a comprehensive privacy program assessment.

Our clients can attest that our initial approach is always to offer guidance, so please feel free to reach out to us with any questions you may have.