31
Jan
2020
PII Data Encryption – Best Practices
What is Personally Identifiable Information (PII)?
The digital age of today is powered by customer and consumer data: data is the new currency. Provided it is collected through consent and transparency, consumer data is the key for enterprises to create value for their consumers, for example through personalization and transformed experiences. Among the various attributes of consumer data are those which can be used to uniquely identify the consumer – the set of such data is called Personally Identifiable Information (PII). Examples of PII include name, email address, telephone number, address, and other attributes related with the individual’s demographic, financial, health and any other personal details.The need for enterprises to protect PII
With regulations such as the California Consumer Protection Act (CCPA) in the USA, General Data Protection Regulation (GDPR) in Europe and similar ones in other parts of the world, enterprises are under increasing legal obligations to protect PII data. As consumer awareness increases, each data breach causes a significant dent in consumer trust and consequently, the organization’s brand and reputation. However, it’s not just about brand and reputation: recent research indicates that each data breach has a financial impact of $4 million. With threats and vulnerabilities constantly on the rise, the need for enterprises to protect PII data is more today than ever before.Encryption of PII Data
Encryption is one of the proven ways to protect PII data. Once consumer data is encrypted, the risk of a data breach can be mitigated to a large extent, and the impact of the breach can be contained – since the stolen data will be of no use to the attacker in an encrypted form. Apart from risk mitigation, PII data encryption is also necessary from a compliance perspective, with regulations such as CCPA and GDPR mentioned earlier, mandating such encryption.What to encrypt?
The first step in PII data encryption is to decide what data to encrypt: and data privacy regulations offer a good starting point. For example, the HIPAA (Health Insurance Portability and Accountability Act) regulations in the US defines the patient information that needs to be encrypted, including treatment information. One point to note is that while regulations indicate what data is to be encrypted, they leave the choice of the encryption technology to the enterprise.Locating the data
Once the data to be encrypted is identified, the next step is in locating the data across the enterprise, as a part of a data discovery exercise. This is essential because PII data could be stored in multiple applications, databases, and file systems across the enterprise, or in the cloud. The data discovery exercise typically involves an application and system portfolio study or assessment, along with the use of data discovery tools.
