In a world where we conduct a significant amount of business and other daily operations online, people are becoming increasingly concerned about their online data privacy and how much institutions know about them. There is a rising concern that, in our digital era, preserving our privacy is almost impossible. Every time a user accesses a website, buys something online, or even interacts with a social media post, their data is collected.<\/p>\n
However, not all collected data falls under the category of personally identifiable information (PII). To better assist customers, it\u2019s essential MSPs understand what constitutes PII and what does not. This guide will explain the difference between PII data types, compare PII vs. personal data, discuss the importance of securing PII data, and provide 12 helpful tips designed to secure PII data.<\/p>\n
The definition of PII, according to the\u00a0National Institute of Standards and Technology (NIST)<\/a>, is as follows:<\/p>\n \u201cPII is any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual\u2018s identity, such as name, social security number, date and place of birth, mother\u2018s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.\u201d<\/p><\/blockquote>\n By this definition, to \u201cdistinguish\u201d an individual involves identifying them by discerning one person from another. To \u201ctrace\u201d an individual is to use key pieces of information to determine a specific aspect of a person\u2019s current status or activities. This defining information might include their name, postal address, email address, personal ID numbers, and phone number. Understanding exactly what constitutes PII is crucial for you to begin adequately securing the appropriate data for customers.<\/p>\n The NIST goes on to define two subcategories of PII\u2014linkable information<\/a>\u00a0and linked information. According to the\u00a0NIST Guide to Protecting the Confidentiality of PII<\/a>, linked information refers to information \u201cthat is logically associated with other information about the individual.\u201d For example, a birth name would be categorized as linked information that could be traced to other information about the individual.<\/p>\n On the other hand, the NIST defines linkable information as \u201cinformation about or related to an individual for which there is\u00a0a possibility of<\/em>\u00a0logical association with other information about the individual.\u201d Because there is only a possibility of association, linkable information would not be enough to enable identification of an individual unless it was combined with another piece of information. If a bad actor were able to gain access to two separate databases that included different PII elements, they may be able to link the information and identify the associated individuals\u2014and then access further information relating to said individuals. For example, a birth date would not be enough information to enable the identification of an individual, but it can be used in combination with another piece of information to do so.<\/p>\n Linked PII data includes, but is not limited to, the following:<\/p>\n Linkable PII data includes, but is not limited to, the following:<\/p>\n The definition of what constitutes sensitive PII data is important because the answer corresponds to the industries that should treat securing PII data with additional care. Organizations often have their own definitions of what constitutes sensitive PII based on assigned impact levels. For example, the\u00a0United States Census Bureau<\/a>\u00a0defines a specific range of topics as sensitive, including but not limited to: illegal conduct; information damaging to financial standing, employability, or reputation; politics; religion, sexual behavior or sexual orientation; taxes; and information leading to social stigmatization or discrimination. The compromise, disclosure, or loss of any sensitive PII can cause increased risk to an individual. The following types of information are generally considered to be sensitive PII:<\/p>\n Some organizations have defined certain types or categories of PII as sensitive and assign higher impact levels to those types of PII. For example, in its\u00a0PIA policy, the Census Bureau\u00a0has defined the following topics as sensitive: abortion; alcohol, drug, or other addictive products; illegal conduct; illegal immigration status; information damaging to financial standing, employability, or reputation; information leading to social stigmatization or discrimination; politics; psychological wellbeing or mental health; religion; same-sex partners; sexual behavior; sexual orientation; taxes; and other information due to specific cultural or other factors.