Personal Identifiable Information (PII) Explained

If data is the diesel that powers today’s economic engine, personal identifiable information (PII) is the rocket fuel launching it to stratospheric heights. More data means more power, acceleration, and speed in the never-ending battle for engagement, influence, and market dominance.

But this comes with incredible volatility. Even a small leak can trigger an explosive chain reaction that can irreparably damage everything in its path. And yet, many organizations are failing to adequately manage the growing —and increasingly consequential — data security and privacy risks.

PII includes any factual or subjective data about an individual, recorded or not, including:

  • Name
  • Age
  • Identification numbers
  • Ethnic origin
  • Blood type
  • Income
  • Credit records
  • Medical records
  • Employee records
  • Disciplinary actions
  • Criminal records
  • Complaints or disputes
  • Opinions
  • Evaluations
  • Comments
  • Social status
  • Relationship status
  • Purchase intentions
  • Employment intentions

Growing Regulatory Complexity

Governments are cracking down on how organizations collect, share and use PII. Most G20 countries have either passed or are in the process of enacting strict new data privacy  legislation. Organizations that either do business within these jurisdictions or transact with clients who live there will have to comply or risk significant penalties.

Not only do organizations now need to be wary of the potential consequences for non-compliance, but also how to align privacy policies, processes and controls against numerous laws around the world. 

Growing Organizational and Technological Complexity

The number of uses for PII keeps growing by the day. But increased PII collection, analysis, and distribution creates a growing number of risks. The more applications a single data point touches — e.g. cloud, analytics, internet of things, AI, etc. — the more challenges and complexity it invariably creates. As organizations adopt more third-party and cloud-based applications, they also need to consider each vendors’ policies, procedures, and security controls. It doesn’t matter where a breach or regulatory violation originates, most regulations hold the organization that collected the data accountable.

Similar concerns surround growing secondary and tertiary uses for transactional data to create value for customers and stakeholders. While best practices are to de-identify this information (i.e. eliminate the possibility for it to be traced back to an individual), this still adds yet another complexity. More steps, more regulations, more applications, more opportunities for something to go wrong.

More Frequent (and More Costly) Cyber Attacks

Cyber criminals are also cashing in on the data rush, with the number of attacks and breaches increasing year over year. Critically, the PII hackers gain access to doesn’t even have to be of value to anyone but the target organization. Criminals know organizations will pay a hefty price to restore business operations, and avoid regulatory fines/ lasting reputational damage. That puts everyone at risk.

Just as the attacks themselves keep rising, so is the cost of a breach. And it’s not just ransoms organizations need to consider. Consider the potential costs of:

  • Finding the source and cause of the breach
  • Remediating the breach and restoring operations
  • Identifying and notifying affected parties
  • Ongoing monitoring for additional damage (e.g. identity theft)
  • Regulatory fines and sanctions
  • Lawsuits
  • Reputational damage and lost business

A Ponemon Institute report revealed the average breach cost Canadian businesses $4.4 million in 2019 — at an average of $187 for every lost record. The U.S. nearly doubled that at $8.2 million and $242 respectively. These numbers will keep rising as organizations as continue collecting more information, face stricter regulatory scrutiny, and encounter more attacks.

Keeping Pace With a Growing Number of Cyber and Privacy Risks

Demands for transparency

Customers and employees need to be comfortable with how organizations are collecting, using, and sharing their information.

Data breaches

Organizations that collect too much information or don’t adequately protect the information they collect are particularly vulnerable.

Cyber fraud

The more operations that move online, the more opportunities and means for fraudsters and cyber criminals to misappropriate information — and cover up their actions.

Adapting to evolving regulatory demands

Organizations need to stay informed about their obligations and continually adapt processes and procedures to avoid fines, penalties, and reputational damage.

Rising third-party risks

Organizations are responsible for the shortfalls of their vendors. Technology partners must meet or exceed stringent data security practices and standards.

Ensuring insiders manage risk effectively

Employee awareness and vigilance is critical.

It only takes one negligent technology or network user to compromise the whole system.

Difficulty Balancing Adaptability and Accountability

Many privacy officers face an uphill battle in convincing decisionmakers to prioritize data security at least as much as speed and agility. Nobody wants to slow down when everyone else is focused on securing the first move advantage.

Disruption remains one of the most fearsome (or frightening) buzzwords in the current environment. It’s too easy for some to downplay the consequences of a breach compared to the risk of getting outflanked by the competition. 

