Personally Identifiable Information | A Handbook
Personally Identifiable Information (or “PII” for short) refers to any data that can possibly identify a specific person and differentiate that individual from others. This data is extremely important, as organizations are held accountable for the safeguarded storage and safe transmission of PII. MSPs and IT professionals need comprehensive tools to help them protect and secure their clients' sensitive stored data.
Sensitive and Non-Sensitive PII
Personally identifiable information can be organized into two categories: sensitive and non-sensitive.
- Sensitive PII is private information that can harm an individual if disclosed. Examples include financial, medical and biometric information as well as unique identifiers such as a credit card number, Social Security number, medical record number, home address, email address, passport, facial characteristics or fingerprints.
- Non-sensitive PII refers to data in the public domain. Non-sensitive data can be collected from repositories such as public records, phone books, websites and corporate directories. Because this data is readily available from public sources, its disclosure is not likely to breach a person’s privacy and, as a result, is considered to be less harmful than the leaking of sensitive PII.
Protecting Sensitive PII
Because the release of sensitive PII can cause significant harm to individuals, there are many standards and regulations in place that relate to the protection of PII data. Most of them govern the use of data while it is in use, in motion and at rest:
- Data in use refers to information on endpoint devices such as computers, servers and Bring Your Own Devices (BYODs) that individuals use to perform their jobs.
- Data in motion refers to information traversing a network.
- Data at rest refers to information stored on endpoint devices that is not being used or in motion.
Most regulations for protecting PII organize data into the following categories:
Business data
Examples of business data that must be kept private include trade secrets, research and business intelligence data, management reports, customer information and sales data.
Financial data
Types of financial data usually include credit card numbers, bank account numbers, and other financial information on individuals and businesses.
Military and government data
Data related to government programs and military operations is stringently regulated. Military or government data leaks can jeopardize national security and place people and organizations in danger by revealing the identity of covert intelligence agents or compromising individuals placed in a witness-protection program.
Personal health data
Sensitive patient health data includes insurance information, medical information and patient data such as Social Security numbers and other sensitive information that is not in the public domain.
Private individual data
Private personal data includes Social Security numbers, tax-related data, addresses, telephone numbers and any other PII that could be used for illegal activities.
Understanding the Impact of Data Breaches
The Department of Defense (DoD) defines a data breach as personal information that "is lost, disclosed to, accessed by, or potentially exposed to unauthorized individuals, or compromised in a way where the subjects of the information are negatively affected." A data breach can leave individuals and businesses vulnerable to identity theft or other fraudulent activity.
Data breaches can be intentional or accidental:
- Intentional breaches are perpetrated by hackers or disgruntled employees intent on breaking into a secure repository to obtain sensitive information illegally.
- Accidental breaches are usually the result of an accident, mistake, negligence or lost or stolen devices that contain sensitive data.
Until recently, accidental breaches were the leading cause of data breaches. As more and more cyber criminals target and exploit organizations, however, criminal attacks have become the No. 1 cause of data breaches in the healthcare sector alone, with a 125% growth in malicious attacks over the last five years.
Data breaches are occurring more frequently and are having a devastating impact. Hackers have not only stolen a massive amount of data, they have also gotten ahold of extremely sensitive information, even from the government.
2015 was a bad year. Experts predict 2016 to be even worse.
Industry experts recognize several critical facts that are driving this increase in attacks:
- Organizations by nature handle a lot of personally identifiable information that could be profitable.
- Organizations are usually ill-equipped to protect PII and head off threats and attacks.
- Organizations are vulnerable to attack from criminals who know how to take advantage of their many access points to get ahold of PII.
Recently, a number of intentional attacks against high-profile companies — including Sony, Target, and Home Depot — made headlines around the world:
- December 2013: Target confirms that hackers ripped off an estimated 40 million credit and debit card numbers via the store's payment card reader system during the busy holiday shopping rush.
- January 2014: Target announces it was hit again. This time, the contact information of approximately 70 million customers — names, email addresses, physical addresses and telephone numbers — is compromised.
- September 2014: Home Depot says that its point-of-sale system had been hacked in April or May, with over 56 million customer credit and debit cards compromised.
- November 2014: Sony Pictures Entertainment computers are hacked by unknown assailants. All sorts of data — from Social Security numbers, to passwords, to unreleased films — start showing up on file-sharing sites. 6,800 Sony employees and approximately 40,000 other people are impacted.
- Early 2015: A breach at health insurance company Anthem Blue Cross exposed the personal information of 80 million subscribers. Another 11 million individuals were exposed in a separate breach of Premera Blue Cross just a few months earlier.
- February to mid-May 2015: Get Transcript, an online IRS tax-form service, was hacked. Thieves made off with nearly 100,000 transcripts containing Social Security information, dates of birth, tax filing status and street addresses of the victims.
- 2016: A Verizon Enterprise Solutions database was breached, resulting in the theft of records from 1.5 million customers.
Not all breaches have to be of this magnitude to inflict harm. Even an initial attack that seems to be minor can morph into a larger breach — similar to the Home Depot and Target attacks mentioned above.
The Cost of Data Breaches Gets Even Higher
The cost of a data breach is even higher when you consider the associated clean-up costs:
- Heartland Payment Systems paid $8 million in lawsuit settlements after 130 million credit and debit card numbers were compromised.
