Protecting PII is a challenge for individuals and businesses alike. As individuals, we alone are to blame if we expose our own information to risk, but organisations have a far greater liability. Every organisation is built on people and processes, and ultimately it is responsible for the actions of its staff and the effectiveness of the processes that define how PII is protected.
Reasons for loss of PII
A great deal of PII loss is the result of stolen or lost equipment, hard drives or documents. The Data Protection Compliance Report by IT Governance studied Data Protection Act (DPA) contraventions from January 2013 to October 2014, revealing that 32% of all incidents were due to personal or sensitive data being inappropriately disclosed. Repeated errors – such as sending information to the wrong recipients because of incorrect fax numbers or email addresses – were common. Another frequent form of human error was the misplacement of files, documents or mobile devices, at an average cost of £35,000 per incident.
Online data breaches and cyber attacks were also among the common reasons for PII loss identified by the report. Significantly, they were the most costly type of data breach in terms of monetary penalties.
The consequences of PII theft
Organisations that don’t protect the personally identifiable information of their employees, members or customers risk incurring significant financial cost and reputational damage in the event of a data breach.
The Data Protection Compliance Report revealed that, for the period of 22 months from January 2013 to October 2014, the ICO issued £2,170,000 in fines.
How to protect PII
- Know where your personally identifiable information (PII) is stored – if you do not know where the information to be protected is located, then it is impossible to provide adequate protection.
- Know who sees your data – a key control for protecting the privacy of data is access control, ensuring that only those who have a business need to access the data have the relevant rights.
- Create policies for handling data – set rules regarding access to the data, how the data is received, stored and transmitted, what information can be sent within the organisation and what can be passed along to third parties.
- Educate users – ensure everyone handling PII is aware of the risks and their responsibilities under the DPA. A DPA staff awareness course will help communicate key messages to staff and test their knowledge.
- Fully encrypt desktop and mobile devices – USB sticks, laptops, tablets and mobile phones are major contributors to data loss. Make sure they use full-disk encryption (with recovery keys held somewhere other than the device itself) and that you have an appropriate BYOD policy in place.
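The first item above, knowing where PII is stored, is the one most organisations cannot answer from memory. The script below is an added example (it is not from the original article or from IT Governance) of a minimal PII discovery scan: it walks a directory tree, looks for e-mail addresses and UK National Insurance numbers, and returns an inventory of which files hold which type of PII. The sample files, names and NI numbers it writes to a temporary directory are constructed for the demonstration; the NI prefix rules it applies are HMRC's published format rules, so syntactically impossible numbers (such as ones starting with ZZ or Q) are not reported.

```python
"""Added example: a minimal PII discovery scan for the 'know where it is stored' step."""
import os
import re
import tempfile
from collections import defaultdict

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# UK National Insurance number: two letters, six digits (optionally space-grouped), suffix A-D.
NINO_RE = re.compile(r"\b([A-Za-z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-Da-d])\b")

# HMRC format rules: these prefixes are never issued, so a match is a false positive.
_BAD_FIRST = set("DFIQUV")
_BAD_SECOND = set("DFIQUVO")
_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def is_valid_nino(candidate: str) -> bool:
    """Format check only (no lookup): rejects prefixes that HMRC never issues."""
    s = candidate.replace(" ", "").upper()
    if len(s) != 9:
        return False
    prefix = s[:2]
    if prefix[0] in _BAD_FIRST or prefix[1] in _BAD_SECOND or prefix in _BAD_PREFIX:
        return False
    return s[2:8].isdigit() and s[8] in "ABCD"


def find_pii(text: str) -> dict:
    """Return {pii type: [matches]} for one document's text."""
    found = defaultdict(list)
    for m in EMAIL_RE.finditer(text):
        found["email"].append(m.group(0))
    for m in NINO_RE.finditer(text):
        raw = "".join(m.groups()).upper()
        if is_valid_nino(raw):
            found["nino"].append(raw)
    return dict(found)


def scan_directory(root: str) -> dict:
    """Return {relative path: {pii type: [matches]}} for every file that contains PII."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real scan would log it
            if hits:
                inventory[os.path.relpath(path, root)] = hits
    return inventory


# Constructed sample files for the demo; the people and numbers are not real.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,nino\nAlice Example,AB 12 34 56 C\nBob Example,ZZ123456A\n",
    "mail/outbox.txt": "To: alice@example.org\nHi Alice, reminder about the fax number.\n",
    "docs/readme.txt": "Nothing sensitive here. Reference QQ123456A (test data).\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="pii-demo-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> dict:
    """Build the sample tree and scan it; only payroll.csv and outbox.txt should be reported."""
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Run against a real file share, the output is the inventory the first list item asks for, and the file paths are what you then feed into the access-control review in the second item. Pattern matching is deliberately conservative here (an NI number with an impossible prefix is dropped); in practice you would add the identifiers your own records use and treat every hit as a lead to confirm, not as proof.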
A holistic approach to PII protection
Finally, protecting PII is about adopting a holistic approach that takes into account people, processes and technology. Consider ISO 27001, the information security management standard, which provides guidance on the development, implementation and maintenance of an information security management system (ISMS).
Data encryption, staff training and awareness, effective policies and procedures, and data disposal management are all elements of a well-planned and maintained ISMS.
IT Governance’s ISO 27001 ‘Get a Lot of Help’ package is a fixed-price online consultancy service to help you get started with ISO 27001 at a much lower cost than having to resort to on-site consultants. Combining live, online expert guidance with key implementation tools, this package significantly reduces the time and effort required to implement a robust information security management system.
Contact IT Governance today for further information on how to get started or to discuss flexible payment options, on +44 (0)845 070 1750 or email firstname.lastname@example.org.