In a world where we conduct a significant amount of business and other daily operations online, people are becoming increasingly concerned about their online data privacy and how much institutions know about them. There is a rising concern that, in our digital era, preserving our privacy is almost impossible. Every time a user accesses a website, buys something online, or even interacts with a social media post, their data is collected.
However, not all collected data falls under the category of personally identifiable information (PII). To better assist customers, it’s essential MSPs understand what constitutes PII and what does not. This guide will explain the difference between PII data types, compare PII vs. personal data, discuss the importance of securing PII data, and provide 12 helpful tips designed to secure PII data.
What is PII data?
The definition of PII, according to the National Institute of Standards and Technology (NIST), is as follows:
“PII is any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
By this definition, to “distinguish” an individual involves identifying them by discerning one person from another. To “trace” an individual is to use key pieces of information to determine a specific aspect of a person’s current status or activities. This defining information might include their name, postal address, email address, personal ID numbers, and phone number. Understanding exactly what constitutes PII is crucial for you to begin adequately securing the appropriate data for customers.
PII data types
The NIST goes on to define two subcategories of PII—linkable information and linked information. According to the NIST Guide to Protecting the Confidentiality of PII, linked information refers to information “that is logically associated with other information about the individual.” For example, a birth name would be categorized as linked information that could be traced to other information about the individual.
On the other hand, the NIST defines linkable information as “information about or related to an individual for which there is a possibility of logical association with other information about the individual.” Because there is only a possibility of association, linkable information would not be enough to enable identification of an individual unless it was combined with another piece of information. If a bad actor were able to gain access to two separate databases that included different PII elements, they may be able to link the information and identify the associated individuals—and then access further information relating to said individuals. For example, a birth date would not be enough information to enable the identification of an individual, but it can be used in combination with another piece of information to do so.
Linked PII data includes, but is not limited to, the following:
- Full name
- Home address
- Social Security number
- Email address
- Passport number
- Driver’s license number
- Telephone number
- Login details
- Credit card numbers
Linkable PII data includes, but is not limited to, the following:
- First or last name
- Non-specific age
- Job position and workplace
What is Sensitive PII Data?
The definition of what constitutes sensitive PII data is important because the answer corresponds to the industries that should treat securing PII data with additional care. Organizations often have their own definitions of what constitutes sensitive PII based on assigned impact levels. For example, the United States Census Bureau defines a specific range of topics as sensitive, including but not limited to: illegal conduct; information damaging to financial standing, employability, or reputation; politics; religion, sexual behavior or sexual orientation; taxes; and information leading to social stigmatization or discrimination. The compromise, disclosure, or loss of any sensitive PII can cause increased risk to an individual. The following types of information are generally considered to be sensitive PII:
- Employment information
Some organizations have defined certain types or categories of PII as sensitive and assign higher impact levels to those types of PII. For example, in its PIA policy, the Census Bureau has defined the following topics as sensitive: abortion; alcohol, drug, or other addictive products; illegal conduct; illegal immigration status; information damaging to financial standing, employability, or reputation; information leading to social stigmatization or discrimination; politics; psychological wellbeing or mental health; religion; same-sex partners; sexual behavior; sexual orientation; taxes; and other information due to specific cultural or other factors.
Understandably, if information of this nature went missing or was exploited, it could have a negative impact on the individual to which the information pertains. That’s why it’s critical that businesses in the pharmaceutical, financial, and educational industries secure PII especially carefully. PII security is particularly pertinent to MSPs, because you’re likely to be responsible for securing PII data for customers across industries.
How to secure PII data
While it’s important to properly secure any customer data, it’s especially important to secure PII because it can often come with greater consequences if compromised. For example, you could be held liable and face hefty fees if you lose PII because it’s is highly regulated in some industries. While this is not an exhaustive list, here are 12 key measures you should consider when protecting PII data.
1. ENCRYPT PII DATA
Complying with the specific PII data encryption requirements pertinent to your customers’ industry, jurisdiction, and technical frameworks is one of the best ways to secure PII data. Encryption helps protect your business and your customers from cybercriminals hoping to steal your data, as it makes it difficult for bad actors to decipher the information even if it falls into the wrong hands. All data has a lifecycle—at rest, in motion, and in use—so you should encrypt your data at all stages.
2. CREATE A STRONG PASSWORD POLICY
Strong passwords are crucial to keeping your data and sensitive information safe. Strong passwords are usually at least eight characters long. They include special characters, upper case letters, and lowercase letters. Avoid using common phrases or personal information in your passwords and have a policy in place for users to immediately change their passwords if any suspicious activity is detected. You should have a unique password for every system, site, and platform and never use the same password twice.
3. UTILIZE MULTIFACTOR AUTHENTICATION
Two-factor or multifactor authentication adds an extra layer of security to the standard online identification system (account name and password). With two-factor authentication, you’re prompted to provide additional verification that helps confirm your identity. For example, two-factor authentication might involve entering an SMS code that gets sent to your device or using biometric data such as a fingerprint scan.
