By: Nihad Hassan
August 10, 2021
What Is PII Data And How To Secure It?
By: Nihad Hassan
August 10, 2021
As society continues to digitize rapidly, technology has become integrated into our everyday lives, from work, study, and reaching to entertainment. Technology has made people's lives easier and more productive. The proliferation of internet technology and the spread of cheap computing devices such as smartphones and tablets will undoubtedly boost technology adoption among the public worldwide.
According to Statista, in January 2021, there were 4.66 billion active internet users worldwide; this is equal to 59.5 percent of the global population. To utilize the internet, a user needs to own a personal computing device, such as a computer, a laptop, or a smartphone. According to oberlo, in 2020, the number of global smartphone users has reached 3.6 billion, equal to a 9.3 percent increase from 2019.
Many internet users will generate massive digital data from their online interactions (e.g., social media interactions, posting reviews, sending emails, and more). The internet's borderless nature that allows anyone from anywhere on earth to communicate and share information opens new horizons; however, it also introduces different security challenges.
Almost every week, we hear about a significant data breach occupying the news headline; people are increasingly becoming concerned about data privacy and are now more eager to know what major websites know about their personal lives and online habits. There is one fact that all people should know. Preserving your online privacy is almost impossible, every time a user interacts with a post (e.g., provide comments, to like or share) on social media platforms, use search engines to look for something, buy some products/services from online merchants, or register in other online services, these online services will collect some information about the user.
Anyway, not all online users gathered information fall under the private category of personally identifiable information (PII). Other information types cannot be used alone to identify an online user. This article will shed light on PII, mention its types, and suggest primary measures to secure it.
Personally identifiable information (PII) or sensitive personal information (SPI) is any information that can be used alone or with other information to identify or locate a single person. Under this definition, the following information can be considered PII that can be used to identify a person directly:
- Name (First and Last name)
- Social security number
- Passport number or national ID number
- Driver's license number
- Combination of father and mother names
- Email address
- Mail address
- Phone number
- Credit card numbers
Digital technology has extended the list of PII to include more data types such as:
- Login credentials (user name)
- Internet Protocol (IP) address
- Biometric data
- Video and digital images
- Social media posts
- Geolocation data acquired from social media platforms and some online Apps
There are other types of information that cannot distinguish an individual on its own; however, it can be used to identify a person when combining with other data elements. Example of such information includes:
- Place and Date of birth
- Country, state, and city
- Work position and company name
PII is considered the main target of cyberattacks. Compromising such data by malicious actors can have catastrophic consequences on the affected organization, ranging from reputational and financial loss, paying heavy fines for regulatory compliance bodies (such as GDPR and PCI DSS), and individual lawsuits raised by affected people.
The following section will mention the best defense methods to secure this data.
Protecting PII data
Strict security measures and controls must be enforced by any organization storing or processing PII information. As we said before, there are many PII types; however, the most important ones are related to people personal life such as:
- Medical information
- Financial information
The other types of PII are also important; however, exposing medical or financial information can severely damage their freedom rights and negatively affect their ability to have equal opportunities in different areas in society.
Utilize data encryption to protect PII from unauthorized access. Many regulatory compliance frameworks already impose encrypting sensitive PII information, such as the PCI DSS.
Secure online accounts and other resources within your IT environment using strong passwords. Make sure to use a long password (+11 characters) and contains a combination of letters, numbers, and symbols, and change the password once every three months.
Use advanced authentication systems such as biometrics to secure access to sensitive systems. Two-factor authentication (2FA) must be utilized to protect all accounts and databases containing PII. With 2FA, a user will be authenticated using two factors: a traditional username & password and a passcode sent via SMS to the user's mobile phone.
Do not keep sensitive data when it is no longer needed. When choosing to destroy sensitive data, you must do this securely using a paper shredder (for paper documents) and utilizing data wiping tools for digital data. Data destruction policy is essential in this situation. It is covered in detail in the "Data Destruction Policy" blog post.
Apply best security practices when allowing employees to work remotely and when accessing corporate resources. Organizations should not allow remote employees to access PII data, and it is better to store PII in a separate network segment with strict access control.
As the number of cyberattacks continues to increase, the need to protect PII data becomes a top priority for management and IT professionals, especially with the continual adoption of various data protection regulations concerning internet users' privacy worldwide. This article introduced the term PII and suggested protection measures for securing it from unauthorized access.