In 2021, IBM’s annual Cost of a Data Breach report found that the average financial loss associated with a data breach rose from $3.86 million in 2020 to $4.24 million in 2021, the largest single-year increase in the 17-year history of the report. With personally identifiable information being the target in 67% of criminal data-breach attempts, this trend has captured even the attention of Congress.
In June 2022, representatives introduced draft legislation that aimed to modernize existing regulations for the handling of personal financial information to realign industry practices with “our evolving technological landscape.” As the financial risks involved in data breaches continue to rise against a background of potentially enhanced legal liabilities for organizations entrusted with sensitive information, financial service institutions should prioritize understanding personally identifiable financial information and the best practices to protect against disclosing it.
What Is Personally Identifiable Financial Information?
Personally identifiable financial information (PIFI) is a subset of personally identifiable information (PII) and refers specifically to any information consumers or clients provide to a financial institution that should not be disclosed publicly and should be accessible only to authorized users within the institution. As with PII generally, PIFI does not comprise a specifically enumerated list of information types. Rather, financial institutions consider PIFI to be any information that could – as a single data point or in combination with other data – enable the identification of an individual.
PIFI includes both the personal information individuals disclose to financial institutions to validate their identities and the information financial institutions create themselves, such as account numbers, IDs, and PINs.
10 Most Common Types of PIFI
Neither the financial industry nor any applicable regulation specifies the limits of what may constitute PIFI. Nevertheless, the 10 most common types consist of the information an individual would likely have to disclose to create accounts with a financial institution and – subsequently – the information contained in and associated with those accounts.
- Names: full, maiden, mother’s maiden names, and other aliases
- Personal identification numbers: Social Security, passport, driver’s license, and taxpayer identification numbers
- Personal contact information: home addresses, email, phone numbers, and corresponding work information
- Personal characteristic or biometric data: photographs, fingerprints, signatures, retina scans, and voice recordings
- Personal property information: VINs and title numbers
- Asset information such as internet protocol (IP) addresses and media access control (MAC) addresses reliably linked to a specific individual
- Bank account numbers
- Credit card numbers
- Account IDs
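The list above is what an institution needs to be able to recognise in the documents, emails and ticket notes it handles, so a practical first step is a scanner that finds and masks these values before they are stored or forwarded. The following is an added example, not code from the original article or from FileInvite: a small Python detector for several of the listed PIFI types (email addresses, phone numbers, IP addresses, Social Security numbers and payment card numbers) that validates card numbers with the Luhn checksum and SSNs with the published area/group rules so that ordinary reference numbers are not flagged, then redacts what it finds. The sample note, patterns and masking format are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a support-ticket note of the kind that leaks PIFI when it is
# pasted into email or a chat tool. Every value is a test or documentation value.
SAMPLE_NOTE = (
    "Customer Jane Doe (jane.doe@example.com, 555-867-5309) called from 203.0.113.10. "
    "Verified SSN 123-45-6789 and card 4111 1111 1111 1111; account 0000123456 unaffected. "
    "Reference number 4111-1111-1111-1112 is an order id, not a card."
)


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject area/group/serial values that are never issued (000, 666, 9xx, 00, 0000)."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# Simple patterns; the validators above do the real filtering for cards and SSNs.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, optional separators
}


def scan(text: str) -> list[Finding]:
    """Return validated PIFI findings in document order, with nested spans dropped."""
    found: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            if kind == "ssn" and not ssn_plausible(value):
                continue
            found.append(Finding(kind, value, m.start(), m.end()))
    found.sort(key=lambda f: (f.start, -f.end))
    result: list[Finding] = []
    for f in found:
        if result and f.start < result[-1].end:   # overlaps an earlier finding
            continue
        result.append(f)
    return result


def redact(text: str, findings: list[Finding]) -> str:
    """Mask findings right-to-left so earlier offsets stay valid; keep last 4 of cards/SSNs."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.kind in ("card", "ssn"):
            digits = re.sub(r"\D", "", f.value)
            mask = "*" * (len(digits) - 4) + digits[-4:]
        else:
            mask = f"[{f.kind} redacted]"
        out = out[:f.start] + mask + out[f.end:]
    return out


def kinds(text: str) -> list[str]:
    """Sorted list of the PIFI types present in the text."""
    return sorted({f.kind for f in scan(text)})


if __name__ == "__main__":
    hits = scan(SAMPLE_NOTE)
    for h in hits:
        print(f"{h.kind:6} at {h.start:3}: {h.value}")
    print(redact(SAMPLE_NOTE, hits))
```

Run against the sample note, the scanner reports one finding of each type and leaves the look-alike order number alone because it fails the Luhn check; the redacted text keeps only the last four digits of the card and SSN, which is enough for a customer to confirm "the card ending in 1111" but not enough to reuse. Names, biometric data and property identifiers from the list above cannot be found by pattern alone and need a data inventory rather than a regex.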
How Is Personally Identifiable Financial Information Regulated?
In the United States, the federal government has enacted several laws that protect personally identifiable financial information that is collected by companies. The most significant of these laws is the Gramm-Leach-Bliley Act (GLBA), which was enacted in 1999.
The GLBA requires financial institutions to protect the privacy of their customers' personal and financial information. While requirements vary depending on the type of financial institution, in general the GLBA requires financial institutions to:
- Develop and implement a written information security policy that describes the measures they will take to protect customer information
- Provide notice to customers about their information-sharing practices, including the types of information they collect, the types of third parties with whom they share that information, and the choices that customers have regarding the sharing of their information
- Limit the sharing of customer information with third parties, unless the customer has given their consent or the sharing is otherwise permitted by law
- Protect customer information against unauthorized access or use, whether through physical, electronic, or other means
- Dispose of customer information in a secure manner when it is no longer needed
- Provide customers with access to their personal information and allow them to correct any inaccuracies
- Train employees on their responsibilities for protecting customer information
While the GLBA applies specifically to financial institutions, the following tips are worth following for any organization – even one that is not a financial institution.
3 Tips for Organizations to Manage Personally Identifiable Financial Information
The current U.S. regulation most applicable to PIFI – the Gramm-Leach-Bliley Act – states that financial institutions must inform their customers of any changes to their existing privacy policies and must not disclose customers’ nonpublic personal information without express consent. Nevertheless, the law does not specify – beyond privacy policies – exactly what steps institutions must take to fulfill their obligations.
In practice, due diligence in avoiding unauthorized disclosures of PIFI involves the following:
1. Being Transparent to Customers Through Privacy Policies
Privacy policies are a kind of documentation financial institutions must provide customers. These policies must disclose how the institution uses PIFI and must also give customers options to restrict that use.
The law requires institutions to use privacy policies to ensure that customer consent controls the use of PIFI. Additionally, privacy policies include instructions to customers on how to access and delete their PIFI when terminating accounts with an institution.
2. Securing Internal Practices Through PII Policies
While privacy policies cover a financial institution’s external agreements with customers, PII policies focus on how organizations handle PIFI internally, regardless of individual customer consent. PII policies specify how staff who have access to customer PIFI can store and transmit information to minimize the risk of unauthorized exposure. Although the details of any particular PII policy will depend partially on the technologies and applications an organization uses, common best practices will minimally include the following stipulations:
- Staff must not store PIFI on any publicly accessible email or web server.
- Staff must store PIFI only in databases configured to meet industry-standard access-control and authentication requirements.
- Throughout the organization, there must be oversight of every online data and document collection, retrieval, and application request that involves PIFI.
- In-house IT and security staff are responsible for identifying and removing any applications and data handling methods that risk PIFI exposure.
3. Using Best Practices for Securing PIFI
Privacy and PII policies regulate activities to protect PIFI. Beyond observing these policies, organizations can further mitigate the risk of PIFI exposure by taking advantage of the most current technologies. In the financial industry, document collection processes often represent a significant weak point in secure data handling.
There are several best practices that organizations should follow in order to protect personally identifiable financial information. These include:
- Encrypting the data: Encrypting data makes it unreadable to anyone who does not have the decryption key. This can prevent unauthorized access to the data and protect it from being stolen or misused.
- Implementing access controls: Access controls restrict access to sensitive data to only those who are authorized to see it. This can help prevent unauthorized access to the data and ensure that only authorized individuals are able to view or modify it.
- Regularly updating security measures: Regularly updating security measures, such as installing security patches and updating software, can help protect against known vulnerabilities and prevent unauthorized access to sensitive data.
- Conducting regular security audits: Regular security audits can help identify weaknesses in an organization's security measures and provide guidance on how to address them. This can help ensure that sensitive data is properly protected.
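The access-control and audit bullets above, together with the earlier PII-policy requirement that every request involving PIFI be overseen, are easiest to understand as one mechanism: a store that releases each field only to roles cleared for it, masks everything else, and records every read in a log that an auditor can later check for tampering. The following is an added example, not the article's or FileInvite's code, written in Python with only the standard library. The role policy, customer record and audit key are constructed for the example; encryption of the stored records at rest is assumed to be handled by the database and is not shown here.

```python
import hashlib
import hmac
import json
import time

# Constructed policy: the record fields each role may read in the clear.
# Any field not listed for a role is masked before it leaves the store.
ROLE_POLICY = {
    "support": {"name", "email"},
    "loan_officer": {"name", "email", "account"},
    "fraud_analyst": {"name", "email", "ssn", "card", "account"},
}

# Constructed customer record (test values only).
RECORDS = {
    "c-1001": {
        "name": "Jane Doe",
        "email": "jane.doe@example.com",
        "ssn": "123-45-6789",
        "card": "4111111111111111",
        "account": "0000123456",
    },
}


def mask(value: str) -> str:
    """Keep the last four characters: enough to confirm, not enough to reuse."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class PIFIStore:
    """Field-level access control with a tamper-evident audit trail.

    Every read, allowed or denied, is appended to the audit log. Each entry carries an
    HMAC over its own contents plus the previous entry's tag, so editing or deleting an
    entry breaks the chain and verify_audit() reports it.
    """

    def __init__(self, audit_key: bytes):
        self._key = audit_key          # held by the audit function, not by record readers
        self.audit: list[dict] = []

    def _tag(self, entry: dict) -> str:
        payload = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def _append_audit(self, event: dict) -> None:
        prev = self.audit[-1]["tag"] if self.audit else ""
        entry = dict(event, prev=prev)
        entry["tag"] = self._tag(entry)
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        """True if every entry's tag checks out and the chain of prev tags is unbroken."""
        prev = ""
        for entry in self.audit:
            if entry.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._tag(entry), entry.get("tag", "")):
                return False
            prev = entry["tag"]
        return True

    def read(self, actor: str, role: str, customer_id: str, purpose: str) -> dict:
        """Return the customer record with fields the role may not see masked."""
        event = {"ts": time.time(), "actor": actor, "role": role,
                 "customer": customer_id, "purpose": purpose}
        allowed = ROLE_POLICY.get(role)
        if allowed is None:
            self._append_audit(dict(event, outcome="denied"))
            raise PermissionError(f"role {role!r} is not cleared to read customer records")
        record = RECORDS[customer_id]
        view = {k: (v if k in allowed else mask(v)) for k, v in record.items()}
        self._append_audit(dict(event, outcome="ok",
                                fields_clear=sorted(allowed & set(record))))
        return view


if __name__ == "__main__":
    store = PIFIStore(b"constructed-audit-key")
    print(store.read("alice", "support", "c-1001", "password reset"))
    print(store.read("bob", "fraud_analyst", "c-1001", "chargeback review"))
    print("audit intact:", store.verify_audit())
```

The point of the design is that the purpose of each read is captured at the time of access, which is what a periodic audit needs in order to tell legitimate lookups from browsing, and that the log itself is protected: a reviewer who runs verify_audit() over a log with one edited entry gets False, so the audit evidence cannot be quietly adjusted after the fact.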
Many institutions still rely on ad hoc collection methods involving email, paper documents, and digital documents uploaded through different applications. Adopting an integrated document collection platform with secure client portals for all submissions eliminates nearly all the risks associated with these processes while simultaneously reducing the time and effort involved for staff.
PIFI and Secure Document Collection with FileInvite
FileInvite gives your clients access to a single, secure document portal for documentation, making the collection process for loan applications both easier and safer. Running on bank-grade, SOC 2 Type 2 security, FileInvite radically improves loan processing efficiency while giving you the peace of mind that your clients’ PIFI is thoroughly protected.