PII Protection Solution: How to Chose One, Threats & Solutions

Over the last few years, data breaches and the amount of personal information compromised have increased substantially. According to the Identity Theft Research Center, by September of 2021, the number of data breaches exceeded the total number that occurred the year before, in 2020. Another report reveals that reported data breaches in 2021 soared 68% to their highest number ever, and in 2021 these breaches resulted in the theft of an estimated 40 billion records. This sobering statistic illustrates how inevitable data breaches have become.

With data breaches now an inescapable part of life, organizations need to shift their focus towards defending their most sensitive resource – i.e., PII. While the loss of data is already a valid reason to look out for your users’ best interests, money generally drives organizations to take the necessary action to protect PII. There are numerous financial costs that organizations might have to deal with post-breach, including regulatory fines, downtime, post-breach responses, lost business, PR and notifying the customer base, and detection and escalation.

If an organization can prove that the data breach didn’t result in the loss of PII, regulatory bodies will ignore it as they aren’t concerned with the loss of anonymized data. With the proliferation of privacy regulations worldwide and the growth of security and privacy tools, how do you choose the right strategy that best suits your needs? We will explore various options in this article.

What Is PII?

PII (personally identifiable information) is any information or fragment of information that can be used alone or combined with other data to specifically identify an individual or, in several regulations, a household. This includes:

• Direct information such as a unique full name, phone number, physical address, or passport information
• Indirect information can combine to determine one’s identity (such as date of birth, gender, and zip code, which, when combined, can identify over 60% of US citizens)
• Highly sensitive information like credit card numbers and SSN

For additional reading, check our detailed post regarding what PII is.

The Importance of Protecting PII

Our digital identity is intertwined with our physical identity. The loss of sensitive information has severe ramifications on customers. The nightmarish process of clearing your name and credit history and the struggle to get credit or loans, housing, employment, or medical services after a breach can lead to depression, anxiety, and even post-traumatic stress disorder.

“The psychological effects of cyber-attacks may even rival those of traditional terrorism.”

DR. Maria Bada, Research Associate at the Cambridge cybercrime center

The relationship and trust between end customers to any service provider that had a breach will be impacted. In addition to brand impact and customers' lost trust, there are legal and financial implications. According to research done by IBM, the average data breach cost in 2022 rose to $4.35M. The cost of a PII leak comes in many forms: reputation damage, productivity loss, and downtime due to resources spent on damage control, fines, legal fees, and more.

A PII leak has legal ramifications on both a state and federal level in the US and over 130 other countries around the globe, governed by regulations such as the GDPR and CCPA. Failure to comply with security regulations can result in fines and penalties that have the potential to deal a massive financial blow to your organization, and many executives feel this is just the beginning of a new wave of regulations.

To quote Julie Brill, Microsoft’s Chief Privacy Officer and Corporate Vice-President for Global Privacy and Regulatory Affairs, “The regulatory tsunami is coming.” PII protection will keep the involvement of privacy regulators out of the equation in the event of data leaks with non-PII data. Unfortunately, even high-profile information technology companies can become victims of massive data leaks. For example, in April 2022, MailChimp experienced a data breach in which hackers accessed accounts and users’ personal information from over 300 companies. Organizations of all sizes and levels of importance are at risk, including smaller startups.

The cybercrime market is estimated to be worth $6 trillion, and as the value of data continues to grow, data theft is unlikely to stop anytime soon. The numbers speak for themselves, data breaches are here to stay and are inevitable, and every organization, regardless of size, has to prepare for this eventuality, but how?

Where to start? You can quickly create a free Vault account and start using our APIs to protect PII.

How to Establish a PII Protection Strategy

Establishing a PII protection strategy is an organizational collaborative effort involving numerous groups: legal, compliance/audit, engineering, data, and external partners to bridge gaps in knowledge if necessary. The strategy must address the People, Processes, and Technology (PPT) framework guidelines, as building the required strategy is not only a technical challenge; employees' privacy awareness and training alongside processes must complement the technological solution.

As part of our research phase at Piiano, we talked with hundreds of privacy and security professionals. We learned that many organizations face a similar challenge - how to translate the guidelines set out by regulatory bodies into practical technological infrastructure. Having a single empowered focal point, especially in large organizations, is a huge challenge. Once the working team has been established, there are fundamental questions that need to be answered to establish a strategy to protect sensitive information:

• What sensitive information do we collect?
• Where do we currently store this information?
• What is the sensitivity of the information?
• What privacy/security regulations apply to us?
• What measures are we taking to protect the data?
• Who can access the data?
• Will we know if the data is compromised?
• What is the technical interpretation of the legal privacy requirements?

