Which of the following actions should you take to protect personally identifiable information PII?

The deluge of data in today’s digital environments can leave many information security teams struggling to stay afloat. Tracking all of the sensitive information in your internal systems—much less, keeping it secure—requires a Herculean effort with the necessary resources to match. Whether you’re in the initial stages of a data discovery project or re-evaluating your existing security practices, it’s critical to operate with an understanding of different data types and how each should be handled.

One of these crucial data types is personally identifiable information (PII). Organizations need to know how to protect personally identifiable information to comply with the industry standards and international regulations that comprise today’s privacy landscape. This task, however arduous, can improve data governance and security practices while protecting customers and building consumer trust.

What is personally identifiable information?

Not to be confused with personal data, which the EU’s General Data Protection Regulation (GDPR) defines as any information “related to an identified or identifiable natural person,” personally identifiable information (PII) is data that can be used to determine a person’s identity. That might seem like a small distinction, but in practice, it’s fairly significant. Not all data related to a person has the capacity to identify an individual, so only data from which a person’s identity can be derived falls under the umbrella of what is personally identifiable information.

If that isn’t complicated enough, existing regulations offer varying definitions and terms for PII. However, the above description serves as a solid, general baseline. In regard to how the term is used in specific regulations, let’s look at the California Consumer Privacy Act’s (CCPA) take on a personally identifiable information definition since CCPA will mostly affect U.S. businesses.

Which of the following actions should you take to protect personally identifiable information PII?

Personally Identifiable Information Definition

The CCPA uses the term personal information instead of personally identifiable information to refer to “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual….” In some cases, this can include information shared on social media. Here are some examples of these identifiers.

Which of the following actions should you take to protect personally identifiable information PII?

According to the CCPA, any organization that has a gross annual revenue of over $25 million, processes at least 50,000 California residents’ records for commercial purposes, or can attribute half of its revenue to the selling of personal information must follow the requirements of the CCPA—or risk facing substantial fines and other penalties.

How to Protect PII in Your Organization

The first step in protecting PII within your organization’s data environment is understanding how to define PII. Once you’ve familiarized yourself with the type of information you need to secure, you can start thinking about how best to execute a security strategy to meet the relevant regulatory compliance obligations.

1. Identify All of Your PII

Before PII protection can be achieved, you need to know which types of your data are PII. As stated earlier, this can vary depending on factors such as which country you’re located or doing business in—and what industry standards and regulations you’re subject to as a result. Once you’ve established an appropriate definition for PII, you can match it to the relevant data types in your possession.

2. Discover Where PII is Stored

Similar to the implementation of a data governance program, one of the first steps for how to protect personally identifiable information is to perform a data discovery, or mapping, exercise. This allows you to locate PII within your network and other environments and see where it travels throughout your organization. Once you've mapped the flow of data, you should know where your PII resides and how to isolate or segment those systems from the rest of your environment.

Which of the following actions should you take to protect personally identifiable information PII?

3. Minimize Your PII

This practice isn’t specific to PII compliance, but it’s just as effective with PII as it is with any other type of data. Data minimization is nothing new for security practitioners and for good reason—you don’t have to worry about data that you don’t process or store. Simply minimizing the amount of PII in your systems can be an easy and effective way to reduce the security controls and compliance scope of your data environment.

4. Monitor Your Accounts

Another effective method for protecting PII is the use of access control measures to limit access to the data to only the specific individuals within your organization whose roles require them to view or interact with that data. This reduces the risk of data exposure by preventing unnecessary access to sensitive data. Only those with a business-need-to-know should be authorized, and even then, that access should be restricted and monitored. Monitoring access also makes it easier to determine how a breach occurred in the instance that data does become exposed.

5. Secure Your Data with Tokenization

One of the most effective solutions for how to protect personally identifiable information is tokenization. This security technology obfuscates data by exchanging the original sensitive information for a randomized, nonsensitive placeholder value known as a token. The token is irreversible and has no direct relationship to the original data, which is stored in a cloud outside of the tokenized environment. Because tokenization removes sensitive data and stores it off-site, it virtually eliminates the risk of data theft. Even if a breach were to occur, no sensitive data would be exposed—only the nonsensitive placeholder tokens.

Which of the following actions should you take to protect personally identifiable information PII?

How to Protect Personally Identifiable Information from Data Breaches Without Data Loss

Security practices such as encryption obfuscate sensitive data to the point of limiting its value for business purposes. Tokenization offers greater flexibility by preserving much of the original data’s utility. By using format- and length-preserving token schemes, tokenization can retain elements of the original data—such as the first six and/or last four digits of credit card number—so that those values can be protected but still used for analytics and other purposes.

This maintenance of a data’s business utility—and your organization’s agility—is just one example of tokenization’s flexibility in protecting personally identifiable information for maximum security and PII compliance. For more information about how tokenization can help your organization protect PII, contact us today.

Which of the following actions should you take to protect personally identifiable information PII?

Topic(s): PII

How do you protect personally identifiable information PII?

Secure Sensitive PII in a locked desk drawer, file cabinet, or similar locked enclosure when not in use. When using Sensitive PII, keep it in an area where access is controlled and limited to persons with an official need to know. Avoid faxing Sensitive PII, if at all possible.

Which of the following actions should you take to protect personally identifiable information?

To protect personally identifiable information:.
Identify What PII You Collect and Where It Is Stored. ... .
Identify What Compliance Regulations You Must Follow. ... .
Perform a Personally Identifiable Information Risk Assessment. ... .
Securely Delete Personally Identifiable Information That's Not Necessary to Business..

What are the top three actions you need to follow to help protect PII?

Protecting your PII protects your identity and privacy.
1) Use a complete security platform that can also protect your privacy..
2) Use a VPN..
3) Keep a close grip on your Social Security Number..
4) Protect your files..
5) Steer clear of those internet “quizzes”.
6) Be on the lookout for phishing attacks..

What is the first step in protecting PII?

Similar to the implementation of a data governance program, one of the first steps for how to protect personally identifiable information is to perform a data discovery, or mapping, exercise. This allows you to locate PII within your network and other environments and see where it travels throughout your organization.