<\/p>\n Understandably, if information of this nature went missing or was exploited, it could have a negative impact on the individual to which the information pertains. That\u2019s why it\u2019s critical that businesses in the pharmaceutical, financial, and educational industries secure PII especially carefully. PII security is particularly pertinent to MSPs, because you\u2019re likely to be responsible for securing PII data for customers across industries.<\/p>\n While it\u2019s important to properly secure any customer data, it\u2019s especially important to secure PII because it can often come with greater consequences if compromised. For example, you could be held liable and face hefty fees if you lose PII because it\u2019s is highly regulated in some industries. While this is not an exhaustive list, here are 12 key measures you should consider when protecting PII data.<\/p>\n Complying with the specific PII data encryption requirements pertinent to your customers\u2019 industry, jurisdiction, and technical frameworks is one of the best ways to secure PII data.\u00a0Encryption<\/a>\u00a0helps protect your business and your customers from cybercriminals hoping to steal your data, as it makes it difficult for bad actors to decipher the information even if it falls into the wrong hands. All data has a lifecycle\u2014at rest, in motion, and in use\u2014so you should encrypt your data at all stages.<\/p>\n <\/p>\n Strong passwords are crucial to keeping your data and sensitive information safe. Strong passwords are usually at least eight characters long. They include special characters, upper case letters, and lowercase letters. Avoid using common phrases or personal information in your passwords and have a\u00a0policy<\/a>\u00a0in place for users to immediately change their passwords if any suspicious activity is detected. You should have a unique password for every system, site, and platform and never use the same password twice.<\/p>\n Two-factor or multifactor authentication adds an extra layer of security to the standard online identification system (account name and password). With two-factor authentication, you\u2019re prompted to provide additional verification that helps confirm your identity. For example, two-factor authentication might involve entering an SMS code that gets sent to your device or using biometric data such as a fingerprint scan.<\/p>\n Backups are a crucial part of helping to secure your PII data. The\u00a03-2-1 backup rule<\/a>\u00a0is a useful and simple place to start. This rule entails keeping three different copies of your data on at least two different media types, with one copy in an off-site location.<\/p>\n Data disposal and destruction is a fundamental step to protecting sensitive information. When PII data is no longer needed for the specific purpose for which it was collected, it should be destroyed to help prevent unnecessarily exposing it to risk of being compromised. Various industries have different regulations around minimum retention times or data destruction, so make sure to work with your customers to create customized policies to properly dispose of data when appropriate. Establish a\u00a0well-documented<\/a>\u00a0security policy and ensure your technicians fully understand the data destruction process so they know how to dispose of data securely.<\/p>\n Updates seem like an obvious and simple step towards protecting sensitive data but keeping on top of all of them can become overwhelming when dealing with hundreds or thousands of programs and devices across an entire MSP\u2019s customer base. Despite this potentially daunting task, failing to update devices and systems creates vulnerabilities that hackers can exploit. To help ensure you don\u2019t miss an update or a patch, MSP patch management software\u2014designed for this specific purpose\u2014can go a long way in simplifying this process.<\/p>\n As remote working becomes increasingly prevalent, it\u2019s important organizations ensure employees follow secure best practices even when they\u2019re off-premises. For example, cybercriminals often target public Wi-Fi spots to steal PII and sensitive information. To keep your data safe, all employees should avoid using public Wi-Fi when working remotely. Secure Wi-Fi is much harder for cybercriminals to exploit and is just one easy precaution users can take when working from home or another location.<\/p>\n For additional security, make sure your employees are encouraged to take advantage of a\u00a0Virtual Private Network (VPN)<\/a>\u00a0application. It will encrypt your connection to the server and allow you to access a private network while sharing data remotely via the public network. This should be a last resort if public Wi-Fi is absolutely necessary.