Relatively, the applicable legal regulations and their legal implications are easier to answer compared to the rest of the questions. It is important to understand that these questions need to be answered continuously and not just once, as regulations and organizations’ data needs change over time.

Privacy is growing more important and beginning to play a significant role within organizations. This shift in priorities can be seen in the increasing amount of staff dedicated to privacy compared to the number focused on security.

The next step involves performing a security and privacy risk assessment and evaluating the security and privacy framework, which can provide further guidelines and building blocks to a holistic strategy. Below, we’ll explore the challenges around PII storage management and look at some of the best practices regarding privacy.

PII Storage and Management

One of the most important aspects of protecting data is storing and managing it properly. Proper storage minimization and management practices can prevent wasted time and energy on storing data that’s no longer needed while ensuring that sensitive data is prioritized for protection. The first step is to understand what PII you have by identifying the PII data scattered throughout your environment and what it means by classifying it (whether it is personal information or not) and implementing data tagging.

This process is called PII discovery and is crucial to data visibility. There are various ways an organization can handle PII discovery, like using data cataloging tools, which require access to databases in use. An alternative is to use an advanced tool like the Piiano Flows, which analyzes the organization's source code to understand what PII is collected and processed.

Some forms of PII can change (e.g., last name, address, phone number, etc.) - ensuring all of your stored data is up to date avoids the unnecessary compliance and security risk of storing data that's no longer in use. It is also important to note that the GDPR requires that data be kept for a defined amount of time per the purpose it is being used for. When protecting data, customer PII should be your top priority, which makes understanding where and how it's stored critical.

Data States and Storage

In most organizations, PII is distributed across several systems, from general data storage locations such as on-premises to cloud environments or endpoint devices. There are several common environments across businesses: analytics, production, and organizational environments like endpoints and Office 365.

Each of these environments requires different management practices and staff. Production is especially challenging as developers tend to have data duplications, which doubles the risk. Sensitive data needs to be protected in all locations and states. There are three states of data:

• Data in Motion/Data in Transit: Data in motion normally refers to data that is in the process of being transferred over the network. This data state generally exists when data is regularly accessed by individuals or applications.
• Data in Use/Data in Process: Data in use is data that applications need to access and process from a database or file storage. The application or device collects the data from its original location, making the data reliant on the device or application’s security. If the software or device is breached, the data becomes vulnerable.
• Data at Rest: Data at rest is all the data kept in some form of storage that is not currently in use. Data at rest is usually stored encrypted on hard drives and is considered the most vulnerable state for data to be in.

PII Protection Practices

Protecting PII is critical, and choosing the most effective protection method for your organization is just as important. Different organizations may have different use cases around data usage and associated protection techniques, which is why it’s important to use the right ones to ensure your customers’ PII remains protected at all times. This includes:

Encryption

Encryption helps ensure that data remains unusable when a breach happens. Encryption is a process in which data is transformed from its original form (plaintext) to a form called ciphertext using a key. The ciphertext is unreadable to anyone without the key, protecting the original data from hackers' use even if they breach the system.

Some PII protection regulations require encryption, and the U.S. government even designed its encryption technique to serve as an industry standard. For safety's sake, encryption should be used with other data protection methods.

Tokenization

Tokenization replaces a specific piece of sensitive data with a random string of characters (a token) that serves as a placeholder for the original data, thus reducing its sensitivity so that the privacy risk is eliminated if it's compromised.

The token is not personal data as it can’t be associated with an individual and is meaningless to any malicious actors that access it. The token maps back to the sensitive data through a tokenization system. The original data can only be recovered by entities with the right access privileges to convert it back to its original form. Tokenization can be leveraged to pseudonymize data sets, replacing sensitive information with tokens.

Privacy-by-Design

While security-by-design takes a proactive approach to security, privacy-by-design takes a proactive approach to privacy by transforming privacy protection into a core principle of the product design and development process and dictating how data should be stored, processed, and shared.

This puts the responsibility of implementing privacy measures and architecture into the hands of the developers, who must implement it at every stage of the product lifecycle. Privacy-by-design and security-by-design are complementary methods but not interchangeable.

