
Understanding PII

Personally identifiable information (PII) is important data in your enterprise, as it enables you to manage digital identities. PII includes any data that can identify a person, such as a social security number, a date of birth, or a place of birth. Mishandling PII can lead to identity theft, affecting your users or customers. It can also lead to significant fines and reputation damage for your organization.

Most likely, avoiding the handling of PII altogether is not a feasible option for your organization. Instead, you need proper practices and systems in place to ensure the proper handling of PII. In this post, we’ll look more closely at PII. We’ll look at relevant data protection laws, consider common threats to PII, and provide guidance for how your organization can take protective measures.

What is PII?

PII encompasses any data that can be used to specifically identify an individual. This data is categorized into two types: direct and indirect identifiers.

Direct identifiers can explicitly identify a person. They include data such as:

  • Social security numbers
  • Passport numbers
  • Driver's license numbers

These identifiers are often unique to the individual. As such, they can directly reveal a person’s identity without the need for any additional context.

Indirect identifiers, on the other hand, might not identify a person on their own, but they can do so when combined with other data. For example, consider a date of birth and a place of birth. Individually, they may not be enough to reveal a person’s identity. However, when linked, they can.

Expanding on these concepts, it’s important to understand that non-PII data can also become PII data, depending on the context of its use or if it is aggregated with other information. As an example, we know that a zip code alone may not be PII. However, when combined with an individual’s job title and employer it might narrow down identities, particularly in less populated areas.


Legal and regulatory frameworks

How you manage and handle PII is governed by several key data privacy laws and regulations that aim to protect individual privacy. Here’s a look at some of the most significant regulations:

The General Data Protection Regulation (GDPR) in the European Union (EU) is one of the most stringent data privacy laws in the world. It imposes obligations onto organizations anywhere in the world, so long as they target or collect data related to EU residents. The GDPR emphasizes transparency, security, and accountability by any entities that process this data, while also granting individuals significant rights over their data.

Similar to the GDPR, the California Consumer Privacy Act (CCPA) provides California residents with specific rights about their data:

  • The right to know what personal data is being collected about them
  • The right to request the deletion of their data
  • The right to opt out of the sale of their personal information

The CCPA also requires businesses to protect Californians’ data with reasonable security measures.

Finally, the Health Insurance Portability and Accountability Act (HIPAA) in the United States protects all "individually identifiable health information" held or transmitted by covered entities or their business associates. This act requires the protection and confidential handling of protected health information.

Non-compliance with these laws can lead to severe penalties. Organizations may face legal repercussions, fines, and damage to the company’s reputation. If your organization handles PII, then you must understand these regulations and implement the necessary policies and procedures to ensure compliance.

Threats to PII

Today’s cyber attacks threaten the security of your PII. Understanding these threats is important, so that your organization can implement effective security measures. Common threats to PII include:

  • Data breaches: When sensitive, protected, or confidential data is accessed or disclosed without authorization. Data breaches might be the result of sophisticated cyberattacks, or they might just stem from simple human error. However, the impact of a data breach can be incredibly widespread, leading to significant financial and reputational damage.
  • Phishing attacks: Deceptive attempts—typically carried out via email—to obtain sensitive information by pretending to be a trustworthy entity. Often, the goal of a phishing attack is to extract PII such as usernames, passwords, or credit card details. Phishing is one of the most common methods used by attackers to gather PII for malicious purposes.
  • Malware: Any software intentionally designed to damage a computer, server, client, or computer network. Once cybercriminals infect a system with malware, they can inflict follow-up damage, such as stealing PII, locking out legitimate users, or other harmful actions.


Best practices for protecting PII

Your organization should implement the following data protection best practices to safeguard PII against the above cyber threats and others.

Data minimization

Collect only the data that is necessary for the intended purpose. If you don’t have a good reason for collecting a certain piece of data, then don’t collect it. The less sensitive information you handle, the less you might accidentally expose. In addition, this keeps your compliance footprint as small as possible, simplifying your task of complying with data protection regulations.

Data anonymization and pseudonymization

Whenever possible, anonymize or pseudonymize data to enhance privacy. Anonymization, also known as de-identification, involves stripping data of personally identifiable elements. This makes it impossible to identify the subject without additional information.

Pseudonymization replaces identifiers with fictitious labels. This allows data to be processed without revealing personal identities.
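The following is an added example, not code from the original post or from CrowdStrike: it pseudonymizes the direct identifiers of a record with keyed HMAC tokens (the token scheme is this example's choice, not something the post prescribes), generalizes an indirect identifier (date of birth to year), drops another (place of birth) under data minimization, and then checks whether the remaining indirect identifiers still single anyone out. The records, field names and key are constructed placeholders.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records; the SSN values are placeholders, not real identifiers.
RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "dob": "1988-03-14",
     "birthplace": "Springfield", "zip": "62704"},
    {"name": "Bob Example", "ssn": "000-00-0002", "dob": "1991-11-02",
     "birthplace": "Shelbyville", "zip": "62565"},
    {"name": "Alice Example", "ssn": "000-00-0001", "dob": "1988-03-14",
     "birthplace": "Springfield", "zip": "62704"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")   # replaced by fictitious labels
DROPPED_FIELDS = ("birthplace",)       # with DOB this re-identifies; do not keep it


def pseudonym(value: str, key: bytes) -> str:
    """Keyed label for a direct identifier. HMAC (not a plain hash) so that the
    same input always maps to the same label, but nobody without the key can
    recompute labels from a list of candidate values. The key must be stored
    separately from the pseudonymized data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_dob(iso_date: str) -> str:
    """Reduce a full date of birth to its year: the indirect identifier now
    matches many people instead of one."""
    return str(date.fromisoformat(iso_date).year)


def pseudonymize_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROPPED_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(value, key)
        elif field == "dob":
            out[field] = generalize_dob(value)
        else:
            out[field] = value
    return out


def pseudonymize(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def smallest_group(records: list, quasi_fields: tuple) -> int:
    """Size of the smallest set of records sharing the same indirect-identifier
    values. A result of 1 means at least one person is still unique."""
    counts = Counter(tuple(r[f] for f in quasi_fields) for r in records)
    return min(counts.values())
```

Run `smallest_group(pseudonymize(RECORDS, key), ("dob", "zip"))` on a real dataset before release: a value of 1 shows the indirect identifiers still re-identify someone, exactly the zip code plus other attributes problem described earlier in the post.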

Encryption

Use encryption to protect data at rest, in transit, and in use. That way, if data is intercepted or exfiltrated, it remains unreadable to anyone without the proper decryption key.

Secure storage

Employ secure storage solutions, such as hardened databases or cloud storage buckets, to protect data from unauthorized access and breaches. Ensure that you secure these storage solutions with proper access controls.

Regular security audits

Conduct regular security audits and vulnerability assessments to identify and mitigate potential security gaps in the system.

Adopting these practices helps ensure that your PII is protected from unauthorized access and misuse. This will reduce your risk of data breaches as well as help you comply with privacy laws.


CrowdStrike's approach to PII protection

In this post, we’ve covered PII, the regulations governing its protection, and the threats it faces. We also looked at best practices to guide you in safeguarding your organization’s PII. 

CrowdStrike Falcon® Data Protection provides continuous monitoring and real-time visibility into the sensitive data in your cloud-native applications and systems. It helps you track down where PII is stored and how it's being accessed across your organization. As an AI-native platform providing continuous security, CrowdStrike Falcon® Data Protection enforces data security policies dynamically, adjusting its protective measures as new threats are detected or as data moves within the network.

Ryan Terry is a Senior Product Marketing Manager at CrowdStrike focused on identity security. Ryan has more than 10 years of product marketing experience in cybersecurity and previously worked at Symantec, Proofpoint, and Okta. Ryan holds a Master of Business Administration (MBA) from Brigham Young University.