Personally Identifiable Information Policies: Does Your Company Need One?
To mitigate the risk of exposing customers' personally identifiable information to unauthorized users, companies may wish to formulate PII policies.
In the last two years, the global shift to remote work has precipitated major changes in the methods and targets of cybercrime. As workloads moved to the cloud, remote access points and vulnerabilities proliferated, inviting cybercriminals to focus on remote workers and technologies. Following recent FBI warnings concerning digital identity verification, the surge in attacks targeting remote workers and their personally identifiable information (PII), now accounting for 67% of all cybercrime, has emerged as a high security priority for businesses in all industries.
What Is Personally Identifiable Information?
The U.S. General Services Agency (GSA) considers personally identifiable information (PII) to be any information that third parties can use to distinguish or trace an individual’s identity, whether consisting of a single data point or multiple data points combined to create an identifying link to a specific individual. The GSA does not limit the definition of PII to any specifically enumerated categories of information. Rather, the agency acknowledges that all personal information has the potential to become PII when integrated with other information.
Examples of Personally Identifiable Financial Information
Common examples of single-point PII include:
- Personal identification numbers such as social security, passport, driver’s license, tax IDs, and account and credit card numbers
- Physical and email addresses
- Telephone numbers
- Biometric data
- Property data such as VINs and title numbers
Information that can become PII when combined with other data frequently includes an individual’s:
- Date or place of birth
- Business phone numbers or email addresses
- Demographic data such as race, religion, or ethnicity
Minimize Risk with a Personally Identifiable Information Policy
U.S. law does not yet clearly define the legal liabilities for private businesses associated with sharing or leaking PII. In certain fields such as healthcare and education, specific regulations like HIPAA and FERPA apply. Nevertheless, most consumers expect even private companies who possess their PII to protect it and would decline to do business with those that do not.
What Is a Personally Identifiable Information Policy?
To mitigate the risk of exposing clients’ PII to unauthorized access, companies can formulate PII policies to guide employee handling of PII. Though similar, PII policies differ from privacy policies. Privacy policies allow consumers to grant or limit the sharing of their personal information, while PII policies govern the use of PII internally without reference to consumer preferences.
To effectively regulate how employees handle PII internally, organizations need to first understand where and how PII currently exists in their systems. This process – called personal data mapping – involves deploying data inventory methods that identify PII. For all instances of PII, a personal data map should allow you to answer four questions that determine the security state of the information concerned.
- What is the data type? For example, is it a string, an integer, or an image file?
- What is the data format? Is it digital or hardcopy?
- Where is the data stored? On a local server or third-party cloud server?
- Which transfer methods apply to the data? Email, messaging applications, software-as-a-service (SaaS) user sessions? In which transfer methods is the data encrypted?
Currently, there is no gold standard for what PII policies must dictate. Nevertheless, best practices focus on restricting any unnecessary sharing of PII, internally as well as externally, and keeping PII off any public-facing applications. Basic PII policy parameters should stipulate that:
- Users do not store PII on any publicly accessible server, either web or email
- Users must store PII on databases that conform to industry-standard access and authentication regulations
- Oversight must apply to all online data collection, retrieval, and application requests that may include PII
- In-house IT staff and cybersecurity officers must take responsibility for identifying and removing any applications and data-handling methods that do not conform to the previous guidelines. Because PII may arise from amalgamations of distinct, non-PII data points, staff should regularly audit the applications that data-handling employees use, to identify new exposures
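The data-mapping questions and the policy parameters above can be turned into a repeatable check over a PII inventory. The following is an added example, not FileInvite's code and not a tool the article describes: each inventory record answers the four mapping questions (type, format, storage, transfer methods), and the audit flags PII on public-facing web or mail servers, digital stores without access control, and unencrypted transfer paths. It also escalates two or more combined quasi-identifiers (date of birth, business email, demographics) to PII, which is the amalgamation case the last policy parameter warns about. All field names, category sets and sample records are constructed for illustration.

```python
"""Added example: audit a personal data map against basic PII policy rules.

Every identifier below (categories, storage labels, sample records) is a
constructed assumption for illustration, not a standard or a product schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Single-point PII: any one of these alone identifies a person (article's first list).
SINGLE_POINT_PII = {
    "ssn", "passport", "drivers_license", "tax_id", "account_number",
    "card_number", "address", "email", "phone", "biometric", "vin", "title_number",
}

# Quasi-identifiers: PII only in combination (article's second list).
QUASI_IDENTIFIERS = {
    "date_of_birth", "place_of_birth", "business_phone", "business_email",
    "race", "religion", "ethnicity",
}

# Storage locations the policy treats as publicly accessible (web or email).
PUBLIC_STORAGE = {"public_web_server", "mail_server"}


@dataclass
class DataMapEntry:
    name: str                   # inventory label for this data set
    fields: set[str]            # data elements held, e.g. {"ssn", "email"}
    data_type: str              # Q1: "string", "integer", "image", ...
    data_format: str            # Q2: "digital" or "hardcopy"
    storage: str                # Q3: where it lives (assumed labels)
    transfers: dict[str, bool]  # Q4: transfer method -> encrypted in transit?
    access_controlled: bool     # store enforces authentication/authorization


def classify(entry: DataMapEntry) -> str:
    """Return 'pii', 'potential_pii' or 'non_pii' for one inventory entry."""
    if entry.fields & SINGLE_POINT_PII:
        return "pii"
    quasi = entry.fields & QUASI_IDENTIFIERS
    # Two or more quasi-identifiers together form an identifying link.
    if len(quasi) >= 2:
        return "pii"
    return "potential_pii" if quasi else "non_pii"


def findings(entry: DataMapEntry) -> list[str]:
    """Policy violations for one entry; an empty list means compliant."""
    cls = classify(entry)
    problems: list[str] = []
    if cls == "non_pii":
        return problems
    if cls == "potential_pii":
        # Not PII on its own, but worth a review note if it sits somewhere public,
        # because other public data could complete the identifying link.
        if entry.storage in PUBLIC_STORAGE:
            problems.append(f"{entry.name}: review, quasi-identifier on {entry.storage}")
        return problems
    # From here on the entry is PII and the basic policy parameters apply.
    if entry.storage in PUBLIC_STORAGE:
        problems.append(f"{entry.name}: PII stored on public-facing {entry.storage}")
    if entry.data_format == "digital" and not entry.access_controlled:
        problems.append(f"{entry.name}: PII store lacks access control")
    for method, encrypted in entry.transfers.items():
        if not encrypted:
            problems.append(f"{entry.name}: PII transferred via {method} unencrypted")
    return problems


def audit(entries: list[DataMapEntry]) -> list[str]:
    """Run findings() over a whole data map and collect every violation."""
    return [problem for entry in entries for problem in findings(entry)]


# Constructed sample data map (not real systems or data).
SAMPLE_MAP = [
    DataMapEntry("loan_application_scans", {"ssn", "address"}, "image", "digital",
                 "cloud_db", {"sftp": True, "email": False}, True),
    DataMapEntry("marketing_contact_list", {"business_email", "date_of_birth"},
                 "string", "digital", "public_web_server", {"https": True}, True),
    DataMapEntry("newsletter_stats", {"open_rate"}, "integer", "digital",
                 "cloud_db", {"https": True}, True),
    DataMapEntry("birthday_reminders", {"date_of_birth"}, "string", "digital",
                 "cloud_db", {"https": True}, True),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_MAP):
        print(line)
```

Running the block prints two findings: the scanned applications are PII sent over unencrypted email, and the contact list, which holds no single-point PII, is still classified as PII because it combines two quasi-identifiers and sits on a public web server. The single date-of-birth set is only potential PII and produces no finding where it is stored.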
A PII Policy Is Just One Way to Keep Clients Safe
For organizations that handle sensitive consumer data and personally identifiable financial information, PII policies are an important part of data breach risk management. Nevertheless, with nearly 99% of businesses using at least one software-as-a-service (SaaS) platform and 56% now running at least half their workloads in the cloud, protecting PII requires more than just regulating data handling within your organization.
As third-party service providers continue to store and transmit more PII, organizations should choose their service providers carefully, as data breaches remain endemic to SaaS cloud environments. Among SaaS providers, 43% report experiencing unrecoverable data loss to ransomware and other cyberattacks in the last 12 months. To help organizations identify providers with high data security standards, the American Institute of CPAs maintains a set of voluntary compliance standards that providers can adopt to certify their trustworthiness. In the financial services industry, the de facto standard among these is SOC 2 Type 2 compliance.
PII and Secure Document Collection with FileInvite
FileInvite provides financial institutions with an integrated platform to streamline secure document collection. With client portals operating on bank-grade, SOC 2 Type 2 compliant security, FileInvite allows you to accelerate your document collection processes while providing your clients with the highest standard of data security.