Ultimately, PII is a legal term, not a technical one. When handling PII, legal counsel should be consulted to determine which federal, national, and regional laws, and which industry regulations, apply to the data sets being accepted, stored, and transmitted. Whatever the specific laws or regulations, which vary across geographies and change with governments, the technical requirements stay the same: access to PII should be tightly controlled, the data should be protected at rest and in transit, and every touchpoint should be auditable. Defining and adhering to a documented security control baseline is how an organization demonstrates that this protection is actually in place.
Beyond securing the data, an organization must also consider the incident and breach reporting requirements that are specific to PII exposure. Depending on the type of data set and the disclosure rules of the jurisdictions involved, additional reporting obligations may apply based on where the data is stored and how it is transmitted.
In the “old days,” exposing sensitive payment card data resulted in monetary fines and penalties, followed by an exercise in extending free credit monitoring to the affected cardholders, and then a return to business as usual. A compromised card number can be reissued; with stolen PII, the repercussions are far harder to remedy. PII data sets can be used to build fake personas from the lives of real people, often resulting in ruined credit ratings, falsified tax returns, and even home mortgages taken out for quick-flipping schemes. Is it any wonder that an organization careless with PII suffers the wrath of the ultimate victims? Customer trust, corporate branding, and future business can quickly dissipate after a PII exposure.
The Ponemon Institute, an independent research organization, values the cost of each exposed PII record at around $178. With the average breach exposing 30,000 records, the financial exposure quickly adds up. Moreover, the per-record costs reported by the Ponemon Institute exclude “catastrophic” breaches of more than 100,000 records, so they understate the worst cases. Add in the indirect costs, such as lawyers and lawsuits, PR damage control, and management attention diverted from the business, and it becomes obvious that a PII debacle exacts a heavy toll on any organization.
The FTC (Federal Trade Commission) is now the federal watchdog for data security oversight. The FTC has established that an organization with “unreasonable data security” protecting its customers’ sensitive information can be subject to fines, class action lawsuits, and public disclosure of the breach, on the grounds of the long-term harm that breached PII causes. Moreover, organizations found to be out of compliance can face consent orders lasting up to 20 years that obligate them to maintain a comprehensive data security program and submit to periodic independent assessments. Most importantly, organizations need to implement a comprehensive data security solution that properly protects customer PII. Tokenization, which replaces PII in application systems with surrogate tokens while the real values are held only in a vault, and Cloud Data Vaulting for PII are an ideal solution for keeping data safe and the FTC at bay.