For organizations that persist in sharing PII over email, there are three information security protocols you should enforce to minimize risk and liability.
Data breaches involving clients’ personally identifiable information (PII) are on the rise for the third consecutive year. According to the IBM report - Cost of a Data Breach Report 2023, the average cost of a data breach in 2023 was USD 4.45 million. That's a 15% increase compared to the previous three years. Among breach vectors, email remains particularly problematic, with 3/4 of companies have experienced an increase in email-based threats.
If your organization still exchanges PII over email and email attachments, you should be aware of the risks involved and what steps you can take to mitigate them while preparing an alternative solution.
In the United States, the General Services Agency (GSA) – an independent support agency for operations in other federal agencies – loosely defines PII to be any information pertaining to an individual that a third party could possibly use to trace and pinpoint that specific individual’s identity. PII may consist of single data points or aggregates of multiple data points from which a successful inference can be made.
The GSA’s definition of PII is open by design. Rather than listing a fixed catalogue of information types as PII, the federal government takes the position that organizations who handle PII should take reasonable steps to identify it and protect it from breach or disclosure.
You can learn more about specific types of PII here.
In regulated industries such as financial services and healthcare, public disclosures of PII – either inadvertently or through malicious third-party activity – can result in legal consequences through federal compliance regulations like the Gramm-Leach-Bliley Act or HIPAA.
In other industries, potential legal ramifications are also possible where international business falls under foreign regulations such as the E.U.’s General Data Privacy Regulation (GDPR).
To mitigate the risks associated with storing and transmitting PII, many organizations implement information security or PII policies that apply strict guidelines for handling and accessing PII. These policies typically enforce strong account credentials and the use of encryption, as well as prohibiting the storing of PII on public-facing applications or databases.
The most common culprit for PII transmission and storage is email servers. While encryption options exist on most major email platforms such as Gmail and Outlook, few users take advantage of this option and the overwhelming majority of emails containing PII attachments are transmitted in plain text across public networks.
In regulated industries like financial services and healthcare, client onboarding often requires the collection of dozens of documents containing the most sensitive forms of PII. For organizations that continue to use email as a document collection tool, knowing the risks is crucial to crafting effective information security policies.
For organizations that persist in sharing PII over email and public networks, there are three information security protocols you should enforce to minimize risk and liability.
Train your staff to recognize PII and be wary of where they send and store it in your systems.
Require encryption for all PII-containing emails and attachments, as well as storage on a secure database after delivery.
Unnecessary instances of PII – such as those contained in email attachments – must be purged from inboxes and other insecure storage sites upon receipt.
With the year-over-year rate of data breaches increasing for the foreseeable future, organizations must grapple with the risk of the practices they maintain and the potential costs.
Already there have been several data breaches so far in 2023 with various degrees of severity and consequences. In June 2023, American Airlines reportedly suffered a data breach in which hackers stole personal information relating to thousands of pilots who had applied for roles at the company. Meanwhile, the U.S. Department of Health and Human Services disclosed that the biggest health data breach of 2023 so far affected millions of people, leading to at least 11 lawsuits in California. Therefore preventing data breaches is essential for maintaining the security and privacy of sensitive information.
New FTC regulations pertaining to PII as defined in the Gramm-Leach-Bliley Act go into effect next month, and Australia is looking to introduce legislation to better enforce information security practices as well.
While we cannot speak with certainty about the changing legislation in Australia, we do know that the updated FTC Safeguards rule will make it nearly impossible to continue requesting sensitive information and being compliant with the rule.
Now is the time to get your PII out of email.
For organizations in need of a quick, comprehensive solution to the pervasive problem of email security, FileInvite’s secure document collection software can jumpstart improved and compliant information security practices.
To learn more and request a demo, visit FileInvite today.
With digitized healthcare records having become the standard, robust security measures are vital to protect healthcare PII and PHI.
The California Privacy Rights Act (CPRA) recently went into effect. U.S. businesses should familiarize themselves with the restrictions around data...
The FTC's updated Safeguard Rule's requirements around encryption, authentication, and customer data disposal expose email’s security shortcomings.