4. CREATE BACKUPS
Backups are a crucial part of helping to secure your PII data. The 3-2-1 backup rule is a useful and simple place to start. This rule entails keeping three different copies of your data on at least two different media types, with one copy in an off-site location.
5. PRACTICE SMART DATA DISPOSAL PRACTICES
Data disposal and destruction is a fundamental step to protecting sensitive information. When PII data is no longer needed for the specific purpose for which it was collected, it should be destroyed to help prevent unnecessarily exposing it to risk of being compromised. Various industries have different regulations around minimum retention times or data destruction, so make sure to work with your customers to create customized policies to properly dispose of data when appropriate. Establish a well-documented security policy and ensure your technicians fully understand the data destruction process so they know how to dispose of data securely.
6. STAY ON TOP OF UPDATES
Updates seem like an obvious and simple step towards protecting sensitive data but keeping on top of all of them can become overwhelming when dealing with hundreds or thousands of programs and devices across an entire MSP’s customer base. Despite this potentially daunting task, failing to update devices and systems creates vulnerabilities that hackers can exploit. To help ensure you don’t miss an update or a patch, MSP patch management software—designed for this specific purpose—can go a long way in simplifying this process.
7. ESTABLISH SECURE REMOTE WORK POLICIES
As remote working becomes increasingly prevalent, it’s important organizations ensure employees follow secure best practices even when they’re off-premises. For example, cybercriminals often target public Wi-Fi spots to steal PII and sensitive information. To keep your data safe, all employees should avoid using public Wi-Fi when working remotely. Secure Wi-Fi is much harder for cybercriminals to exploit and is just one easy precaution users can take when working from home or another location.
8. OFFER A SECURE VPN
For additional security, make sure your employees are encouraged to take advantage of a Virtual Private Network (VPN) application. It will encrypt your connection to the server and allow you to access a private network while sharing data remotely via the public network. This should be a last resort if public Wi-Fi is absolutely necessary.
9. RAISE THREAT AWARENESS
There are three key ways a criminal can access your data with minimal effort—that is, without even needing to use sophisticated digital methods. These three ways are:
- Shoulder surfing: when a threat actor accesses your data by simply looking over your shoulder to see information on your computer screen or tablet
- Tailgating: when a cybercriminal tries to gain access to your physical location by using your credentials
- Dumpster diving: when cybercriminals go through the physical garbage of an organization in the hope of finding PII data
Encouraging your technicians and customers to be as threat-aware as possible can help decrease the chances of PII data being stolen without their knowledge. Ensuring any documents that discuss PII data are properly disposed of (for example, if it’s a physical document—use a paper shredder!) can make all the difference.
10. PRACTICE DEVICE LOCKING
Somewhat related to raising threat awareness, device locking is important because it assumes there is always a potential threat—especially if your device is left unattended for any period of time. For example, if you leave your laptop in the office overnight, make sure you’ve locked it so it’s password-protected before you leave. Bad actors will take any opportunity to infiltrate your device—enabling a simple auto-locking feature on a device can help prevent data loss.
11. CONDUCT REGULAR STAFF SECURITY TRAINING
Users are often the weakest link when it comes to security. It only takes one user’s mistake for a cybercriminal to infiltrate the network. For example, phishing scams are highly preventable if you know what to look out for—but many users are unable to distinguish a sophisticated phishing attempt from a legitimate request. Conducting staff awareness training (or customer awareness training) can help better prepare your users to recognize a scam.
12. USE THE APPROPRIATE TOOLS TO MAXIMIZE SECURITY
There are many tools available on the market today designed to maximize an organization’s security in the face of increased cybercrime. Such tools can include firewalls, antivirus software, antimalware software, and much more. When securing data on behalf of your customers, such tools can make a big difference in allowing you to provide efficient and effective service. Taking your time to research your options and find tools that meet your specific needs can allow you to achieve a more comprehensive approach to security.
The right tools for securing PII data
With so many tools to choose from, choosing an all-in-one remote monitoring and management solution is a great option that allows you to accomplish a multitude of tasks from one dashboard. Especially as you strive to provide exceptional service, choosing a tool that compiles the power of multiple tools into one can help increase productivity and keep customers happier.
If you’re looking to get up and running as fast as possible, SolarWinds® Remote Monitoring and Management (RMM) software can help. This software provides an all-in-one suite of tools designed to help you maintain and augment your customers’ IT systems, making it easier to help secure PII data on their behalf. RMM is a powerful tool with a user-friendly dashboard that makes it easy for technicians to highlight issues and prioritize tasks. RMM includes fast remote access, patch management, managed antivirus, web protection, data-breach risk intelligence, and backup capabilities. To learn more, access a 30-day free trial here.
If you’re an MSP that’s more interested in expanding your customer base and offering them powerful, customized capabilities, SolarWinds N-central® might be the better fit for you. On top of the same robust security features as RMM, N-central also offers PSA integrations, a script editor to reduce the need for coding, and layered automation capabilities to free up your technicians’ time. These all-in-one capabilities make it easier for your technicians to maximize security across your diverse customer base and help protect PII data, regardless of the industry. A 30-day free trial is available for MSPs who want to learn more.