In our previous articles, we have stressed the importance of not letting your data, devices and network become compromised by malicious actors. However, when it comes to data in particular, no special mention was made as to the type of data. Of course, the assumption is that all data on our devices and organisational network should be viewed as equally important and should be safeguarded by the same policies, technology and best practices.
While both users and the organisations that they form a part of should be implementing or contribute to a wide array of policies, sets of optimum methodologies depending on the situation, and technology-based security solutions to help construct a holistic approach to data privacy, there is one specific type of data which we need to place particular focus on: Personally Identifiable Information (PII).
What is Personally Identifiable Information?
We will examine Personally Identifiable Information in two contexts: how it is defined in a legal framework and what it is deemed to be composed of in an information technology context.
PII in law
Under the European Union’s Data Protection Directive (Directive 95/46/EC) which has been in effect since 1995, before its full implementation three years later, personal data includes everything that can be used to identify any one person in real life. This includes their passport or ID number, physical descriptors, social or cultural descriptors, and more.
Moreover, the Directive specifies that it solely “applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non automated filing systems (traditional paper files).” What this means in effect, is that data processed by a human being in a personal or household context does not fall under this legal framework.
PII in an IT context and how it relates to the law
In the United States, Personally Identifiable Information in an IT context and the legal aspect of this type data are very closely linked, since PII is legally defined by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce.
According to NIST, PII includes your name and surname (although some exceptions can take place in the event of very generic names, e.g. John Smith), a digital image of your face, the address of your home, your personal email, your social security, ID or passport number, your personal vehicle license plate, your fingerprints, your individual handwriting, your driver’s license, your credit or debit card number, your digital ID number or alphanumeric code, your date of birth and place of birth, your genetic information in the event where a relevant test has taken place, your mobile or home phone number, your medical record, your login name in a specific context (e.g. within a specific platform), and more.
Moreover, there is some disparity as to what is considered a ‘clear identifier’ and a ‘pseudo identifier’. For example, a name and surname or an ID number are clear identifiers, however, a combination of weaker pieces of information, such as a string containing your gender, postcode and date of birth, may be enough to identify you. While the latter may not be deemed as PII in the United States, it may be deemed as PII under EU law.
Best practices when dealing with PII
Below we will be looking at the preferred practices when it comes to dealing with Personally Identifiable Information, particularly when working from home or any other remote location.
Habits you must avoid doing
Forwarding emails with sensitive information and taking PII home
Forwarding emails can potentially expose personal information belonging to one of your colleagues or business partners, since they can include email addresses which should not have been shared with a third party, or other personal information contained in their signature, including their mobile or work phone numbers and social media profile links.
Avoiding the forwarding of emails also applies in the event where you want to forward it to your own personal email address for any reason, including wanting to work from home. The reason for this is that the forwarded email and any information or attachments it includes can then be accessed by any malicious actor who has gained access to your home network or personal email account.
Similar risks apply when taking home PII via other means, including unauthorized transportation of organisational devices and transporting PII via portable storage devices such as USB drives, external hard drives, and other media. The security level at your home is vastly diminished than when working from the office and this impacts the way you should be treating data as sensitive as PII.
Printing PII at home and planning ahead
Users and organisations have to be proactive when it comes to the handling of PII. If the task at hand necessitates the printing of PII, it is highly advisable that this activity takes place at the workplace and any printed documents remain there due to the higher level of security and pre-embedded segmentation of access.
Printing PII at home introduces a number of risks, including security vulnerabilities to WiFi-enabled printers as well as vulnerabilities to the network equipment installed at your home or the remote location from which you are working from. This can allow a sensitive document or email becoming intercepted or otherwise accessed by malicious entities.
In addition, certain steps can be taken to improve print-related security, including the addition of dynamic watermarks to all printed documents to keep track of who has printed which document, as well as the continuous monitoring of all printing activity to track any potential dangers.
The same applies when having to use sensitive information in digital form. Limiting its use to office hours as much possible will help decrease any unnecessary risks. However, if this is unavoidable, particularly during a time when remote working is the norm, try to not expose yourself to needless risks and take all necessary precautions on all levels, including your devices, network, and online behaviour.
Allowing family or other household members to access PII
It is crucial that your family members or anyone else sharing a household with you be prohibited and restricted from accessing any PII found on your work devices. Studies have shown that people working remotely may allow their children or partners to use their devices for personal activities. This is a major cybersecurity risk as PII may be unwittingly shared, either directly through its accidental sharing or indirectly through your device becoming compromised after a malicious file is downloaded or a security setting becoming disabled.
Habits you should aim to emulate
Keeping PII encrypted
Encryption is one of the most steps that individuals and organisations can take in order to secure their most sensitive information. Moreover, encryption can reduce the potential for human-based errors and trust-based security risks. In addition, encrypting PII in such a way that only specific users can view it or limiting the network or geolocations in which that data can be viewed can massively help to prevent any exposure.
Secure your devices at home by restricting the access to them
While the possibility of PII being leaked or otherwise compromised in a digital manner, particularly in terms of wireless or other internet-based means, is a crucial concern which must be addressed, users must never forget that PII can be easily leaked in a more direct way: unauthorized physical access to a work device, document or storage device.
Users working from home should strive to restrict physical access to any device or document containing PII so that they eliminate the possibility of theft, loss or other unwanted access. This can take the form of a locked room in which the PII is stored, a locked cabinet or drawer, or a combination of all previous measures.
How Boltonshield can help
Boltonshield can help you assess your current security levels through a variety of methods, including penetration testing and security audits. This can help you identify problems and potential risks in a proactive manner and address them before they can be exploited.
Boltonshield can provide your organisation with terminal servers which can be used by remote workers. A terminal server can provide a safe, secure and remote working environment, access to organisational resources from wherever they are, as well as a singular point of both entry and maintenance which can be more easily monitored and managed.
If you want to get updated about our recent publications about cybersecurity related topics, subscribe to our newsletter!