When an organization is hacked, the real ouch is when Personal Identifying Information (PII) is compromised. That’s when customers and clients really get upset, and compliance auditors go into a full tizzy.
So, what is PII? It is a bit vague, but chances are you know it when you see it (or lose it!).
According to the U.S. General Services Administration (GSA), "The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available—in any medium and from any source—that, when combined with other available information, could be used to identify an individual."
TechTarget has its own PII take. “Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII,” the website explained. “PII may be used alone or in tandem with other relevant data to identify an individual and may incorporate direct identifiers, such as passport information, that can identify a person uniquely or quasi-identifiers, such as race, that can be combined with other quasi-identifiers, like date of birth, to successfully recognize an individual.”
Not All PII is the Same
Not all PII is sensitive or private, but all sensitive and private PII must be protected. “PII can be labeled sensitive or nonsensitive. Nonsensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories, and websites. This might include information such as zip code, race, gender, date of birth and religion—information that, by itself, could not be used to discern an individual's identity,” TechTarget explained. “Sensitive PII is information that, when disclosed, could result in harm to the individual if a data breach occurs. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure.”
Protecting Personal Information Guide
PII Rules to Live By
Protecting PII is not just the proper thing to do, it also keeps you on the right side of the law. “While you’re taking stock of the data in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information,” The FTC’s Protecting Personal Information Guide argues. “Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you’ve traced how it flows.”
Encryption is Essential
The Federal Trade Commission is keen on encryption. “Encrypt sensitive information that you send to third parties over public networks (like the internet) and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business,” the FTC advised.
PII in Records and Files
Folks often think of PII in databases, but it is also often stored in files such as Excel worksheets and even Word Docs. In fact, documents like Microsoft Office docs are where MOST of your company’s sensitive data including PII is held. “Sensitive data is often stored in carefully protected systems with access controls and restrictions on usage. However, once data is exported from these systems—sometimes for valid business uses such as customer segmentation or powering a marketing campaign—it’s easy to lose control over the data. Sending sensitive data in email messages or as attachments, results in a broader attack surface for sensitive data, thus increasing the threatscape if an email account or cloud storage account is compromised,” Osterman Research said in its What Decision-Makers Can Do About Data Protection report.
The FTC noted the importance of encryption for PII wherever it resides. When it comes to files, it is just as critical to encrypt at rest and in transit, which is when the files are transferred.
TechTarget agrees. “Sensitive PII should therefore been crypted in transit and when data is at rest. Such information includes biometric data, medical information covered by Health Insurance Portability and Accountability Act (HIPAA) laws, personally identifiable financial information (PIFI) and unique identifiers, such as passport or Social Security numbers,” the website cautioned.
Why Personal Identifying Information Must be Secure
“Protecting PII is essential for personal privacy, data privacy, data protection, information privacy and information security. With just a few bits of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal,” TechTarget contends.
PII Breaches Cost Serious Money
The 2020 Cost of a Data Breach Report estimates that the average cost of a loss of PII or other data is $3.86 million globally, and that number jumps to $8.64 million in the United States. The report also found that custom PII data has the highest cost per record lost at $150, while the health care industry had the highest average cost of a data breach at $7.13 million. Also, the average time to pinpoint and contain a data breach was 280 days.
FTP Better Than Email, but Not Nearly Good Enough to Transfer PII
FTP (short for File Transfer Protocol) file transfer solutions beat the pants off email for securely transferring files but have limits no organization that deals with PII should put up with.
The main problem is the lack of a method for encryption during file transport, meaning your sensitive health data could be intercepted during transport. FTP solutions, which rely on manual processing with no native means for automation and integration with business processes, are not scalable. If you want to automate and integrate, you go back to your in-house script jockeys to write customized scripts.
Meanwhile, files stored on an FTP server stay there until someone takes them off. This is a big burden for account administrators that must act for single time setup, deletion or change management process. Finally, FTP solutions lack the great stuff Managed File Transfer features, including connectivity, administration, automation and reporting.
The Managed File Transfer (MFT) Answer
So, how do you encrypt, track and authenticate file transfer users? Managed File Transfer (MFT), that’s how!
Because it can do all these things, MFT is the perfect way to replace all or most of the ways your shop transfers files, except for the ad hoc sending of non-sensitive material.
Even better, MFT is a true IT solution offering a single, secure, manageable and automated solution. And the MFT console gives IT pros a single pane of glass to see all activities, dramatically reducing the risk of file transfers gone wrong or offering answers if they somehow do.
That single solution for secure file transfer and sharing of sensitive files has several benefits. End users and IT are more productive because regularly scheduled file transfers are automated so users don’t have to lift a finger. They are also secure in the knowledge the files will be taken care of properly.
Learn more about secure file transfer by reading Osterman Research’s What Decision-Makers Can Do About Data Protection report.
Doug Barney
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.