PII, or personally identifiable information, is data that can be used to identify or track a specific individual. It includes identity details, location data, and contact information, which is why PII must be kept private to keep your identity safe. According to a report by an UpGuard analyst, in 2021 Microsoft Power Apps suffered a data breach that exposed 38 million records containing personally identifiable information (PII). It happened because the Open Data Protocol (OData) API used by the organization's Power Apps portal contained an anonymously accessible list of data.
Today there are many ways to record, track, and use your personal data. Fingerprints and facial scans can unlock devices, which makes it even more important to protect identity details and other information that is unique to a person. Securing PII ensures that the integrity of your identity remains intact; otherwise, with just a few pieces of personal information, bad actors can open false accounts in your name.
PII is of two types: Sensitive and Non-Sensitive.
The following items are considered PII, because they can identify a human being:
Protecting PII is a legal responsibility, and ultimately it rests with the company that controls the PII.
The European Union's GDPR went into effect in 2016. It imposed strict rules on companies doing business in the EU or with EU citizens and required them to take precautions to protect personal data from hackers.
The list of data that the GDPR protects includes:
Some privacy legislation makes it mandatory for a company to designate specific individuals with responsibilities regarding PII. HIPAA, for example, requires that companies appoint a privacy officer to develop and implement privacy policies.
A “Data Privacy Framework” is a conceptual structure that assists businesses in protecting their sensitive data. The framework addresses three main things.
Some established data privacy frameworks are:
However, you can also create a framework to suit your company's specific needs.
Below are some PII security controls that can be used to safeguard PII:
Keeping track of changes to the IT infrastructure, such as adding or removing user accounts.
Monitoring incoming and outgoing data to spot any potential data breach.
Ensure a Privacy Impact Assessment (PIA) is performed for each type or classification of PII, so you know how it is collected, where it is stored, how it is disposed of, and the security risks associated with each type.
Ensure only the minimum required information is sent, so that a level of privacy is maintained even if a security breach takes place.
Logging and monitoring all privileged access to files and databases, new users and new permission groups, and blocking and notifying when any suspicious activity is detected.
Audit all access to sensitive data, and send out notifications on detecting any suspicious or anomalous activity.
Keeping a log of all PII incidents and related information for a minimum of 1-7 years, for legal or compliance purposes and to enable forensic investigation of any security incident.
Removing unwanted, unused or misused user accounts, including accounts that have not been used for several months.
Tracking user activity on official hardware to detect any leak of sensitive data.
Releasing information only to the right group of users, and only the minimum required, to maintain data privacy and security.
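The data-minimization and access-auditing controls above, combined in one small added example (not QASource's code). The field classification, the role entitlements, the sample record and the access log are all constructed for illustration.

```python
from collections import Counter

# Constructed classification (assumption): which fields count as sensitive PII.
SENSITIVE = {"ssn", "dob", "home_address", "biometric_id"}
NON_SENSITIVE = {"name", "email", "city"}

# Constructed least-privilege policy: the fields each role legitimately needs.
ROLE_FIELDS = {
    "support": {"name", "email"},
    "billing": {"name", "email", "home_address"},
    "compliance": SENSITIVE | NON_SENSITIVE,
}

def minimize(record, role):
    """Keep only the fields the role needs, so an outbound payload carries
    as little PII as possible even if it is later exposed."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}

def audit_access(events, burst_threshold=3):
    """Flag field accesses outside the role's entitlement, and users who read
    sensitive fields more than burst_threshold times in the reviewed window."""
    alerts, sensitive_hits = [], Counter()
    for ev in events:
        user, role, field = ev["user"], ev["role"], ev["field"]
        if field in SENSITIVE:
            sensitive_hits[user] += 1
        if field not in ROLE_FIELDS.get(role, set()):
            alerts.append(f"{ev['ts']} {user} ({role}) accessed {field} outside entitlement")
    for user, n in sensitive_hits.items():
        if n > burst_threshold:
            alerts.append(f"{user} accessed sensitive fields {n} times (threshold {burst_threshold})")
    return alerts

# Constructed sample record and access log (not real data).
RECORD = {"name": "Jane Doe", "email": "jane@example.com", "city": "Austin",
          "ssn": "000-00-0000", "dob": "1990-01-01", "home_address": "1 Example St"}
EVENTS = [
    {"ts": "2021-08-24T10:00:00Z", "user": "alice", "role": "support", "field": "email"},
    {"ts": "2021-08-24T10:00:05Z", "user": "alice", "role": "support", "field": "ssn"},
    {"ts": "2021-08-24T10:01:00Z", "user": "bob", "role": "compliance", "field": "ssn"},
    {"ts": "2021-08-24T10:01:01Z", "user": "bob", "role": "compliance", "field": "dob"},
    {"ts": "2021-08-24T10:01:02Z", "user": "bob", "role": "compliance", "field": "home_address"},
    {"ts": "2021-08-24T10:01:03Z", "user": "bob", "role": "compliance", "field": "biometric_id"},
]

if __name__ == "__main__":
    print(minimize(RECORD, "support"))
    for alert in audit_access(EVENTS):
        print("ALERT:", alert)
```

The support payload loses every sensitive field, and the audit flags both the out-of-role read of `ssn` and the burst of sensitive reads by the compliance user, which is the kind of anomaly the logging control above is meant to surface.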
The following are the types of data exposed in PII breaches:
According to the research, PII is the most targeted data for breaches, comprising 97% of all breaches.
Loss of PII can harm an individual through identity theft or other fraudulent use of the information; however, PII security breaches can be prevented by implementing the PII security controls above. PII security is an extremely critical aspect of any application and needs to be implemented and tested carefully. At QASource we help reduce the number of PII data security breaches by embracing security for PII so that issues can be addressed preemptively. To know more, contact QASource experts now.
We would love to hear your feedback, questions, comments and suggestions. They will help us make this content better and more useful next time.
Share your thoughts and ideas at knowledgecenter@qasource.com