<\/p>\n There are three key ways a criminal can access your data with minimal effort\u2014that is, without even needing to use sophisticated digital methods. These three ways are:<\/p>\n Encouraging your technicians and customers to be as threat-aware as possible can help decrease the chances of PII data being stolen without their knowledge. Ensuring any documents that discuss PII data are properly disposed of (for example, if it\u2019s a physical document\u2014use a paper shredder!) can make all the difference.<\/p>\n Somewhat related to raising threat awareness, device locking is important because it assumes there is always a potential threat\u2014especially if your device is left unattended for any period of time. For example, if you leave your laptop in the office overnight, make sure you\u2019ve locked it so it\u2019s password-protected before you leave. Bad actors will take any opportunity to infiltrate your device\u2014enabling a simple auto-locking feature on a device can help prevent data loss.<\/p>\n Users are often the weakest link when it comes to security. It only takes one user\u2019s mistake for a cybercriminal to infiltrate the network. For example, phishing scams are highly preventable if you know what to look out for\u2014but many users are unable to distinguish a sophisticated phishing attempt from a legitimate request. Conducting\u00a0staff awareness training<\/a>\u00a0(or customer awareness training) can help better prepare your users to recognize a scam.<\/p>\n There are many tools available on the market today designed to maximize an organization\u2019s security in the face of increased cybercrime. Such tools can include firewalls,\u00a0antivirus software<\/a>,\u00a0antimalware software<\/a>, and much more. When securing data on behalf of your customers, such tools can make a big difference in allowing you to provide efficient and effective service. Taking your time to research your options and find tools that meet your specific needs can allow you to achieve a more comprehensive approach to security.<\/p>\n With so many tools to choose from, choosing an all-in-one remote monitoring and management solution is a great option that allows you to accomplish a multitude of tasks from one dashboard. Especially as you strive to provide exceptional service, choosing a tool that compiles the power of multiple tools into one can help increase productivity and keep customers happier.<\/p>\n If you\u2019re looking to get up and running as fast as possible, N‑sight\u00a0Remote Monitoring and Management (RMM) software can help. This software provides an all-in-one suite of tools designed to help you maintain and augment your customers\u2019 IT systems, making it easier to help secure PII data on their behalf. RMM is a powerful tool with a user-friendly dashboard that makes it easy for technicians to highlight issues and prioritize tasks. RMM includes fast remote access, patch management, managed antivirus, web protection, data-breach risk intelligence, and backup capabilities. To learn more, access a 30-day free trial\u00a0here<\/a>.<\/p>\n If you\u2019re an MSP that\u2019s more interested in expanding your customer base and offering them powerful, customized capabilities, N‑central\u00ae<\/sup>\u00a0might be the better fit for you. On top of the same robust security features as RMM, N‑central<\/a> also offers PSA integrations, a script editor to reduce the need for coding, and layered automation capabilities to free up your technicians\u2019 time. These all-in-one capabilities make it easier for your technicians to maximize security across your diverse customer base and help protect PII data, regardless of the industry. A\u00a030-day free trial<\/a>\u00a0is available for MSPs who want to learn more.<\/p>\n","protected":false},"excerpt":{"rendered":" Find out how your MSP can help secure PII data, why it\u2019s important for your industry, and how certain software can help you achieve optimal PII data security.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5283","post","type-post","status-publish","format-standard","hentry","topic-security"],"acf":[],"yoast_head":"\nPII data types<\/h2>\n
\n
\n
What is Sensitive PII Data?<\/h2>\n
\n
How to secure PII data<\/h2>\n
1. ENCRYPT PII DATA<\/h3>\n
2. CREATE A STRONG PASSWORD POLICY<\/h3>\n
3. UTILIZE MULTIFACTOR AUTHENTICATION<\/h3>\n
4. CREATE BACKUPS<\/h3>\n
5. PRACTICE SMART DATA DISPOSAL PRACTICES<\/h3>\n
6. STAY ON TOP OF UPDATES<\/h3>\n
7. ESTABLISH SECURE REMOTE WORK POLICIES<\/h3>\n
8. OFFER A SECURE VPN<\/h3>\n
9. RAISE THREAT AWARENESS<\/h3>\n
\n
10. PRACTICE DEVICE LOCKING<\/h3>\n
11. CONDUCT REGULAR STAFF SECURITY TRAINING<\/h3>\n
12. USE THE APPROPRIATE TOOLS TO MAXIMIZE SECURITY<\/h3>\n
The right tools for securing PII data<\/b><\/h2>\n