A technical explainer on PII protection

Reports of data breaches in the news are seemingly endless, as enterprises consistently fall short in protecting personally identifiable information (PII).

It’s difficult to pinpoint the exact root cause for this lack of protection; some businesses don’t store data correctly, while others lack the proper measures and processes. When you add third-party data sharing into the equation, the complexities of data protection increase exponentially.

The importance of protecting PII transcends the financial implications, as the consequences of a breach include reputational damage and loss of customer confidence. 

With an ever-changing threat landscape and an uncertain economy, the modern enterprise must do everything possible to protect PII better. 

The compliance challenge

Enterprises manage millions of documents and dozens of databases every day. While access to such vast amounts of data can be hugely beneficial from an operational standpoint, managing so much PII and other sensitive data is very difficult because that data is often hard to find and protect. Breaches may take months to discover, while compliance demands are getting harder and harder to meet. 

With privacy regulations like Europe’s General Data Protection Rules (GDPR) and California’s Consumer Privacy Act (CCPA), businesses collecting data about anyone – from customers and patients to employees and website visitors – have new mandates for data transparency and protection, regardless of when it was collected or how it is being used. 

What’s more, the price of non-compliance can be high. According to Globalscape’s True Cost of Compliance study, the average total cost of non-compliance organizations exceeds $14 million US due to a single non-compliance event. The cost of non-compliance can include fines, penalties, and other fees, loss of revenue and productivity, business disruption, and reputational damage.

The good news: according to a 2022 Ponemon Cost of Data Breach report, deploying AI security and automation tools reduces the cost of a data breach by US $3.05M.

Making sense of modern data protection tools

Much like other cybersecurity solutions, not all PII discovery tools are equal. Some offer critical services that specifically benefit small organizations, while others target the enterprise with an extensive list of features that include data discovery, classification and remediation. A grasp of the amount of PII you collect, the number of customers you have and how much access is granted to third parties will provide a good baseline for the type of solution to meet your requirements.

Solutions and tools that focus on protecting business-critical information can leverage data security governance to help organizations discover, mitigate and protect PII data from risk. 

Those solutions must clearly address the key questions surrounding data risk:

• Where sensitive data resides
• Whether it is being shared only with authorized parities
• Whether it has been shared or accessed appropriately

Ultimately, organizations need fast, accurate and efficient discovery of risk and protection of PII data as well as the ability to efficiently respond to data subject access requests, breach notifications and deletion requests.

6 strategies for protecting PII 

Deploying a security solution that can identify, classify and remediate PII issues is a great way to mitigate risk. There are several protection strategies that the enterprise can deploy, and many tools that offer PII protection will incorporate some or all of the following:

1. Identification 

Perhaps the most critical step in safeguarding PII is the ability to identify what PII you collect, where it is stored, and if it’s stored correctly.
 

2. Are Compliance Regulations Followed? 

Depending on the industry, an organization can have specific compliance laws and regulations that govern the collection, storing, handling and transmitting of PII. Regulations may also be specific to an organization’s customers’ data or location. 

Here are some of the common regulations: 

• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accountability Act (HIPAA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Payment Card Industry Data Security Standard (PCI DSS)

3. PII Risk Assessment

Identifying vulnerabilities or weaknesses in a security strategy is critical. Organizations must:

• Ensure they understand what it means for regulatory compliance.
• Identify the reputational, operational and security risks for unregulated PII
• Know their threat sources
• Have robust risk management strategies

4. Deletion of Unnecessary PII

Organizations probably store more PII than is necessary for business. This data might be outdated customer or employee data or PII residing on unused devices.

5. PII Classification

Classifying PII data may be the unsung hero in protecting PII, as the type of data and the lengths required to protect it can vary significantly. For example, credit card data is much more sensitive than email lists. Classifying data by its impact on privacy and security cannot be overlooked. 

6. Security Program and Policy Review 

An organizational review of security programs, processes and tools should be undertaken as frequently as possible. Plus, policies may need to be updated to reflect the changes to data privacy laws. Trusted frameworks like NIST, SOC 2 (System Organizational Controls) or CIS Controls are a good starting point for best-practice security controls.

How Concentric helps protect PII

Comprehensive PII data discovery and categorization

The Concentric Semantic Intelligence solution uses sophisticated machine learning technologies to autonomously scan and categorize data —  from financial data to PII/PHI/PCI to intellectual property to business confidential information – wherever it is stored. Our Risk Distance analysis autonomously identifies PII, learns how it’s used, and determines whether it’s at risk. Know where your PII data is across unstructured or structured data repositories, email/ messaging applications, cloud or on-premises – all with semantic context.

Autonomous risk monitoring

For any organization, the ability to continuously monitor data for risk is not only difficult but time-consuming for IT and security teams. Writing complex rules and deploying policies on-the-fly will no longer suffice. With Concentric, you can autonomously discover how PII/customer data is being used, who it is being shared with, and who accessed it — to quickly and accurately pinpoint risk from inappropriate permissioning, risky sharing, and unauthorized access. 

Meet regulatory mandates and avoid customer data loss

Breach notification, right-to-know and right-to-be forgotten requests are becoming more commonplace for many industries, and organizations must be diligent about protecting all the confidential data they store. Concentric helps you meet regulatory and security mandates, demonstrate control to auditors and implement zero–trust access practices. Plus, our solution’s easy, autonomous remediation fixes access issues and reduces odds of data loss or governance violation.  

Try Concentric with your own data 

Concentric’s powerful deep learning technology improves data access and activity governance by giving you an unparalleled contextual understanding of your structured and unstructured data. With Concentric, you’ll identify business–critical data, understand how it’s used and identify risk. We can help you meet access and activity governance regulations, demonstrate control to auditors and implement zero–trust access practices – all without complex rules, regex, or relying on end-users. 

As a SaaS solution, it’s easy to give us a try using your own data. Concentric is agentless and easy to deploy — sign up in 10 minutes and see value in days.