Personally Identifiable Information (PII) is any information about an individual that is maintained by an agency (your business). This could be information about your employees, customers, partners, or anyone else whose information is retained by your business.
The National Institute of Standards and Technology (NIST) outlines some examples of what that information could include:
Any information that can be used to distinguish or trace an individual's identity, such as name, SSN, date/place of birth, mother's maiden name, or biometric records; and
Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
By now, you are probably realizing that your business deals with PII, even if you haven't formally called it that yet. Simply by having information about your employees (including your own personal records!), you have access to PII and need to implement protective measures to keep it safe from unauthorized access.
Why is it important to know if you handle PII?
Reading the examples of PII above, it should become clear that the types of information that fall under PII include items that could severely harm individuals if they were not protected adequately. With even just a few pieces of information, a criminal could masquerade as that person and open bank accounts, access online accounts, and ruin credit.
Many small business owners feel that they are too small a fish to be a target for hackers. NIST begs to differ. According to their Small Business Information Security Fundamentals publication, many small businesses are attractive targets for hackers precisely BECAUSE they are small and lack the budget to implement extensive security controls (page 4).
What to do to safeguard it.
It is important for small business owners to take a proactive approach to identifying what PII they have access to, and where it is stored within their company. The following steps will help you to begin the process of protecting this sensitive information, and can be extended to protecting other types of sensitive information within the company.
Write down all sources where PII could originate from. This could be employee records, customer profiles on your website, etc.
Draw out the data flow of this information. Where does it go within your company after you obtain it?
Determine what security controls are in place to protect this information currently. This could include network firewalls, data encryption, locked server rooms, auditing on who accesses sensitive office and network locations, etc.
Decide whether the controls you have in place are adequate to protect the data you have. Ultimately, there is no hard and fast rule about what controls are adequate. You must decide what level of risk you are comfortable with. However, you will likely face enormous reputational damage if you suffer a breach of PII, so think carefully about the cost versus benefit of implementing more controls.
Consider having an independent third party perform security testing to determine your vulnerable attack surfaces. This could be testing your website security, social engineering testing against your employees, or attempting more aggressive physical security testing (breaking in).