Improper Disposal of PII May Lead to Data Breach

Written By

Namrata Sengupta

Updated on

March 9, 2022

What is PII?

Personally Identifiable Information (PII) is information that if used alone or in combination with other records can define or trace an individual. It comprises any factual or subjective information, directly or indirectly associated with the person. PII may contain direct identifiers such as social security number or quasi–identifiers such as race or date of birth or a combination of both to successfully identify an individual.

A wide array of sensitive and non-sensitive information that forms a part of personally identifiable information are listed as under:

Name, age, national identification number covering driver’s license, social security, and passport details
Race, national or ethnic origin, and religion
Marital or relationship status
Medical, education, or employment history
Financial information and business details
DNA, digital identity, including face and fingerprint recognition
Login credential, evaluation, comments, or opinions of an individual as an employee

Daunting Incidents of PII Breach

A PII Breach occurs when an unauthorized party gets access to the sensitive, confidential information pertaining to the organization (employees, customers, or stakeholders) and discloses it. This unauthorized access of physical or electronic information due to illicit handling, exposure or control leads to PII Breach.
Lack of data security measures and inappropriate handling of IT Assets during their disposal is leading to major PII breaches in the recent times. Improper hard drive disposal and poor vendor selections have caused massive penalties and losses to organizations in the near past. Here are some eye-opening PII breach incidents highlighting the ramifications of inappropriate IT asset disposal at the end-of-life:

Company	Incident	Cost of Breach	PII Violation
NHS Computers	Sensitive data remained unattended in the old computers sold on eBay	£200,000	About 900 adults and 2000 children patient’s record, personal data, and HR data was breached.
U.S. Department of Veterans Affairs	The devices enclosing personal data (PII) and other confidential military personnel data were stolen from the house of a Veteran Affairs employee who was liable for Unauthorized possession of office laptop and external hard disks.	Undisclosed	Personal information of 26.5 million veterans were compromised.
Morgan Stanley	Lack of due diligence while decommissioning IT assets at the end-of-life.	$60 Million	Failure in protecting the PII of approximately 15 mn. current and former clients.
HealthReach Community Health Centers	Improper disposal of hardware led to non-compliance to Maine Privacy law and HIPAA regulations.	Undisclosed	Over 100,000 Patients’ PII and PHI data has been compromised.

These breaches reinforce the need to take due measures while handling and disposing of IT Assets in order to protect sensitive customer data (PII and PHI) from falling into wrong hands.

How to Prevent PII Breach?

Regardless of the industry or size, the organizations are advised to protect the personal information of their customers, employees, and stakeholders from getting exposed to unauthorized entities. So, they must develop comprehensive policies and procedures to securely manage PII at all stages of the data lifecycle.
Here is a list of key measures that an organization must adhere to prevent PII breaches in future.

Limit access to devices and areas in an organization that store, transmit and process sensitive data.
Establish an IT security policy for data encryption, multi-factor authentication, strong password policy, regular software updates and data backup to secure your devices.
Establish a data governance policy that sets out protocols for safe data handling, archival and protection. Regular audit of the staff who is responsible for collection and processing PII must be done.
Develop a privacy policy for the organization that defines and limits the usage and management of data collected from customers, investors and other stakeholders.
Formulate vendor management program that addresses risk, security, privacy and compliance to data protection laws and regulations.
Organize and carry out employee data security awareness trainings at regular intervals to ensure old and new personnel across the organizations are well aware of the pitfalls of data leakage.
Organizations using personal information of customers should not store it beyond the purpose of collection. The data must be permanently erased once the project is over.
Formulate PII data retention and disposal policy for permanent data destruction from devices not in use. Define best practices for data destruction including usage of software-based erasure for wiping data stored on hard drive, SSDs, etc. in PC, Mac and servers.
Craft an incidence response plan to detect, respond, and recover from data security and data breach incidents.

Global Regulations for PII Protection

Unfortunately, the conventional methods of data protection and privacy measures were fundamentally flawed. When the major malicious attacks started rocking the world, different countries came up with a stringent set of data protection laws to guide organizations with the legitimate approach of PII collection, storage, and disposal.

Some fundamental principles outlined by these laws emphasize on not using personal information unless extremely critical. The regulatory guidelines also insist on data erasure of sensitive information once its purpose is fulfilled or it is no longer required in the future.

With an objective to protect the individuality of their citizens, the United States follow the National Institute of Standards and Technology (NIST) guidelines to safeguard the confidentiality of their citizens. Similarly, EU GDPR is one of the toughest data protection regulations effective across the European Union (EU).

Even the Government of Australia initiated a predominant data privacy law in the late 80s, known as the ‘Privacy Act 1988’. The Personal Information Protection and Electronic Documents Act (PIPEDA) empowers Canadian customers with the right to access their personal information gathered by organizations on their websites. The Japanese Act on the Protection of Personal Information, also known as APPI, aims to preserve the personal information of Japanese citizens. Organizations that ignores the regulatory laws suffer massive penalties from the legal and compliance regulators.

Conclusion:

Responsible handling of personal information is critical for any organization. Data Collection, Processing and Management should be governed by the data protection, retention and disposal policies in order to meet compliance and mitigate risks. Maintain a meticulous approach to record, access, preserve, and dispose the Personally Identifiable Information after a specified duration. Even documents of PII records must be destroyed in line with the prevailing data protection laws. Failure in doing so can lead to non-compliance and risk organization goodwill.

About The Author

Namrata Sengupta

51 posts

Namrata is a seasoned business leader with a strong background in strategic management, revenue growth, brand building, and nurturing partnerships. She has more than 25 years of experience serving leadership roles in IT / ITES , Telecom & Education industries. In her role as Vice President at Stellar, she has been actively talking about data privacy & erasure solutions through live technology events in the US, Europe & APAC.

Improper Disposal of PII May Lead to Data Breach

Let’s get started

Submit Enquiry

Stellar Brings to The World Future-Ready Data Solutions