Privacy is a hot topic, and new exposures of personal data through identity theft and data breaches seem to occur daily. As organizations struggle to keep personally identifiable information (PII) secure, it is becoming clear that every employee has a role to play in protecting it.
It's important to remember that personal information is not just a Social Security number or credit card number. PII is any information that can be used, on its own or in combination, to identify a particular individual. One-to-one identifiers (license numbers, fingerprints, insurance policy numbers, etc.) link directly to a single person, but one-to-many identifiers (data points such as first name, surname, job title, or place of residence) do the same when combined.
An estimated 87% of the US population can be uniquely identified from just three data points: gender, ZIP code, and date of birth. Even a seemingly small amount of personal data therefore has real value. If you collect, use, or store personal data about colleagues or customers, here are four tips to help you protect it.
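The 87% figure comes from counting how many people share each combination of gender, ZIP code and date of birth; a combination shared by only one person identifies that person. The same measurement, known as a k-anonymity check, can be run on any table before it is shared. The following is an added example and not part of the original article: the column names and the eight sample rows are constructed for illustration, and the `generalize` step shows how coarsening ZIP codes to three digits and dates of birth to a year shrinks the share of uniquely identifiable rows.

```python
"""Measure how re-identifiable a table is from a set of quasi-identifiers.

Added example, not from the original article. Field names and sample rows
are constructed; they describe no real people.
"""
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample rows (hypothetical people, no real data).
RECORDS: Tuple[Record, ...] = (
    {"id": "r1", "gender": "F", "zip": "02139", "dob": "1975-03-12"},
    {"id": "r2", "gender": "M", "zip": "02139", "dob": "1975-03-12"},
    {"id": "r3", "gender": "F", "zip": "02139", "dob": "1975-08-30"},
    {"id": "r4", "gender": "F", "zip": "02138", "dob": "1975-03-12"},
    {"id": "r5", "gender": "M", "zip": "02138", "dob": "1980-01-01"},
    {"id": "r6", "gender": "M", "zip": "02138", "dob": "1980-01-01"},
    {"id": "r7", "gender": "F", "zip": "02139", "dob": "1975-03-12"},
    {"id": "r8", "gender": "M", "zip": "02140", "dob": "1962-11-05"},
)


def equivalence_classes(records: Iterable[Record], quasi_ids: Sequence[str]) -> Counter:
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def reidentification_risk(records: Sequence[Record], quasi_ids: Sequence[str]) -> Dict[str, float]:
    """Summarise re-identification risk for the given quasi-identifier columns.

    min_k:           size of the smallest group of rows sharing a combination
                     (k = 1 means some row is the only one with its values)
    unique_fraction: share of rows that are alone in their group
    num_classes:     number of distinct combinations present
    """
    classes = equivalence_classes(records, quasi_ids)
    unique_rows = sum(1 for size in classes.values() if size == 1)
    return {
        "min_k": min(classes.values()),
        "unique_fraction": unique_rows / len(records),
        "num_classes": len(classes),
    }


def is_k_anonymous(records: Sequence[Record], quasi_ids: Sequence[str], k: int) -> bool:
    """True when every quasi-identifier combination is shared by at least k rows."""
    return reidentification_risk(records, quasi_ids)["min_k"] >= k


def generalize(record: Record) -> Record:
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    qi = ("gender", "zip", "dob")
    print("raw table:        ", reidentification_risk(RECORDS, qi))
    print("generalized table:", reidentification_risk([generalize(r) for r in RECORDS], qi))
    print("gender only:      ", reidentification_risk(RECORDS, ("gender",)))
```

On the constructed rows, half the records are uniquely identified by the full triple; truncating ZIP and date of birth brings that down to a quarter, and dropping to gender alone yields groups of four. The check is worth running on any extract before release, because columns that look harmless individually (the "one-to-many identifiers" above) are exactly the ones that combine into a unique fingerprint.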
Some PII is more sensitive than other PII. A list of customer names and email addresses doesn't need the same security defenses as a list of customer names and credit card numbers. You would logically want to keep the latter list very secure and share that information only on a need-to-know basis. That doesn't mean the list of names and email addresses should be shared freely with anyone and everyone. It's certainly not information you'd like to put in the hands of competitors, for example.
To gauge the level of sensitivity associated with PII, think about the consequences in the event of a data breach. The more sensitive the data, the more intense the protections should be.
There are several reasons an organization might collect data from its customers: for mailing lists (email or snail mail), billing, shipping, etc. Sometimes, as in the case of medical offices, collecting information is simply the starting point of a service relationship.
But it’s important to think about the information you truly need to have and limit collection to business-critical items. For example, if you’re building a mailing list, think about whether you need anything beyond an email address. If you don’t do hard-copy mailings or calling campaigns, there’s no reason to collect mailing addresses and phone numbers. Think about the information you need before you ask for it.
The cautions that apply to collecting PII apply to storing it as well. The more PII there is on an organization's network, the more exposed that organization is in the event of a breach. Before you store it, consider whether it's business-critical. If not, securely dispose of it. If so, apply the appropriate safeguards (including physical security measures for paper files, and encryption and secure server storage for electronic files). In addition, be sure to revisit stored data and purge anything that is out of date or no longer business-critical.
Keep common-sense best practices in mind when dealing with PII because they add an important layer of security. Password protecting secure systems is a must, as is keeping your passwords private. Do not let unauthorized individuals access secure areas or systems, and don’t be too quick to disclose personal data about yourself, your coworkers, or your customers over the phone or on social media.
At the end of the day, it’s about recognizing PII and keeping security and privacy top of mind as you use, collect, and store personal data. Also be sure to familiarize yourself with any corporate or industry policies that govern handling of PII.
Source: https://dataprivacylab.org/projects/identifiability/paper1.pdf