Anyone working in corporate IT, security, or regulatory compliance has probably heard a great deal about Personally Identifiable Information (PII). If that’s you, you’re probably going to be hearing quite a bit more about it in the near future, too. Why is that? The reasons for PII data’s prominence in discussions about security, data governance, and compliance have to do with its role in cyberattacks, cyber fraud, and government privacy regulations. It’s also relevant to backup and restore operations.
As its name suggests, Personally Identifiable Information comprises any data that identifies a specific person. This includes email and postal addresses, phone numbers, and Social Security numbers. However, PII can also mean IP addresses, social media identifiers, and geolocation information. Even biometrics like digitized fingerprints could be considered PII, depending on who is asking—and many different entities are asking, unfortunately.
Businesses store PII about their customers and employees on multiple systems. The HR management solution likely contains a lot of detailed employee PII. Systems that run e-commerce, for instance, also tend to have customer names and addresses stored in their databases. So, chances are, if you run a business, you’ve got other people’s PII spread out across your IT infrastructure.
Protecting PII should be a top-of-mind issue for IT, security, and compliance managers for at least three significant reasons:
Basic business conduct and brand image—You are the steward of people’s sensitive information. If you allow hackers to invade their privacy and use their data for identity theft, that will make your business look bad and probably cause you aggravation, legal liability, and expense.
Cybersecurity and cyber fraud—Hackers love PII. It enables them to impersonate people and take over their bank accounts, among many other types of online fraud. With PII, a hacker is also well-positioned to conduct spear phishing attacks. At a minimum, hackers can sell PII on the dark web to fraudsters who will make good (bad) use of it.
Regulatory compliance and data compliance—A number of laws now dictate how corporations are supposed to handle customers’ PII. The EU’s GDPR regulation and the California Consumer Privacy Act (CCPA), to name two major examples, both have strict rules and high penalties for companies that do not protect PII from breaches. With CCPA, fines can be as high as $2,500 per incident. Thus, if you have a million customer records, that might mean facing a $2.5 billion fine for not handling PII with care! The laws also have a “right to be forgotten,” which enables consumers to request that their PII be deleted from all corporate systems.
Backup and restore are weak points in PII security and data compliance. The major ERP and RDBMS vendors have created effective tools for tracking PII and the “right to be forgotten.” The problem is that PII can end up all over the place when it’s included in a backup program. You might inadvertently be storing PII data in on-premises storage arrays, cloud backup volumes, mirror sites, and so forth. In these cases, which are extremely common, you could be viewed as negligent in terms of compliance—plus, you are vulnerable to data breach of PII by hackers.
Data governance mitigates most regulatory compliance and data compliance risks, at least in theory. It establishes rules for managing PII. For example, data governance policy might require that PII be classified as such and carefully tracked in its storage and usage. This is a good idea, except is has a big flaw. The frenetic nature of storage and backup render intentional data classification a partial solution at best. A lot of PII can be stored in the enterprise without anyone knowing where it is or realizing it ever needed to be classified.
There is a way to prevent PII from causing trouble. It’s called automated data governance and classification. Using Artificial Intelligence (AI), tools like Rubrik Polaris Sonar can automatically discover, classify, and protect sensitive PII. Sonar scans your existing backup data and reports on any sensitive data you are storing. That way, you can make informed decisions about how to handle PII in your operation. Learn more about how Rubrik can help you protect your PII with automated sensitive data discovery.