Shifting Organizational Priorities

The economic shutdown forced numerous organizations to face their own mortality — especially any non-essential services that could not easily transition to remote work. That meant funneling significant resources into continuity efforts like layoffs, applying for government subsidies, negotiating rent deferrals, and preserving cash flow; often at the expense of data privacy and security.

At the same time, the threat of breaches and misconduct began skyrocketed. It’s too early to know the true number of cyber attacks and breaches between March and June, let alone how many were attributable to employees and leaders letting their guard down. But as many as 200,000 COVID-19-related phishing attacks were reported in February alone.

It’s also feasible many organizations failed to adequately revoke access privileges for team members who were either laid off or furloughed. This exposed many networks and applications to negligent, stressed, or even malicious individuals looking to cash out or settle a score. Such vulnerabilities may still exist in some organizations.

Rapid Transition to Remote Work

We’re in the midst of the single largest remote work experiment ever conducted. Millions of workers suddenly found themselves video conferencing, accessing company servers, and sharing documents and information from their homes. Thousands of organizations also had to rapidly procure, implement, and onboard their team members on new remote working applications — trying to strike a balance between getting it right and minimizing downtime.

This introduced three major data and privacy concerns:

  1. Increased number of attack points: The potential for endpoint compromise rises exponentially with the number of people connecting to enterprise resources outside perimeter controls. It’s not just home networks, but also home computers and home phones.
  2. Lack of knowledge around remote working polices, procedures, and best practices: Employees’ responsibility for protecting sensitive data has become significanty greater in the months since COVID-19 emerged. Organizations need to consider not only the transition to remote work but how that has altered workflows, pocesses, and responsibilities. Ongoing privacy and security training must be a priority, along with continuous employee involvement in the security and privacy program.
  1. New and / or unproven platforms: COVID-19 put a spotlight on remote networking applications, and the conversation has not always been complimentary. Security experts were quick to point out some glaring vulnerabilities across several platforms which developers were not always quick to address.

Compounding that is the lack of comparison shopping, due diligence, and onboarding by organizations who needed to quickly get up and running on new platforms. Risk and security teams lacked time to evaluate the vulnerabilities or consequences, let alone what additional controls and resources might be necessary.

New Customer Engagement Processes and Technologies

Rapidly shifting business and customer engagement models was the only way many organizations could survive the COVID-19 shutdown. Brick and mortar stores needed to move online. Dine in restaurants needed to offer food delivery. Other businesses needed to rapidly retool and refocus entire supply chains to cater to new clients and industries.

The common denominator here is either the widespread adoption of new technologies (e.g. apps, websites, etc.), or significant changes inthe use of existing technologies (e.g. adding secondary or tertiary uses for existing data). This typically requires a long planning horizon to consider the risks involved. What could normally take months was condensed into weeks or even days.

The potential risks are still present for clients who patronized these organizations and surrendered information for use in unproven customer relationship management (CRM) platforms, Enterprise Resource Planning (ERP) systems, apps, websites, and analytics tools. And they will continue to worsen unless organizations step back to audit their privacy and security measures and put the necessary controls in place.

Collecting Highly Sensitive Information to Meet Safety Demands

COVID-19 has necessitated data collection about employees’ and customers’ health, whereabouts, and relationships that seemed unfathomable heading into 2020. But it would be almost impossible for services to stay open without these contact and test tracing applications — let alone for employees to return to the workplace safely.

Organizations cannot downplay the risks involved with developing these new applications or collecting additional sensitive PII. While some exceptions may have applied during the pandemic to meet employee’s safety needs, regulators and stakeholders expect PII will be handled with care and within regulatory requirements.

We’ve discussed the challenges, but what are some solutions?

In our whitepaper, Beyond Regulation, MNP’s Adriana Gliga-Belavic examines some solutions to the challenges presented as a result of COVID-19, including the role of privacy audits and effective internal controls.

Connect with an MNP advisor to discuss your data privacy and security needs.



 

Author: Adriana Gliga-Belavic

Adriana Gliga-Belavic, CISSP, CIPM, PCIP, is a Partner, member of the Firm’s Cyber Security team and Privacy Leader with MNP in Toronto. Passionate about security and privacy, Adriana helps public and private clients build pragmatic strategies and privacy programs to maintain customer trust and find the right balance between business results, proactive cyber resiliency and enhanced privacy.