Whether at work, at home, or on the go, we’re beholden to a lifecycle of data that is often the top target of cybercriminals. Protecting that data isn’t a highly technical process, but rather one that requires common sense and a strong commitment to privacy in every aspect of our lives!
What is PII?
Personally Identifiable Information (PII) includes any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
What are examples of PII?
PII constitutes a combination of an individual’s first name or first initial and last name with any one or more types of linkable information. Examples include, but are not limited to:
- Name: maiden name, mother’s maiden name, or alias
- Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
- Personal address information: street address, or email address
- Personal telephone numbers
- Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
- Biometric data: retina scans, voice signatures, or facial geometry
- Information identifying personally owned property: vehicle identification number (VIN) or title number
- Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
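Several of the categories above have a recognizable shape (SSN, payment card number, email address, IP address), which is what a data-loss-prevention check keys on when scanning outgoing text. The following is an added example, not part of the original article: a small scanner that flags those formats, drops card-number candidates that fail the Luhn checksum, and redacts what remains. The patterns and the sample text are constructed for illustration.

```python
import re

# Constructed patterns for the PII formats named in the list above.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

# Constructed sample record; none of these values belong to a real person.
SAMPLE = ("Ticket from jane.doe@example.com: SSN 123-45-6789, "
          "card 4111 1111 1111 1111, submitted from 203.0.113.7")


def luhn_ok(number: str) -> bool:
    """Mod-10 check used by payment cards; filters random 13-16 digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs for every PII match in text."""
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "credit_card" and not luhn_ok(value):
                continue        # digit run that is not a plausible card number
            hits.append((category, value))
    return hits


def redact(text: str) -> str:
    """Replace each detected value with its category tag, e.g. [SSN]."""
    for category, value in find_pii(text):
        text = text.replace(value, f"[{category.upper()}]")
    return text


if __name__ == "__main__":
    for category, value in find_pii(SAMPLE):
        print(f"{category:12s} {value}")
    print(redact(SAMPLE))
```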
What are examples of non-PII?
The following examples on their own do not constitute PII, as more than one person could share these traits. However, when linked or linkable to one of the above examples, they could still be used to identify a specific person and should be treated as sensitive information:
- Date of birth
- Place of birth
- Business telephone number
- Business mailing or email address
- Geographical indicators
- Employment information
- Medical information
- Education information
- Financial information
Why is PII so important?
On a personal level, our PII is necessary to acquire some goods and services, such as medical care and utilities. But in the wrong hands, PII leads to identity theft and other forms of fraud. On a professional level, we may store PII of customers, clients, vendors, contractors, employees, and partners. If left unprotected, our organization could face steep fines and our reputation could be severely damaged.
How do you protect PII at work?
Protecting PII begins and ends with following our organization’s security policies, which were created to ensure that the data we handle remains private. Treat all requests for sensitive info with a high degree of scrutiny, stay alert, think before you click, and if you have any questions, please ask!
How do you protect PII at home?
We encourage you to develop a home security policy similar to the one we use here at work. Such a policy stipulates common sense practices such as not clicking on random links and attachments, guarding personal info online and in real life, destroying sensitive documents beyond recognition, and setting social media profiles to fully private.
As with every organization, job functions vary by department, but we all share a common responsibility of protecting the private data of our clients, customers, partners, and co-workers.
What are some actions we can take to keep this data safe?
Reduce information sharing. Limit the amount of personal info you make public. Set your social media profiles to fully private and thoroughly vet all friend requests.
Remain skeptical. Government and tax entities will never email you requests for payments. Cybercriminals also use compromised or spoofed email accounts of executives to send requests for money or sensitive data to other employees. Treat all requests for sensitive info or money with a high degree of skepticism. If there is any question of legitimacy, use the Phish Alert button to report the suspicious email.
Respond with care. If you receive a notification that an account has been compromised (e.g., credit card, bank account, email account), never trust the contact information in the notification. Instead, call the number on your card, visit the website directly, or look the number up from a known good source. In addition, never click on unsolicited links that arrive via email or text message.
Proper disposal. When recycling personal smart devices, take proper care to ensure the data on the device is no longer recoverable. This can be done by clearing (overwriting), purging (magnetic erasure), or physical destruction. All EDFR-owned devices must be returned to the Service Desk for disposal. All sensitive documents should be shredded before discarding.
Encrypt the crown jewels. Encryption is well known by security pros for preventing data loss. Encryption protects businesses and individuals from having their sensitive data accessed by cybercriminals. Your data has a lifecycle – in use, at rest, and in motion. It should be encrypted across all these stages because data can be intercepted by threat actors at any stage. Use of a VPN, only visiting secure websites (“HTTPS”), and encrypting disk drives are all methods to accomplish this.
Install all updates. Software distributors and device manufacturers release hundreds of patches every month to remediate serious vulnerabilities. Threat actors pay attention to these releases and immediately go to work figuring out ways to exploit the flaws they fix. Skipping patches or updates because of possible breaks or glitches is not a good tactic; it opens you up to risk of compromise and loss of sensitive data.
Avoidable mistakes made by individuals and non-technical attacks are the common theme in most breaches. We remind you of this simply to highlight the role you play as a human firewall. Alert and vigilant employees are key in helping to prevent data breaches!