Question

Why should companies have strong policies in place to protect personally identifying information?

Solutions

Expert Solution

Personally identifiable information (PII) is an attractive target for hackers and cyber thieves as it is easy to steal and it is easy to sell.

Hence, protecting PII is a challenge for individuals and businesses. As individuals, we alone are to blame if we expose our own information to risk, but organisations have a far greater liability. Every organisation is built on people and processes, and ultimately it is responsible for the actions of its staff and the effectiveness of the processes that define how PII is protected.

Reasons for loss of PII

A great deal of PII loss is the result of stolen or lost equipment, hard drives or documents. Repeated errors – such as sending information to the wrong recipients due to incorrect fax numbers or email addresses – are common reasons. Other major causes of human error include misplacement of files, documents or mobile devices.

Online data breaches and cyber attacks were also among the common reasons for PII loss identified by the report. Significantly, they were the most costly type of data breach in terms of monetary penalties.

The consequences of PII theft

Organisations that don’t protect the personally identifiable information of their employees, members or customers put themselves at risk of incurring a significant financial cost and reputational damage in the event of a data breach.

How to protect PII

  • Know where your personally identifiable information (PII) is stored – if you do not know where the information to be protected is located, then it is impossible to provide adequate protection.
  • Know who sees your data – a key control for protecting the privacy of data is access control, ensuring that only those who have a business need to access the data have the relevant rights.
  • Create policies for handling data – set rules regarding access to the data, how the data is received, stored and transmitted, what information can be sent within the organisation and what can be passed along to third parties.
  • Educate users – ensure everyone handling PII is aware of the risks and their responsibilities under the DPA. A DPA staff awareness course will help communicate key messages to staff and test their knowledge.
  • Carry out full encryption of desktop and mobile devices – USB sticks, laptops, tablets and mobile phones are major contributors to data loss. Make sure they are encrypted and that you have an appropriate BYOD policy in place.
