Data - PII Tokenization
Personally Identifiable Information
PII is now center stage as the most valuable data set to steal. Using pilfered PII, a cyber-criminal can build a complete virtual identity. PII data sets—such as social security, date of birth, employment history—are used to create a fraudulent personas with which a fraudster can buy goods and services, open lines of credit, change bank account access, and a plethora of other illegal activities. The damage stolen PII can do to victims has caught the attention of the Federal Trade Commission, which has ruled that people can sue for long-term damages when their PII is stolen from an organization’s business systems. Legal firms are all too ready to work with groups of victims to file massive class-action lawsuits against organizations that are negligent in securing PII. This trend is a lot more expensive than just shutting off a credit card and offering credit reporting for a year. Class-action lawsuits can be potentially ruinous for organizations that are found guilty of violating their security and privacy statements when PII goes missing.
What is PII?
NIST Special Publication 800-122 defines Personally Identifiable Information (PII) as any information about an individual maintained by an agency, including
- Information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number, mother’s maiden name, or alias.
- Information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry).
The term is widely used in different contexts in many different industries, jurisdictions, and legal settings.
What are the PII compliance obligations?
Ultimately, PII is a legal term, not a technical term. When dealing with PII, legal council should be sought to determine the State or Federal laws or industry regulations associated with the datasets being accepted, stored, and transmitted. Ultimately, regardless of the specific law or regulation, PII data should be tightly controlled, protected, and auditable. Defining and adhering to a documented security control baseline helps ensure proper protection of PII data.
Beyond securing the data, an organization must also consider the incident or breach reporting requirements specific to PII exposure. Depending on the data set type and legal course of disclosure, additional reporting requirements may be necessary based on where the data is being stored and how it is being transmitted.
Benefits of PII Tokenization
- The Tokenization process is no different than PCI
- Low Overhead- The More You PII you Store, your per record cost decreases
- Fully Customized PII Tokenization Schedule
- Fully Customized Tokenization Schemes to match the data type you want to secure
- Keep certain portions of tokenized PII for Big Data analytics
- Use Secured Data for never before seen insight into customer behavior, internal environment behavior, establish trends, stay ahead with business intelligence
- Use a phased tokenization approach with different PII datasets
- Secure Your Rewards programs, so you never expose valuable customer data
How TokenEx secures PII
TokenEx helps organizations secure PII by offering a controlled, auditable method of securely storing and interacting with sensitive information. In many cases, organizations need not transact directly with PII, but instead can interact with a token that represents the PII. The actual sensitive data is stored in a TokenEx Secure Cloud Data Vault, enabling organizations to minimize the scope and risk associated with handling PII.
Examples of PII Tokenization
With TokenEx’s unique tokenization processes, any data type can be vaulted and tokenized. This flexibility gives organizations the ability to secure sensitive data such as Social Security Numbers that would otherwise be stored in a database, as well as electronic forms in a document management system that contain sensitive personal information.