Rather than money, it seems that it is, in fact, data that makes the world go round. A key resource, personal data provides the cornerstone of our digital businesses, and we know that we must protect it to remain compliant with data privacy laws.
EU and UK GDPR lead the rest of the world when it comes to comprehensive data protection standards, holding organisations completely accountable for any Personal Identifiable Information (PII) they process and store. GDPR does not prescribe specific data privacy controls; it is up to each company to assess the risk and define appropriate controls.
Managing vast and ever-increasing quantities of data can seem a daunting task for any CISO. Yet, it’s vital that our data-centric organisations demonstrate a full understanding of PII, its value and crucially, how to keep it safe.
What is Personal Identifiable Information (PII)?
What is PII? GDPR’s definition is deliberately broad, because what identifies a person varies case by case. Personal Identifiable Information includes any information that can identify a specific individual.
Whilst the more obvious examples of a name, address or credit card details tend to spring to mind, this might also include direct identifiers – a passport, driving licence or NI number. But as well as increasing in quantity, our PII data is also evolving. Biometric scanning is recorded and used daily, and not necessarily to unlock the door to a top-secret facility; our fingerprints and facial recognition are used to unlock our smartphones every day.
A quasi-identifier is a piece of information that means little on its own: ethnicity, education or employment history, even your date of birth. Combined with other data, it can lead to successful recognition of an individual, and at that point it becomes PII. It’s unlikely, for example, that someone else in your postcode shares both your birthday and your mother’s maiden name.
Non-sensitive personal information wouldn’t cause harm to an individual if disclosed; public records, or details on a corporate website or a social account, are widely available. Sensitive information could cause harm, and as a result it carries contractual, legal or ethical constraints on disclosure.
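The quasi-identifier effect described above can be measured before a data set is shared: the k-anonymity of a release is the size of the smallest group of records that share the same quasi-identifier values, and k = 1 means someone is singled out. The following is an added example, not code from the original article or from tier1; the records and postcodes are constructed and fictional, and the generalisation rules (outward postcode, year of birth) are illustrative choices.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (fictional people, fictional postcodes): no single
# column picks anyone out, but combinations of columns do.
RECORDS = [
    {"postcode": "M1 1AA", "dob": "1984-03-12", "maiden": "SMITH"},
    {"postcode": "M1 2BB", "dob": "1984-11-30", "maiden": "SMITH"},
    {"postcode": "M1 1AA", "dob": "1990-07-01", "maiden": "JONES"},
    {"postcode": "M1 2BB", "dob": "1990-02-14", "maiden": "JONES"},
    {"postcode": "CM9 4AB", "dob": "1984-03-12", "maiden": "SMITH"},
    {"postcode": "CM9 5CD", "dob": "1984-11-30", "maiden": "SMITH"},
    {"postcode": "CM9 4AB", "dob": "1990-07-01", "maiden": "JONES"},
    {"postcode": "CM9 5CD", "dob": "1990-02-14", "maiden": "JONES"},
]

def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """k = size of the smallest group; k == 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, quasi_ids).values())

def unique_records(records, quasi_ids):
    """How many records are singled out (group size 1) by this combination of fields."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)

def risky_combinations(records, fields, k_min=2):
    """Every subset of fields whose k falls below k_min, i.e. what a release must not expose."""
    return [(combo, k_anonymity(records, combo))
            for n in range(1, len(fields) + 1)
            for combo in combinations(fields, n)
            if k_anonymity(records, combo) < k_min]

def generalise(record):
    """Coarsen the quasi-identifiers: outward postcode only, year of birth only."""
    return {"postcode": record["postcode"].split()[0],
            "dob": record["dob"][:4],
            "maiden": record["maiden"]}

if __name__ == "__main__":
    fields = ("postcode", "dob", "maiden")
    for combo, k in risky_combinations(RECORDS, fields):
        print(f"{'+'.join(combo):24} k={k} uniques={unique_records(RECORDS, combo)}")
    coarse = [generalise(r) for r in RECORDS]
    print("after generalisation: k =", k_anonymity(coarse, fields),
          "risky combinations:", risky_combinations(coarse, fields))
```

Each field alone has k of at least 2 in this sample, yet postcode plus date of birth singles out every record; after generalisation the same three fields give k = 2, which is the kind of check a data audit can run before PII leaves the organisation.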
What is PHI?
One of the most sensitive data files is a Protected Health Information record (PHI, or ePHI in electronic form), as it contains a plethora of useful, and therefore valuable, information: a hospital patient number, test results, next of kin details and, when it comes to private healthcare, payment details.
The healthcare sector is one of the most frequent cyber-crime targets due to its limited budgets and legacy IT equipment. According to Cyber Talk, in 2021, over 93% of healthcare institutions reported a data breach in the past few years; the extreme life-or-death situation brought about by the pandemic created the perfect opportunity for cyber-attackers.
Why is our personal data valuable?
Our data is valued against key metrics including its accuracy, legitimacy and how it can be used. One record containing multiple pieces of information, like an ePHI, will command a higher value on the dark web.
General information is only worth a fraction of a US cent, and the average person’s data might only make a dollar. Whilst email accounts can be used to create fake profiles, 500,000 addresses might only be worth $10. ^ So, in that case, why is data so lucrative?
We conduct a huge proportion of our lives online; we even share offline activity on social media. Consequently, we’re increasing our data’s value and the hacker’s chances of success. Often only a little information is needed to create false accounts, false identities, file fraudulent claims or deploy ransomware.
The credit experts, ClearScore, recently launched an interesting but your PII’s value is not necessarily as you’d think. +
In 2022, credit card details with CVV numbers sold for an average of £25, + a hacked social media account sold for £21 and your Netflix or Spotify password could fetch £8.
We have so many online accounts now that it feels almost impossible to come up with, let alone remember, a vast number of passwords – so we don’t. A staggering number of people still reuse passwords. Recent research from First Contact reported that 51% of people use the same passwords for personal and work accounts – so that Netflix password can open a treasure trove of highly profitable data for attackers.
Other kinds of data can also be fruitful: major life milestones such as moving home, getting married and having a child all influence shopping behaviour, and those insights are highly sought after by those looking to market related products. Even your dating profile could fetch £6 on the dark web. + The more information we provide about ourselves, the more easily we can be identified as an individual, and as a person.
How to keep your customer data secure.
When it comes to keeping your business data secure, some of the simplest, cost-efficient best practices are some of the most effective.
What business-critical data does your organisation really need to provide an effective service or meet its contractual obligations? Your business has likely evolved, so your data collection needs will have changed too: are you collecting more PII than you need?
Limiting the amount of PII you hold reduces risk and brings additional benefits: shorter processing time and lower data storage costs. Keep data governance in mind, though; any information marked for deletion should undergo secure data erasure to ensure that you have met the GDPR data destruction requirements.
By encrypting sensitive documents, whether stored in the cloud or on internal servers, you place a technical access barrier in the way: anyone who obtains the files without the keys cannot read them, which substantially reduces the risk of data exposure.
Apply multi-factor authentication to systems that house personal identifiable data. Going further, the continual user-access checks of the zero-trust model treat everyone attempting to access the network with the utmost suspicion, verifying each request rather than trusting a user because they are already inside the perimeter; this helps prevent lateral movement by an unauthorised user. As hybrid working practices have evolved, zero trust secures the entire network, wherever people access it from.
IT asset disposal policy.
In the same way that you would send a sensitive printed file to a professional shredding service, data destruction services guarantee the secure erasure of any PII hidden on your data-rich, redundant IT equipment. IT asset disposition (ITAD) services provide additional peace of mind when it comes to your legal responsibilities, as they provide a chain of custody. Each individual asset receives its own IT asset disposal certificate. Unfortunately, one of the biggest ITAD mistakes is relying on a factory reset to delete sensitive data: on many devices a reset only removes the references to the data rather than overwriting the data itself, so it can often still be recovered.
If you currently outsource ITAD, you’ll know that today’s leading IT asset disposition companies take a circular approach, only recycling devices when they really have reached the end of their life. Whether you are looking to upgrade, redeploy or sell your asset for recommerce, an ITAD supplier during the . This approach not only limits e-waste, which is good for the environment, but also maximises your ROI for the device itself. Whether you sell redundant IT assets or recycle them, your ITAD partner will provide a residual payment for them.
As our increasing reliance on digital, online services shows no signs of slowing, we provide more and more valuable information, along with greater financial rewards for persistent cyber-criminals.
PII collection, processing and storage are ever-changing, which highlights the importance of reviewing your internal privacy policies annually. This provides an accurate, granular view of the entire data lifecycle.
A data audit will revisit what business-critical PII is actually needed, reducing your company’s level of risk. Multi-factor authentication and technical barriers such as encryption, or the adoption of the zero-trust approach, will prevent access by unauthorised actors and also stop lateral movement through your network. Finally, when it comes to your data-rich, redundant IT assets, ITAD best practice will guarantee that your organisation remains fully compliant with GDPR legislation. However, whilst this legal obligation is vital, our businesses also have a moral obligation to protect the Personal Identifiable Information that our customers have trusted us to keep safe and secure.
Sources: ^ Invisibly, + ClearScore, * Pensar.
tier1 Asset Management provides comprehensive IT asset disposal services throughout your data lifecycle, guaranteeing both your GDPR data disposal compliance and improved protection of your customer’s PII.
Our circular, environmentally friendly ITAD approach also ensures that you maximise the lifetime value of your assets, meet your responsibilities under the EU’s WEEE directive and protect company data in a sustainable manner.
To find out more about our on-site data centre decommissioning, free IT asset disposal and secure data wiping services – contact us on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com/contactus
The Information Commissioners Office, Forbes, The Financial Times, Tech Target, Privitar, CSO Online, Spirion, Help Net Security, True Vault, Hornet Security, LinkedIn, Data Prot, Security Magazine, The Daily Record, ClearScore.