- Health Net of the Northeast Inc. gave away two years of free credit monitoring to 1.5 million customers after their information was misplaced on a lost hard drive.
- Sony provided free identity theft services to customers affected by its 2011 data breaches.
Data breaches continue to get more expensive. Juniper Research predicts a single data breach will cost more than $150 million in 2020. Globally, they'll cost $2.1 trillion by 2019.
What’s An Organization to Do?
As technology has advanced, the types of PII have proliferated significantly. And PII affects more than corporations and businesses. Government organizations, stores, schools, hospitals and doctors' offices, and other organizations are now responsible for safeguarding personal data.
Data breaches aren't just a problem for large corporations like those listed in the examples above. Attackers are targeting small and midsize businesses (SMBs) with more and more frequency. It's estimated that 60% of all cyberattacks in 2014 hit SMBs. And the impact on these organizations can be catastrophic — more than half of the SMBs that fall victim to an attack end up closing their doors within six months.
Yet despite the amount of attention given to data breaches, many organizations still do not have PII security measures in place. And because of this, companies may never know that their sensitive assets were breached.
Given the damage resulting from embarrassing headlines, regulatory fines and loss of market share, organizations can no longer afford to remain unaware or under-protected. The first step toward fixing the problem is acknowledging that the problem exists. The second step is finding the right solution that can keep PII secure and away from unauthorized users.
Finding the appropriate solution can be a daunting task — especially for SMBs. Many solutions are directed toward enterprise businesses and may seem out of reach. So while the objectives are relatively clear, the means to achieving those objectives can be elusive while the industry learns to adapt to the ever-changing threats of today’s sophisticated hackers.
MSP Risk Intelligence to the Rescue!
Sometimes seeing is believing in order for businesses to grasp how vital security is. MSP Risk Intelligence from SolarWinds MSP (formerly LOGICnow) drives home the cost of data breaches by assigning real dollars to an organization’s data-breach risk.
MSP Risk Intelligence can find your unprotected data and potential weak spots. After detecting where data is vulnerable to unauthorized access, MSP Risk Intelligence calculates and quantifies the financial risk in dollars to produce actionable risk intelligence insights.
MSP Risk Intelligence detects vulnerabilities that could cause a breach. Then it will enhance your security to prevent the worst from happening, no matter the source.
MSP Risk Intelligence also satisfies a host of regulatory compliance requirements including Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and Financial Industry Regulatory Authority, Inc. (FINRA).
Key features of MSP Risk Intelligence include:
- Dollar-based risk assessment
- Sensitive data discovery
- Deep vulnerability scanning
- Risk trending reports
- Inappropriate access discovery and alerts
- PCI compliance scans
MSP Risk Intelligence empowers MSPs to clearly state the value of their services to their clients, and help them understand their liability if a data breach occurs. MSP Risk Intelligence truly opens the door to potential clients by demonstrating cost savings and ROI.
How Well Does MSP Risk Intelligence Work?
Don’t take our word for how well MSP Risk Intelligence works. In 2014, iScan Online (now MSP Risk Intelligence) was awarded SC Magazine's Security Industry Innovator of the Year. Most recently, it was recognized by CIO Review magazine as a Top 20 Enterprise Security Company.
The First Step Toward Comprehensive Layered Security
MSP Risk Intelligence is just one part of SolarWinds MSP's total Layered Security solution. Let's face it — to guard against today's sophisticated cyberthreats, you need more than antivirus software and a firewall. You need the most comprehensive toolbox on the market today.
In addition to all of the benefits of MSP Risk Intelligence, you get:
- Proactive Security – Get out in front of breaches with web protection, robust patch management and email security.
- Detective Security – If you do face a threat, rest easy knowing that the most advanced managed antivirus solution, failed login checks and rules, and active device discovery have your back.
- Reactive Security – Sometimes a threat may still get through. Backup and disaster recovery, virtual server recovery, local backup, local speed vault and hybrid cloud recovery all help you restore order quickly after an attack.
- LOGICcards – Keep a watchful eye on irregularities across your network and receive insights backed by machine learning and big data analytics.
About SolarWinds MSP
SolarWinds MSP delivers the only 100 percent SaaS, fully cloud-based IT service management (ITSM) platform, backed by collective intelligence and the highest levels of layered security. SolarWinds MSP products — including Risk Intelligence, Remote Management, Backup & Disaster Recovery, Mail and Service Desk — comprise the market’s most widely-trusted integrated solution.
Deployed on millions of endpoints across hundreds of thousands of networks, the platform has the industry vision to define and deliver the future of the market. SolarWinds MSP provides the most comprehensive IT security available as well as LOGICcards, the first ever IT notification feature powered by prescriptive analytics and machine learning.
SolarWinds MSP's passion is helping IT professionals secure and manage their systems and data through actionable insights, rewriting the rules of IT.
Military Health System: http://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/Breaches-of-PII-and-PHI?type=Policies
IT Business Edge: http://www.itbusinessedge.com/slideshows/2016-security-trends-whats-next-for-data-breaches-07.html
Tom's Guide: http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html
Juniper Research: http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion