PII Data Encryption – Best Practices
What is Personally Identifiable Information (PII)?
The digital age of today is powered by customer and consumer data: data is the new currency. Provided it is collected with consent and transparency, consumer data is the key for enterprises to create value for their consumers, for example through personalization and transformed experiences. Among the various attributes of consumer data are those that can be used to uniquely identify the consumer; the set of such data is called Personally Identifiable Information (PII). Examples of PII include name, email address, telephone number, postal address, and other attributes related to the individual's demographic, financial, health and other personal details.
The need for enterprises to protect PII
With regulations such as the California Consumer Protection Act (CCPA) in the USA, the General Data Protection Regulation (GDPR) in Europe and similar laws in other parts of the world, enterprises are under increasing legal obligations to protect PII data. As consumer awareness increases, each data breach causes a significant dent in consumer trust and, consequently, in the organization's brand and reputation. However, it is not just about brand and reputation: recent research indicates a financial impact of $4 million per data breach. With threats and vulnerabilities constantly on the rise, the need for enterprises to protect PII data is greater today than ever before.
Encryption of PII Data
Encryption is one of the proven ways to protect PII data. Once consumer data is encrypted, the risk of a data breach can be mitigated to a large extent and the impact of a breach can be contained, since stolen data is of no use to the attacker in encrypted form as long as the keys stay out of the attacker's reach. Apart from risk mitigation, PII data encryption is also necessary from a compliance perspective, with regulations such as the CCPA and GDPR mentioned earlier mandating such encryption.
What to encrypt?
The first step in PII data encryption is to decide what data to encrypt, and data privacy regulations offer a good starting point. For example, the HIPAA (Health Insurance Portability and Accountability Act) regulations in the US define the patient information that needs to be encrypted, including treatment information. One point to note is that while regulations indicate what data is to be encrypted, they leave the choice of encryption technology to the enterprise.
Locating the data
Once the data to be encrypted is identified, the next step is to locate that data across the enterprise as part of a data discovery exercise. This is essential because PII data could be stored in multiple applications, databases, and file systems across the enterprise, or in the cloud. The data discovery exercise typically involves an application and system portfolio study or assessment, along with the use of data discovery tools.
Encryption Technologies & Standards
The next step is the actual encryption of the data. There are multiple encryption technologies and standards available; let's take a look at the most popular ones.
Advanced Encryption Standard (AES):
AES is one of the best encryption options, primarily due to its strength and widespread acceptability. As one of the strongest encryption technologies available, AES enjoys widespread acceptance across regulations, enterprises, credit card issuers, and government agencies. AES is also used in the Pretty Good Privacy (PGP) standard, which is used by a large number of banking and financial services institutions. The National Institute of Standards and Technology (NIST) recommends AES as the highest standard for encryption, with three different key sizes: 128, 192, and 256 bits.
Rivest-Shamir-Adleman (RSA):
This is an encryption standard named after its three inventors: Rivest, Shamir and Adleman. The strength of RSA is derived from the fact that prime factorization of very large numbers is computationally extremely difficult with existing hardware and compute resources. RSA has become popular since it can help assure the confidentiality, integrity, authenticity, and non-repudiation of data. Key lengths in RSA are very long at 1024 or 2048 bits, and this is another reason for RSA's strength. With these key lengths, however, the algorithm is relatively slow, and therefore one application of RSA is to use it for key encryption instead of direct data encryption. Another limitation of RSA is that as computers get more powerful, key lengths need to get longer and longer in order to stay ahead of attempts at prime factorization.
Elliptic Curve Cryptography (ECC):
This is emerging as a popular alternative to RSA due to its advantages of speed, smaller key sizes, and cryptographic efficiency. ECC is also a good option for mobile devices due to its lower requirements on compute power and battery use. The algorithm is based on algebraic equations that represent elliptic curves. Keys generated through this approach are mathematically several orders of magnitude stronger than those of the prime factorization approach of RSA. For example, a 256-bit ECC key has the same strength as a 3072-bit RSA key.
Secure Sockets Layer / Transport Layer Security (SSL/TLS):
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have now become mainstream, with web servers and browsers being a familiar example of their usage. With PII data often being sent over the network from client to server, from one application to another and from one server to another, communication channel encryption using SSL/TLS is critical to avoid "man in the middle" attacks. At the heart of SSL/TLS is a handshake protocol between the two endpoints, secured with asymmetric cryptography, which establishes a session key that is valid only for that communication session. The rest of the communication over the channel is encrypted using symmetric cryptography, with this session key used by both endpoints. The SSL/TLS protocol ensures both security and performance and has become the de facto encryption standard for data in motion, not just between a web browser and server but between any two endpoints.
Key Management
The ultimate success of any data encryption technology does not depend on the algorithms, hardware and software used: it depends on how well the encryption keys are managed. The fundamental requirement for key management is to keep the encrypted data and the encryption keys in distinct physical locations. Options for key management include Hardware Security Modules (HSM), virtual appliances, and cloud key management services.
Any enterprise that handles personally identifiable information (PII) of consumers is also responsible for protecting that data. Data breaches pose three significant business risks to any organization: loss of consumer trust, direct financial impact, and legal and regulatory implications and penalties. Encryption technologies offer a proven means for enterprises to protect PII data and address all three risks.