Small businesses often tell us that they do not have any personally identifiable information ("PII"). They claim that they do not have any data a hacker would want. They are, almost without exception, dead wrong.
Businesses have customers. Businesses have employees. Businesses have vendors, sub-contractors and other relationships. Interacting with people requires data, and that data usually contains PII. Heck, your customer list, just names and phone numbers, is PII. That data is valuable to a hacker and can be used by criminals to identify and impersonate the people on it.
The pieces of data that define a person are many and varied. Criminals, just like marketers, compile info on their targets. The more pieces of information they have, the more they can do. Sometimes a name and a phone number are enough for a scam.
Here's the problem for businesses that don't take data privacy seriously: many state laws mandate the protection of PII. If you have a data breach, and statistically you will, you had better already be protecting your PII or you will face lawsuits.
PII is any information about an individual that can:
- Identify or trace an individual's identity
- Associate or link an individual to private information
- Distinguish one person from another
- Be used to re-identify anonymous data
Examples of PII include:
- Name
- Address
- Date of birth
- Telephone number
- Cell phone number
- Medical records
- Health information
- Credit card number
- Bank account and other financial account numbers
- License plate number
- Passwords and PINs
- Login or access credentials
- Driver's license number
- Vehicle identification number (VIN)
- IP address
- Email address
- Religious beliefs; sex life or behavior
- Genetic information
- Biometric information
- Origin or race
- Employment history
- Political opinions
- Criminal information
- GPS or location data
- Passport number
On its own, a single piece of information may be harmless, but pieced together with others it can reveal someone's identity or private information. The more pieces a criminal has, the more damage they can do.
Mandatory PII protection laws exist for ALL businesses:
It is well known that laws exist for PII collected by banks, doctor's offices, and insurance companies, but almost all states now have one or more laws protecting PII that apply to ALL businesses! These laws vary widely and can include:
- Mandatory protection of PII
- A mandatory PII protection program with documented policies and procedures
- A requirement that third parties and vendors maintain the same PII protections and program, documented in their contracts
- Mandatory redaction of Social Security or credit card numbers
- Required authorization levels for PII access
Reduce your chances of a catastrophic data breach. Download CSR's Guide to PII. It's right out of our Readiness program.
Get it now: CSR's PII Privacy Practice.
Don’t chance it! Protect PII
If you have a breach, you can be sued. Recent litigation has allowed lawsuits to proceed even where no identity theft has occurred. You don't want to stand in court and admit that you took no steps to protect PII!
Add more than virus protection to computers. Learn about precautions, such as:
- Encryption, deidentification, anonymization, or pseudonymization techniques
- Redaction/truncation of sensitive information, such as Social Security and credit card numbers (leaving only the last four digits)
- Levels of authorization – employees should only see PII as absolutely necessary to complete their job duties
- Employee training to recognize and protect PII
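As an added example of the first three precautions above (this is illustrative code, not part of CSR's guide or Readiness program), the script below truncates Social Security and credit card numbers in free-text notes down to their last four digits, uses a Luhn checksum so that a 16-digit order number is not mistaken for a card, and pseudonymizes email addresses with a keyed HMAC so that staff who only need to match records never see the real address. The record layout, field names and the key value are assumptions; the sample record is constructed and uses standard test numbers, not real people's data.

```python
"""Added example: redaction/truncation and keyed pseudonymization of PII.
Not CSR's code; the record layout and field names are assumptions."""
import hashlib
import hmac
import re

# Constructed sample record. 4111 1111 1111 1111 is a standard card test
# number and 123-45-6789 is a placeholder SSN; neither belongs to a real person.
SAMPLE_RECORDS = [
    {
        "name": "Jane Doe",
        "email": "jane.doe@example.com",
        "notes": "Paid with card 4111 1111 1111 1111; SSN on file 123-45-6789; "
                 "order 1234567812345678",
    },
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or hyphens (typical card formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs,
    so order or account numbers that merely look like cards are left untouched."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_ssn(text: str) -> str:
    """Keep only the last four digits of any SSN-shaped value."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def truncate_pan(text: str) -> str:
    """Keep only the last four digits of Luhn-valid card numbers."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)          # not a card number; leave as written
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def redact(text: str) -> str:
    """Apply both truncations to a free-text field."""
    return truncate_pan(truncate_ssn(text))


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token. The same email always yields the same token, so
    records still join across systems, but without the key the token cannot be
    brute-forced back to the address the way a plain SHA-256 hash could be."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def protect_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record suitable for staff who do not need full PII."""
    return {
        "name": record["name"],
        "email_token": pseudonymize(record["email"], key),
        "notes": redact(record["notes"]),
    }


if __name__ == "__main__":
    # Assumption: in practice the key comes from a secrets store, never from the data set.
    demo_key = b"replace-with-a-secret-from-your-key-store"
    for rec in SAMPLE_RECORDS:
        print(protect_record(rec, demo_key))
```

Two caveats a practitioner should keep in mind: the last four digits are still PII when combined with a name, so truncated records still belong behind the authorization levels described above; and a 13-19 digit account or phone number that happens to pass the Luhn check will be truncated too, which is the safer direction to fail in.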