Summary: With the increased focus on digital privacy and data protection regulations, data breaches are becoming prominent in the news. Data breaches happen due to the release of sensitive data to unauthorized parties and at times are the outcome of improper disposal of devices. This blog defines Personal Identifiable Information (PII), its breaches, and data disposal policy to ethically prevent PII breaches.
PII shared by employees, consumers, stakeholders, and clients are vulnerable to data leakage and need special attention by organizations responsible for storing, retaining and even when disposing storage device that contains this information. They must follow secure PII data disposal policy apart from rightful recycling of IT assets at the end-of-life to bridge the security gaps. Inappropriate handling of old devices can cause PII breach that may subsequently result in high penalties of up to €20 Million or 4% of global business revenue as per EU-GDPR and other data protection laws. Therefore, organizations dealing with bulk volumes of data must ensure permanent data wiping beyond recovery before donating, recycling, or disposing of old devices.
Get familiar with the fundamentals of Personally Identifiable Information in order to take secure disposal measures and prevent PII breach.
What is PII?
Personally Identifiable Information (PII) is information that if used alone or in combination with other records can define or trace an individual. It comprises any factual or subjective information, directly or indirectly associated with the person. PII may contain direct identifiers such as social security number or quasi–identifiers such as race or date of birth or a combination of both to successfully identify an individual.
A wide array of sensitive and non-sensitive information that forms a part of personally identifiable information are listed as under:
- Name, age, national identification number covering driver’s license, social security, and passport details
- Race, national or ethnic origin, and religion
- Marital or relationship status
- Medical, education, or employment history
- Financial information and business details
- DNA, digital identity, including face and fingerprint recognition
- Login credential, evaluation, comments, or opinions of an individual as an employee
Daunting Incidents of PII Breach
A PII Breach occurs when an unauthorized party gets access to the sensitive, confidential information pertaining to the organization (employees, customers, or stakeholders) and discloses it. This unauthorized access of physical or electronic information due to illicit handling, exposure or control leads to PII Breach.
Lack of data security measures and inappropriate handling of IT Assets during their disposal is leading to major PII breaches in the recent times. Improper hard drive disposal and poor vendor selections have caused massive penalties and losses to organizations in the near past. Here are some eye-opening PII breach incidents highlighting the ramifications of inappropriate IT asset disposal at the end-of-life:
| Company | Incident | Cost of Breach | PII Violation |
| NHS Computers | Sensitive data remained unattended in the old computers sold on eBay | £200,000 | About 900 adults and 2000 children patient’s record, personal data, and HR data was breached. |
| U.S. Department of Veterans Affairs | The devices enclosing personal data (PII) and other confidential military personnel data were stolen from the house of a Veteran Affairs employee who was liable for Unauthorized possession of office laptop and external hard disks. | Undisclosed | Personal information of 26.5 million veterans were compromised. |
| Morgan Stanley | Lack of due diligence while decommissioning IT assets at the end-of-life. | $60 Million | Failure in protecting the PII of approximately 15 mn. current and former clients. |
| HealthReach Community Health Centers | Improper disposal of hardware led to non-compliance to Maine Privacy law and HIPAA regulations. | Undisclosed | Over 100,000 Patients’ PII and PHI data has been compromised. |
These breaches reinforce the need to take due measures while handling and disposing of IT Assets in order to protect sensitive customer data (PII and PHI) from falling into wrong hands.
How to Prevent PII Breach?
Regardless of the industry or size, the organizations are advised to protect the personal information of their customers, employees, and stakeholders from getting exposed to unauthorized entities. So, they must develop comprehensive policies and procedures to securely manage PII at all stages of the data lifecycle.
Here is a list of key measures that an organization must adhere to prevent PII breaches in future.
- Limit access to devices and areas in an organization that store, transmit and process sensitive data.
- Establish an IT security policy for data encryption, multi-factor authentication, strong password policy, regular software updates and data backup to secure your devices.
- Establish a data governance policy that sets out protocols for safe data handling, archival and protection. Regular audit of the staff who is responsible for collection and processing PII must be done.
- Develop a privacy policy for the organization that defines and limits the usage and management of data collected from customers, investors and other stakeholders.
- Formulate vendor management program that addresses risk, security, privacy and compliance to data protection laws and regulations.
- Organize and carry out employee data security awareness trainings at regular intervals to ensure old and new personnel across the organizations are well aware of the pitfalls of data leakage.
- Organizations using personal information of customers should not store it beyond the purpose of collection. The data must be permanently erased once the project is over.
- Formulate PII data retention and disposal policy for permanent data destruction from devices not in use. Define best practices for data destruction including usage of software-based erasure for wiping data stored on hard drive, SSDs, etc. in PC, Mac and servers.
- Craft an incidence response plan to detect, respond, and recover from data security and data breach incidents.
Global Regulations for PII Protection
Unfortunately, the conventional methods of data protection and privacy measures were fundamentally flawed. When the major malicious attacks started rocking the world, different countries came up with a stringent set of data protection laws to guide organizations with the legitimate approach of PII collection, storage, and disposal.
Some fundamental principles outlined by these laws emphasize on not using personal information unless extremely critical. The regulatory guidelines also insist on data erasure of sensitive information once its purpose is fulfilled or it is no longer required in the future.
With an objective to protect the individuality of their citizens, the United States follow the National Institute of Standards and Technology (NIST) guidelines to safeguard the confidentiality of their citizens. Similarly, EU GDPR is one of the toughest data protection regulations effective across the European Union (EU).
Even the Government of Australia initiated a predominant data privacy law in the late 80s, known as the ‘Privacy Act 1988’. The Personal Information Protection and Electronic Documents Act (PIPEDA) empowers Canadian customers with the right to access their personal information gathered by organizations on their websites. The Japanese Act on the Protection of Personal Information, also known as APPI, aims to preserve the personal information of Japanese citizens. Organizations that ignores the regulatory laws suffer massive penalties from the legal and compliance regulators.
Conclusion:
Responsible handling of personal information is critical for any organization. Data Collection, Processing and Management should be governed by the data protection, retention and disposal policies in order to meet compliance and mitigate risks. Maintain a meticulous approach to record, access, preserve, and dispose the Personally Identifiable Information after a specified duration. Even documents of PII records must be destroyed in line with the prevailing data protection laws. Failure in doing so can lead to non-compliance and risk organization goodwill.
