Information Security: Personally Identifiable Information
Welcome to number three in our series of articles discussing Information Security. If you’re just joining, it may be helpful to familiarize yourself with the first two in the series: Information Security: An Introduction and Information Security: Malware Protection.
If you’ve been following the news lately, you’ve certainly seen (or been affected by) some recent breaches. Whether it was the TJ MAXX breach a couple years ago or the very recent Epsilon incident (which affected Hilton Honors as well as several credit card companies), breaches are becoming front page news. What actions need to be taken will depend on the type of information that was breached, or what was done to protect it.
Why do I need to be concerned?
The answer is simple – you deal with clients’ Personally Identifiable Information (or PII for short) every day. If you have a client’s name, address and phone number, that alone may not be considered PII. If you assign an account number to them (even your own randomly generated account number) the state of Texas now considers it to be PII. If you have client frequent flier numbers, along with name and address, it could also be considered PII. And more than likely you also have customer credit card numbers, passport numbers dates of birth in your files as well.
Understanding the risks associated with storing this information could mean the difference between your business surviving or not.
As an example, let’s assume that your customer records contain PII – because we know they do. If you copy that information to an unencrypted USB thumb drive and you lose it, you are required by various state laws to notify all of the customers whose information was on the drive that the data was lost. You could also be required to pay for a year of credit monitoring for each of your customers. Based on the latest information available, the cost for breach notification, credit monitoring all the associated cost is over $200 per record (e.g., per user who’s PII was potentially breached). So if you had just 100 customer records on that thumb drive, expect to pay over $20,000. Of small and medium size businesses that have suffered some type of data breach, 80% end up filing bankruptcy and/or going out of business as a result of the data breach.
But wait, it gets better. There are currently 43 different states with breach notification laws. Every one of those laws is different. And the laws that apply are the one where your client lives – not where your business is based. So what and how you’re required to disclose to clients who live in California will be different than what you need to do for Texas, Massachusetts and Florida. And it’s your responsibility as the custodian of these records to comply with every one of the laws.
How can I protect my business?
If the thumb drive in the above example had been encrypted, you wouldn’t be required to notify your customers. (We’ll talk about encryption in detail in the next article.) That’s because of something called Safe Harbor laws, which essentially means that if you’ve taken due-diligence to protect information and that information is lost, you are not liable for the consequences.
The same is true for customer data in paper files, on your computer, on an external hard drive, stored “in the cloud” or even on your cell phone. You need to ensure you protect your customers’ information regardless of where it’s stored.
- If it’s on paper, ensure that the file cabinet is locked. Is that filing cabinet in a locked office? Do you have an alarm system for the office (or your home)? These are all steps to help secure your clients’ sensitive data.
- If it’s on your computer, encrypt your client files, folders or the entire hard drive. The same applies to external storage drives.
- If you back-up your customer information in the cloud, make sure that either they take the necessary steps for compliance or that you only keep an encrypted backup copy there.
- For cell phones, at a minimum you need to have a PIN or password to lock the device. If your device allows for the encryption of data, turn it on.
The most important thing you need to remember is that you have been entrusted with information about your clients that is not publically known. Some of the information that you collect can easily be used to steal your client’s identity, or to make illicit charges to your clients’ credit cards. It can also be used to find out when your client is going to be on vacation so their home can be burglarized.
For now, think about what type of client information you have, why you have it and how you’re storing or protecting it. Next time we’ll discuss different ways of encrypting your information so that it stays protected.
John Schaefer is an information security expert with over 20 years of experience in Global 100 corporations. His experience includes application development, network operating systems, network hardware security architecture. He is the Chief Technology Officer for Eastvale Consulting Services, Inc.
Susan Schaefer is the owner of Ships ‘N’ Trips Travel (www.shipsntripstravel.com) located in Brentwood, Tennessee specializes in leisure travel with a focus on group travel and charity fundraisers. Through their division Kick Butt Vacations (www.kickbuttvaations.com) she focuses on travel for young adults under 35. Susan can be reached by email at firstname.lastname@example.org or by phone at (888) 221-1209).