What is sensitive data and where does it live in collaboration?
Every organization handles some form of sensitive data, such as intellectual property, financial records, legal documents, and regulated information like payment card details, protected health information, and personally identifying information (PCI/PHI/PII).
The goal of sensitive data management is to identify and mitigate the risks associated with handling regulated data and discussing confidential business dealings in collaboration tools like Slack and Microsoft Teams. If leaked or exfiltrated, this information could harm the company's reputation, cost market share, or lead to lawsuits and regulatory action.
What is personally identifiable information (PII)?
Personally identifiable information (PII) is any information that, when linked to a specific individual, can be used alone or with other relevant data to uncover their identity.
There are two types of identifiers. The first is direct identifiers like passport information or a unique customer number that can identify an individual uniquely. The second is indirect identifiers, or so-called quasi-identifiers, such as date of birth. When combined with other quasi-identifiers like zip codes, this information could successfully reveal an individual’s identity.
What is considered PII?
Any information connected to a specific individual that can be used to uncover their identity is considered personally identifiable information (PII).
Examples of PII include:
- Full (Legal) Name
- Home Address
- Email Address
- Social Security Number
- Passport Number
- Driver's License Number
- Credit Card Numbers
- Date of Birth
- Telephone Number
- Owned property, e.g. Vehicle Identification Number (VIN)
- Login Details
- Processor or Device Serial Number
- Media Access Control (MAC) address
- Internet Protocol (IP) address
- Device IDs
- Cookies
These are considered PII because they are static identifiers that consistently link to a particular person or group of people. When combined with other pieces of information, they could successfully identify, trace, or locate a person or group of people.
Sensitive vs. non-sensitive PII
Not all personally identifiable information (PII) carries the same level of risk.
Sensitive PII includes information that, if disclosed, could cause significant harm to an individual. This can be through financial fraud, identity theft, or reputational damage. Sensitive PII is often subject to stricter regulatory controls and requires stronger protection measures.
On the other hand, non-sensitive PII includes personal data that is less likely to cause harm if exposed on its own. However, when combined with other data points, even non-sensitive PII can become identifying and increase risk.
While non-sensitive PII may not always require encryption or redaction, it still warrants protection, especially when stored alongside sensitive information.
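As an added illustration of the direct/quasi-identifier distinction and the sensitive vs. non-sensitive split above (example code written for this page, not Mimecast's), a small scanner over constructed chat messages: direct identifiers are redacted, card-like digit runs are confirmed with a Luhn check so random numbers are not flagged, and two quasi-identifiers in one message escalate its rating. The patterns and risk rules are assumptions for the example, not a standard.

```python
import re

# Constructed sample chat messages (not from the page) a scanner would inspect.
MESSAGES = [
    "Customer callback: card 4111 1111 1111 1111, expires 09/27",
    "Applicant SSN is 123-45-6789, DOB 1984-07-14, zip 90210",
    "Ping me at alice.doe@example.com when the deck is ready",
    "Order ref 1234 5678 9012 3456, shipping zip 90210, born 1984-07-14",
]

# Direct identifiers name a person alone; quasi-identifiers only in combination.
DIRECT = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
QUASI = {
    "dob": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "zip": re.compile(r"\bzip\s+\d{5}\b", re.IGNORECASE),
}
SENSITIVE_DIRECT = {"ssn", "card"}  # enable fraud or identity theft if leaked


def luhn_ok(candidate: str) -> bool:
    """Mod-10 checksum: drops digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0


def classify(message: str) -> dict:
    """Report identifiers found, the risk level, and a redacted copy."""
    found, redacted = [], message
    for kind, rx in DIRECT.items():
        for m in rx.finditer(message):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # 13-19 digits that fail Luhn are not a card number
            found.append(kind)
            redacted = redacted.replace(m.group(), f"[{kind.upper()} REDACTED]")
    quasi = [k for k, rx in QUASI.items() if rx.search(message)]
    found.extend(quasi)
    if any(k in SENSITIVE_DIRECT for k in found) or len(quasi) >= 2:
        level = "sensitive"      # direct sensitive ID, or quasi-IDs that combine
    elif found:
        level = "non-sensitive"  # identifying, but low harm on its own
    else:
        level = "none"
    return {"identifiers": found, "level": level, "redacted": redacted}
```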
Data privacy laws and PII
As data breaches and cyber threats increase, global data protection regulations have become more rigorous. Organizations that collect, process, or store PII must comply with regional and industry-specific data security laws. This is done to prevent unauthorized access and protect individual privacy.
In the United States, the Privacy Act of 1974 governs how federal agencies handle personal data. Sector-specific laws like HIPAA (for healthcare) and GLBA (for financial institutions) impose strict controls on sensitive information.
Similarly, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require organizations to uphold transparency, accountability, and consent when managing personal data.
Key requirements across most regulations include:
- Implementing strong security controls to prevent data leaks or unauthorized access
- Minimizing the collection of unnecessary PII
- Providing individuals with rights over their personal data, including access, correction, and deletion
- Reporting data breaches to authorities and affected users in a timely manner
Failure to comply with these laws can lead to substantial fines, reputational damage, and loss of customer trust. As data continues to flow across borders and platforms, it’s important to align your organization's PII policies with evolving data protection regulations.
How is PII stolen?
PII can be compromised in different ways, and with just a few pieces of personal information, malicious actors can do great harm. Some of the many possible scenarios include creating false accounts in your name, racking up debt, falsifying a passport in your name, and stealing and selling your identity.
With business increasingly happening online, digital files can be easily hacked and accessed by cybercriminals. This is especially true if your cyber defenses are weak. Without robust protection and a PII protection policy in place, organizations and their customers are exposed to great risk.
One of the easiest ways for cybercriminals to try and get hold of PII is through email. With email as the primary means of communication, a lot can be at risk if you’re not securing your environment well enough.
How to protect personal identity information (PII)
Mimecast's SaaS-based subscription service addresses all the challenges that financial services organizations face when protecting PII and other sensitive information contained in email. Leveraging a true cloud architecture, Mimecast solutions help to reduce the cost and complexity of protecting email while dramatically improving performance and enhancing security posture and compliance.
Mimecast solutions for protecting PII help:
- Protect against email-borne security threats. Mimecast not only stops spam and viruses but also mitigates spear-phishing, impersonation attacks, ransomware, man-in-the-browser attacks and other sophisticated attacks.
- Improve email resiliency with 100% uptime. Mimecast Mailbox Continuity provides uninterrupted access to live and historic email and attachments – even during outages and attacks – using everyday tools like Outlook for Windows, mobile applications and the web.
- Simplify archiving and compliance. The Mimecast Cloud Archive serves as a central off-site repository for email, files and IM conversations, providing users with lightning-fast search capabilities and administrators with tools to simplify email retention policies, e-discovery and legal hold. Mimecast also makes it easier to manage PCI-DSS and FINRA compliance as well as SEC email retention requirements.
- Empower users. Mimecast gives your users tools for self-service security, archiving and continuity as well as capabilities for sending messages and sharing large files securely.
Protecting PII with Mimecast
Protecting PII (personally identifiable information) in email communications is a critical part of financial services compliance. Email has become the primary means of communication with colleagues, customers, vendors, and partners. As such, organizations in financial services are obligated to implement secure and effective solutions for protecting PII.
This requirement is made more urgent by the fact that email is the #1 attack vector for hackers seeking to steal PII and other sensitive information. Financial services companies are vulnerable to a wide variety of sophisticated email-borne attacks. These can dupe users and fool even the most discriminating employees. The job of protecting PII is made more complex by strict and evolving regulations, distributed workforces, and complex IT environments.
Mimecast can help. With an all-in-one approach to email security, archiving and continuity, Mimecast provides cloud-based services for protecting PII, email systems and users while simplifying management of business email.
Benefits of protecting PII with Mimecast
With Mimecast, you can:
- Quickly roll out and scale solutions for protecting PII while reducing operational and capital costs, thanks to Mimecast's 100% cloud SaaS solution.
- Improve security and resilience for Microsoft Office 365, Microsoft Exchange and Google G Suite.
- Simplify email management with a single console for setting policies, reporting, troubleshooting and managing email security, archiving and continuity.
Learn more about protecting PII with Mimecast, and about Mimecast healthcare compliance solutions.
Protecting PII FAQs
Who is responsible for PII protection?
Both individuals and organizations are responsible for protecting personally identifiable information.
Individuals must be careful when sharing their personal information, and must make sure to follow cyber hygiene best practices.
On the other hand, organizations dealing with PII must implement strong security measures, establish data protection policies, and comply with relevant (local) regulations. Additionally, providing regular security awareness training to employees raises their awareness of cybersecurity threats and educates them to stay vigilant in the digital space.
What are some of the common risks while dealing with PII data?
Dealing with PII carries significant risk, as it involves handling individuals’ sensitive information.
What is PII compliance?
PII compliance refers to complying with the data protection laws and regulations that govern how PII is handled, stored and used.