The majority of businesses and organizations hold some form of personally identifiable information (PII) about their customers, clients, and employees. PII is information that, alone or combined with other data, can identify an individual. It is commonly divided into two classes. Non-sensitive PII can be obtained from public sources; examples include your place of birth or zip code. Such items rarely cause harm on their own, but combined with each other they can still single out one person.
Sensitive PII covers data whose exposure could harm the identified individual: Social Security numbers, financial transactions, credit information, and medical records. Sensitive PII must therefore be protected from misuse and unauthorized access, and governments and other regulatory agencies have enacted multiple standards intended to keep it safe.
The Illicit Value of Stolen Sensitive PII
Many criminal actors welcome the chance to access the PII that resides in your company's databases. Their goal is often not to use the stolen data directly but to sell it on the Dark Web to other criminals. The stolen information has a market value that depends on the type of data; the figures below are indicative only, since prices rise and fall with supply and demand:
- Credit or debit card details can sell for over $100.
- Login credentials for an online payment service such as PayPal can net up to $200.
- Passport data can be worth up to $2,000 when sold on the Dark Web.
- Medical records vary in value depending on whether a single record or a complete database is compromised; they can fetch up to $1,000.
- Social Security numbers sell for around $1 each.
The purchase price of stolen data is dwarfed by the harm it can cause the affected individuals: far more than one dollar's worth of damage can be done with a misused Social Security number.
The Cost of Compromised PII
The costs to individuals and organizations whose sensitive PII is compromised can be substantial. Individuals can be harmed in many ways, such as having their information used to open accounts that then damage their credit scores. Beyond the immediate financial repercussions, there is the inevitable cleanup required to mitigate the damage: changing passwords, creating new accounts, and monitoring for unauthorized access are time-consuming and add an unwelcome level of stress.
The financial implications for the organization that allowed the PII to be compromised can also be considerable. Healthcare-related data breaches are the most expensive, averaging about 65% more to mitigate than comparable incidents in other industries. In the United States, the average cost of a data breach to the affected company exceeds eight million dollars.
Regulatory agencies may impose additional financial penalties for non-compliance with data protection requirements. Regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) provide for fines that can severely affect an enterprise's bottom line. It is in everyone's interest to keep sensitive PII secure.
The Responsibility of Protecting Sensitive PII
Protecting sensitive personally identifiable information is a shared responsibility. It begins with individuals, who need to be aware of how and with whom they share their data. Sensitive data should only be transmitted over encrypted channels (an HTTPS connection, or a VPN when on an untrusted network) and never in plain e-mail or through unencrypted web forms. Keeping their sensitive information safe should be a primary concern of every individual.
Organizations that collect PII are responsible for its security. That means hardening the infrastructure to reduce the likelihood of intrusion, and also limiting who and what can reach the data itself: least-privilege access to the tables that hold it, encryption at rest and in transit, and logging of access to sensitive records. The compliance regulations that are becoming more prevalent exist to push companies to adopt better policies for protecting the PII they store. As is often the case in business, initiatives that affect an enterprise's financial well-being have a way of capturing attention and producing results.
Identifying Your Sensitive PII
Identifying all of the sensitive PII residing in your IT environment and databases is a significant challenge, and one that must be addressed: you cannot protect data you do not know you hold. The resulting inventory should directly influence how specific systems are secured and point the organization to the areas where work is needed to comply with privacy regulations.
IDERA’s ER/Studio Data Architect is a tool that enables you to identify and document your databases that contain PII. It provides the means by which you can find, track, and categorize where sensitive data is being stored. This knowledge enables management and the IT team to make informed decisions regarding strengthening their defenses against data breaches.
Using ER/Studio, an organization can reverse-engineer an existing environment to discover and tag the sensitive PII data elements it contains. Real-time reports can be generated to help address a data breach quickly and efficiently. If you are concerned about the possibility of unidentified PII in your databases, ER/Studio offers a comprehensive solution that helps keep that data safe and avoid the aftermath of a data breach.
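The discovery-and-tagging step described in this section can be illustrated with a small script. The following is an added example, not ER/Studio or any IDERA code: it builds an in-memory SQLite database from constructed sample rows, reverse-engineers the schema (table and column names), samples each column's values, and tags columns that look like Social Security numbers, payment card numbers or e-mail addresses. The column-name hints, the 50% match threshold and the table layout are assumptions chosen for the demonstration; the SSN structure rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial) and the Luhn checksum are the real ones.

```python
"""Added example: discover and tag sensitive PII columns in an existing database.

Illustrative code only (not ER/Studio). Column names often hide what a column
holds (a "tax_ref" column full of SSNs), so the scan combines name hints with
content sampling rather than trusting names alone.
"""
import re
import sqlite3
from typing import Optional

# Assumed column-name hints (case-insensitive substrings), not a standard.
NAME_HINTS = {
    "ssn": ("ssn", "social_security"),
    "card_number": ("card_number", "cardnum", "card_no"),
    "email": ("email",),
}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(value: str) -> bool:
    """Structural SSN check: 3-2-4 digits; area not 000/666/900-999; group != 00; serial != 0000."""
    if not SSN_RE.match(value):
        return False
    digits = value.replace("-", "")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def classify_value(value) -> Optional[str]:
    """Return the sensitive-data category a single cell value resembles, or None."""
    if value is None:
        return None
    s = str(value).strip()
    if valid_ssn(s):
        return "ssn"
    compact = s.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "card_number"
    if EMAIL_RE.match(s):
        return "email"
    return None


def scan_database(conn: sqlite3.Connection, sample_rows: int = 100, threshold: float = 0.5) -> dict:
    """Reverse-engineer the schema and tag columns that look like sensitive PII.

    Returns {"table.column": {"category", "by_name", "match_ratio"}}. A column is
    tagged when its name matches a hint, or when at least `threshold` of its sampled
    non-null values fall into one category. Only counts are kept, never the values.
    """
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            by_name = next((cat for cat, hints in NAME_HINTS.items()
                            if any(h in col.lower() for h in hints)), None)
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,)).fetchall()
            counts = {}
            for (v,) in rows:
                cat = classify_value(v)
                if cat:
                    counts[cat] = counts.get(cat, 0) + 1
            best_cat, best_n = max(counts.items(), key=lambda kv: kv[1], default=(None, 0))
            ratio = best_n / len(rows) if rows else 0.0
            if by_name or ratio >= threshold:
                findings[f"{table}.{col}"] = {"category": best_cat or by_name,
                                              "by_name": by_name is not None,
                                              "match_ratio": round(ratio, 2)}
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; column names deliberately do not all reveal their contents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, full_name TEXT, contact TEXT, tax_ref TEXT);
        CREATE TABLE payments (id INTEGER, acct TEXT, amount REAL);
        CREATE TABLE offices (id INTEGER, zip TEXT, city TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "Ana Lopez", "ana@example.com", "123-45-6789"),
        (2, "Ben Okoro", "ben@example.org", "456-78-9012"),
        (3, "Cy Wu", None, "210-33-0000")])          # serial 0000: not a valid SSN
    conn.executemany("INSERT INTO payments VALUES (?,?,?)", [
        (1, "4111 1111 1111 1111", 19.99),            # Luhn-valid test card number
        (2, "4012888888881881", 5.00),                # Luhn-valid test card number
        (3, "4111111111111112", 7.50)])               # fails Luhn: not a card number
    conn.executemany("INSERT INTO offices VALUES (?,?,?)",
                     [(1, "94105", "San Francisco"), (2, "10001", "New York")])
    return conn


if __name__ == "__main__":
    for column, info in sorted(scan_database(build_sample_db()).items()):
        print(f"{column:22s} {info['category']:12s} by_name={info['by_name']} ratio={info['match_ratio']}")
```

On the constructed data the scan tags customers.tax_ref as SSNs and payments.acct as card numbers purely from their contents, tags customers.contact as e-mail, and leaves offices.zip alone, matching the distinction between sensitive and non-sensitive PII made at the start of this article. Two practical cautions: run a scan like this with read-only database credentials, and report only column names and match counts, never the matched values, since the scanner's own output would otherwise become another copy of the sensitive data.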