Fortinet Blog | News and Threat Research

Stakes Are High For PII

by Stefanie Hoffman  |  June 27, 2012  |  Category: Industry Trends & News

Personally identifiable information — the words are tossed around constantly in the news, by security folk and, with increasing frequency, by any organization forced to disclose a data breach.

When used in the latter context, personally identifiable information (PII) — data that could be used for identity theft — has somehow been exposed or has gotten into the hands of cybercriminals.

But what does the term mean exactly? What are the implications of its loss these days? And how can it be protected?

At its root, PII simply means any information that can be used to identify, contact or locate a single individual. Naturally, this includes any unique piece of data that can be linked to a specific person — data such as name, address, date of birth, telephone number, Social Security number, driver’s license number, or medical history.

The term PII has become ingrained in the security vernacular in recent years, largely attributed to its status as a high-stakes target for cybercriminals intent on committing identity theft.

Meanwhile, it goes without saying that identity theft has only continued its upward trajectory as cloud collaboration platforms, social networking, mobility and other IT trends have paved the way for cybercriminals to easily pilfer users’ personal information from the Web.

In addition, compliance regulations over the last decade have lent new significance to the term PII while lighting a fire under the feet of organizations to bolster the security mechanisms that protect it. The implementation of federal and industry-specific compliance mandates such as SOX, HIPAA, HITECH, PCI DSS and others was, in part, a response to the rising tide of identity-theft incidents stemming largely from the increasing availability of PII.

Now, in light of a growing number of data breaches each year, enforcement mechanisms are only becoming more punitive for all sectors, as more organizations routinely handle and store customers’ most sensitive personal information. Jason Clark, Fortinet systems engineering director, U.S. channels, said in a recent interview that he had seen an increase in publicly traded companies requiring SOX certification, banking and financial companies driving tighter GLB regulations and more businesses using credit cards as the primary form of payment.

“Protecting PII data within these types of organizations will become not only critical to the livelihood of their business, but quite frankly, will help keep executives from realizing hefty fines—or worse, jail time,” he said.

And while financial penalties for non-compliance can be upwards of $500,000, these fines can easily be exceeded by the costs of “clean-up” and remediation, should customer PII be either accidentally or maliciously exposed in an actual data breach.

“In cases of account information disclosure, it is first required to notify all potential affected customers via written letters,” he said. “There can be a high cost in material, postage and time associated with the notification process alone. When taking into consideration manufacturing costs of new credit cards for example, this can be enough to take some organizations out of their market.”

Subsequently, in light of serious public relations and legal consequences for breaches and increasingly stringent compliance penalties, the threat of loss or exposure to PII is enough to strike fear in the hearts of IT administrators and keep the highest ranking C-level executives up at night.

Keep in mind, of course, that data is never 100 percent secure, especially when it is stored on Web-facing servers and passes through routine transactions in constantly changing applications. However, there are some best practices organizations can apply to shift the odds a little more in their favor.

Management and employee education is a key factor in mitigating an organization’s risk, Clark said, which is where appropriate security tools come into play. In particular, role-based data loss prevention products not only trigger on, record and alert IT administrators to such breaches, but also give security personnel the ability to react to them. Those mitigation techniques could range from archiving the data transmission, to alerting management, to quarantining a user or vector from further transactions until the threat is sufficiently addressed, he added.

But in this case, knowledge empowers, and one of the most important steps an organization can take is to comprehensively assess the location of all of its risk areas. Essentially, that means companies will need to determine where all of their PII is stored, who has access to the information and how PII moves, both within and outside the confines of the organization, Clark said. Once that information is discovered and cataloged, the onus will be on IT administrators to implement appropriate security policies protecting that data.

“An updated security policy will help with visibility into new and emerging threat vectors,” Clark said. “Once the security policy is defined, we can now take the necessary steps to deploy an enforcement model to protect our private data.”

Tags: HIPAA HITECH mobility PCI DSS personally identifiable information PII Social Networking SOX