‍Privacy protection focuses on specific data such as PII and personal information, complying with privacy regulations, and understanding the different types of data being handled. Security, on the other hand, does not differentiate between different types of data and focuses on protecting all data equally, despite not all data being equally important.

With the privacy-by-design approach, PII protection is the driving principle behind decisions made at every stage of the development process and product lifecycle. Some of the decisions that fall under privacy-by-design include how to utilize data securely, how long to store data, and which data operations have been approved by the data owner (your user). Privacy-by-design involves:

• Protecting data to minimize damage caused by breaches before they occur
• Making privacy an embedded part of the design process as opposed to an afterthought
• Keeping privacy a central priority throughout the product’s entire lifecycle

Unfortunately, many organizations take the less comprehensive approach of prioritizing security, leaving their most valuable assets vulnerable. Adopting the privacy-by-design approach not only helps mitigate the damage of a data leak or breach, but also makes it easier to comply with privacy regulations.

Proper PII Tracking and Management

Proper data management is essential for compliance with legal privacy regulations. Data management is a broad term used for general knowledge of where and how you store your data within your data stores. It is critical to understand how your database is structured and what data it contains in order to classify the data (whether it is sensitive data or not), store the more sensitive parts securely, and be able to facilitate privacy user rights requests, such as data subject access request (DSAR), the right to be forgotten (RTBF), or the right to rectification.

Having a regularly updated and well-maintained inventory of your various data assets (aka data catalog) is essential for adequately managing PII. Knowing what data is currently in use also helps you identify data that can be (and in some cases - must be) erased, which is required to comply with privacy regulations (such as the GDPR’s RTBF) and helps you avoid wasting resources on protecting data you no longer need.

Knowing where new or high-priority data is stored allows you to monitor its security and ensure it remains safe. Additionally, tracking PII is essential to detecting possible breaches and identifying what data was compromised. Proper data management practices seem logical and straightforward, but many organizations struggle with implementation.

This leads to critical PII being unmonitored and scattered across various databases and organizations with no consistent process for easy identification, tracking, and securing of PII data. In addition, developers aren’t educated to keep PII in (virtually) one place, thus over time, PII becomes fragmented and hard to track again.

Multi-Layered Security

Using multiple security defense tools together can create stacked security layers, making it more difficult for attackers to access the data, as they must penetrate every layer. This makes hacking much harder and gives organizations more time to identify the intrusion.

DIY

Why privacy and not security? The DIY option is typically used for privacy because the market for security solutions is saturated. With data breaches on the rise, privacy is essential to help reduce the damage. Unfortunately, it’s easier to find a good security solution that works for your organization and not quite so easy to find privacy solutions, pushing some organizations to try to develop their own.

Creating your own solution comes with high costs, including the original cost of building a solution from the ground up, maintaining and upgrading the system, the infrastructure costs of operating the solution, and the compliance costs required to get your solution certified. All these costs raise your product’s TCOO (total cost of ownership), not to mention the extra expertise required and learning the laws.

You’ll also need to modify your solution as new regulations are introduced and existing regulations are updated. In addition to these costs, building the software will delay your other projects as you divert human resources to focus on designing a privacy solution.

PII Vault

A PII vault, also called a data privacy vault, is the advanced take on data management. Rather than investing human resources in tracking your data manually, a vault allows you to store all your sensitive data in one secure location within your environment. A vault provides the best of both worlds by leaving your data easily accessible only to users and applications with verified permission to access it.

This measure prevents the data from leaking or falling into the wrong hands. Vaults also encrypt/tokenize your data, making it unreadable to outsiders who may try and intercept it while it's at rest or in motion. The Piiano Vault is an extremely versatile solution that can be used to protect PII and any other sensitive data. Additionally, the vault includes protective measures to prevent data leaks by inside jobs and bad actors, such as retaining all access records, detecting unusual activities, and only allowing access to users who can provide a legitimate reason for accessing the data.

The PII vault combines many of the benefits of the other solutions by tokenizing data, managing it, and ensuring that it is stored securely. By deploying a PII vault, you can select which sensitive information you want to store in it, allowing you to move more or fewer data into the vault according to your organization’s needs. For example, you can start by moving only SSN data to the vault.

The Piiano Vault combines encryption, granular access controls, access rate limits, and a tokenization engine in one solution. It goes beyond just privacy compliance and ensures that your customers' most sensitive data remains safe, even in the event of a breach.