[BreachExchange] The Importance of Protecting Personally Identifiable Information (PII)

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 6 19:24:47 EDT 2017


http://internetdo.com/internet/the-importance-of-protecting-personally-identifiable-information-pii.html

The effects of a data breach can be devastating to any company and can have
far-reaching consequences. Target estimated the cost of its credit card data
breach, after insurance reimbursement, at $105 million. In addition, 40 million
payment cards and 70 million other records, including customers' email
addresses and phone numbers, were stolen. The breach was severe enough that
the CEO resigned.

The Ponemon Institute released a report in September 2014 indicating that
43% of companies had experienced a data breach in the past year, an
increase of 10% over the prior year. It's not a matter of if your company
will be attacked, but when. According to the report, the magnitude of the
breaches is increasing and more than 80% of the breaches were caused by
employee negligence.

I do believe that we will see a flood of lawsuits pertaining to PHI data
breaches and with the stringent HIPAA laws in place, medical practices and
the associated industry can expect to pay exorbitant penalties.

Companies need to protect PII, PHI and PCI data from both internal and
external threats, and should retain only information that is crucial to the
operation of the business or that they are legally required to keep, so that
less is exposed if their data is breached.

Personally Identifiable Information (PII) is information that can be used,
on its own or in conjunction with other information, to identify a single
person. The National Institute of Standards and Technology (NIST) Special
Publication 800-122 defines PII as "any information about an individual
maintained by an agency, including (1) any information that can be used to
distinguish or trace an individual's identity, such as name, social
security number, date and place of birth, mother's maiden name, or
biometric records, and (2) any other information that is linked or linkable
to an individual, such as medical, educational, financial, and employment
information." So, for example, a user's IP address as used in a
communication exchange is classified as PII regardless of whether it can,
on its own, uniquely identify a person.

Protected Health Information (as defined by HIPAA.COM) means any
information, whether oral or recorded in any form or medium, that:

· is created or received by a healthcare provider, health plan, public
health authority, employer, life insurer, school or university, or health
care clearinghouse; and

· relates to the past, present, or future physical or mental health or
condition of any individual, the provision of health care to an individual,
or the past, present, or future payment for the provision of health care to
an individual; and

1. Is created or received by a health care provider, health plan, employer,
or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual;
or the past, present, or future payment for the provision of health care to
an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the
information can be used to identify the individual.

Payment Card Industry (PCI) Compliance is adherence to a set of specific
security standards that were developed to protect card information during
and after a financial transaction. According to TechTarget, PCI compliance
is required by all card brands and per the PCI Security Standards Council
there are six main requirements for maintaining compliance.

1. Build and maintain a secure network

· Install and maintain a firewall configuration to protect cardholder data

· Do not use vendor-supplied defaults for system passwords and other
security parameters

2. Protect cardholder data

· Protect stored cardholder data

· Encrypt transmission of cardholder data across open, public networks

3. Maintain a vulnerability management program

· Use and regularly update anti-virus software

· Develop and maintain secure systems and applications

4. Implement strong access control measures

· Restrict access to cardholder data by business need-to-know

· Assign a unique ID to each person with computer access

· Restrict physical access to cardholder data

5. Regularly monitor and test networks

· Track and monitor all access to network resources and cardholder data

· Regularly test security systems and processes

6. Maintain an information security policy

· Maintain a policy that addresses information security

The costs associated with a data breach and subsequent loss of PII, PHI and
or PCI can be devastating to any organization, no matter their size. These
costs come in the form of financial penalties and loss of reputation and in
some cases result in criminal prosecution.

Reputation is one of an organization’s most important and valuable assets
and is intrinsically linked with brand image. According to research done by
the Ponemon Institute, respondents said that their brand would diminish by
21% in the event of 100,000 confidential consumer records being lost due
to a data breach and that it would take on average about a year to restore
the organization’s reputation. Data breaches involving employee
confidential information and also records containing confidential business
information can also be extremely harmful to an organization.

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the
Virgin Islands have enacted legislation requiring private or government
entities to notify individuals of security breaches of information
involving PII. Some states have passed legislation requiring businesses to
proactively implement security measures to protect PII before a data breach
occurs.

Protecting PII, PHI and PCI within an Enterprise Content Management System

It goes without saying that all data in databases, files and applications
and data being transmitted needs to be secure and encrypted. Just as
important is to purge files and data no longer required to be kept in
accordance with any laws and regulations and to redact all PII, PHI and PCI.

PII collected by businesses and government is stored in various formats
either digitally or hard copy paper. At least 32 states and Puerto Rico
have enacted laws that require entities to destroy, dispose, or otherwise
make PII unreadable or undecipherable.

There has been an increasing awareness of the need to protect data at the
source and not just at the perimeter.

Redacting documents, especially unstructured documents, can be a very
challenging exercise and should be entrusted to an enterprise content
management software and development company that is competent and
experienced in developing and integrating redaction software and workflows
to automate the redaction process.
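As an added illustration of source-level redaction (not code from the article or the original post), the following Python masks US Social Security numbers, Luhn-valid card numbers and email addresses in a constructed sample of unstructured text. The regexes, the sample text and the choice to leave digit runs that fail the Luhn check untouched are my assumptions; free-text PII such as names would need a separate approach.

```python
import re

# Constructed sample of unstructured text mixing PII, cardholder data and
# a look-alike order number that must NOT be redacted.
SAMPLE = (
    "Patient John Doe, SSN 123-45-6789, paid with card 4111 1111 1111 1111 "
    "(order 1234-5678-9012-3456 is an order number, not a card) and can be "
    "reached at john.doe@example.com."
)

# SSN: AAA-GG-SSSS, excluding area 000, 666 and 9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Keep only the last four digits of a Luhn-valid card number."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # order numbers, invoice ids etc. stay as-is
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Redact SSNs, card numbers and email addresses from free text."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    text = PAN_RE.sub(mask_pan, text)
    text = EMAIL_RE.sub("[EMAIL REDACTED]", text)
    return text


if __name__ == "__main__":
    print(redact(SAMPLE))
```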

The passage of the HITECH Act increased penalties for information security
negligence pertaining to PHI. The act requires organizations that handle PHI
to meet baseline criteria for the protection of data in transit, in use, at
rest and when disposed of. The HITECH Act is noteworthy because it provides
definition around the protection of PHI and puts an emphasis on the
encryption of PHI.

The penalties for HIPAA violations and data breaches of PII, PCI and PHI
can be devastating to any organization, and companies should not spare any
expense with regard to HIPAA compliance training and the securing of
networks and data.