
Last week's newsletter was all about data leakage, and I argued that it isn't a well understood problem and doesn't get the attention it deserves. We all know about data protection, at least at a high level, and we know about the regulatory issues around it, although many take the view that talking about those is a scare tactic designed to make you buy something. It can be just that, but that doesn't make the risk any less real.
We all need to be cognisant of the issues and the potential fallout, but it becomes a much more urgent matter for organisations that depend upon holding and processing large amounts of what is known as Personally Identifiable Information, or PII. That is information that can identify a specific individual, either on its own or when combined with other data. PII spans quite a large category of data:
a. Direct identifiers (identify someone immediately)
• Full name
• Social Security number / National ID number
• Passport number
• Driving license number
• Biometric data (fingerprints, facial recognition data)
b. Contact information
• Home or mailing address
• Email address
• Phone number
c. Financial information
• Credit or debit card numbers
• Bank account and routing numbers
• Tax records
• Payment transaction histories
d. Digital & online identifiers
• IP address
• Device IDs (IMEI, MAC address)
• Cookies linked to an individual
• Account usernames (when tied to a real person)
e. Personal characteristics
• Date and place of birth
• Gender
• Marital status
• Employment details
• Education records
f. Sensitive PII (higher risk if exposed)
• Medical and health records
• Insurance information
• Genetic data
• Precise location data
• Criminal history
We all process some data of this kind, if only data pertaining to our own employees, such as payroll information. Most of us also hold personal data about our customers and suppliers: names, payment details, addresses and so on. But consider organisations that store and process data covering many of the categories above. I'm thinking of law firms, financial firms, even real estate agents and recruitment agents, amongst others. Have you thought about the categories of PII you are holding? Have you identified the sensitivity of the data you hold, and do you protect it accordingly?
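Answering those two questions usually starts with an inventory: finding which of the categories above actually appear in your data stores and triaging by sensitivity. As an added illustration, not part of the original newsletter and not H2's product, here is a small Python scanner that tags free-text records with the categories from the list above. The sample records, the category shorthand (direct, contact, financial, digital) and the risk levels are all this example's own constructions; it uses a Luhn check to avoid flagging every 16-digit order number as a card, and it scores an IP address on its own as low risk, in line with the point that online identifiers become PII when they can be linked to a person.

```python
import re

# Constructed sample records for the demonstration; no real people, cards or hosts.
SAMPLE_RECORDS = [
    "Alice Example <alice@example.com> paid with card 4111 1111 1111 1111 from 203.0.113.7",
    "Applicant SSN 123-45-6789, phone +44 20 7946 0958",
    "Order ref 1234-5678-9012-3456 (looks like a card but fails Luhn)",
    "Server log: client 198.51.100.23 requested /health",
]

# Detector name -> (category shorthand for the article's groups a-d, compiled pattern).
# The category names are this example's own labels, not a standard taxonomy.
DETECTORS = {
    "email": ("contact",   re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    "phone": ("contact",   re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b")),
    # US SSN shape with the structurally impossible area/group/serial values excluded.
    "ssn":   ("direct",    re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    # 13-19 digits with optional single space/dash separators; validated with Luhn below.
    "card":  ("financial", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    "ipv4":  ("digital",   re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
}

# Categories a fraudster can act on directly (this example's own triage choice).
HIGH_RISK = {"direct", "financial"}


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits of `number`, ignoring separators.
    Filters out most order references and random digit runs that are card-length."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {category: [matched values]} for the categories detected in one record.
    Categories with no hits are omitted, so an empty dict means nothing was found."""
    found = {}
    for name, (category, pattern) in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "card" and not luhn_valid(value):
                continue        # card-shaped, but not a card number
            found.setdefault(category, []).append(value)
    return found


def risk_level(findings: dict) -> str:
    """Rough triage: direct or financial identifiers are high; contact details are
    moderate; an online identifier on its own (an IP in a server log) is low,
    because it only becomes meaningful PII once it is tied to a person."""
    categories = set(findings)
    if categories & HIGH_RISK:
        return "high"
    if "contact" in categories:
        return "moderate"
    if categories:
        return "low"
    return "none"


def scan(records):
    """Inventory a batch of records: which categories each holds and its risk level."""
    rows = []
    for index, text in enumerate(records):
        findings = find_pii(text)
        rows.append({"record": index, "findings": findings, "risk": risk_level(findings)})
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLE_RECORDS):
        print(row)
```

Regexes like these are a first pass, not a classifier: medical, genetic or criminal-history data (the article's sensitive category) rarely has a recognisable shape and needs column-level or keyword review instead. The useful output is the per-store summary of which categories turn up where, which is exactly what you need to hand to whoever asks "where is the sensitive data and how is it protected?".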
It’s also important to understand what PII is not.
If you do hold lots of PII that is critical to your business, what do you need to care about? This will depend to a certain extent on what you are holding and processing, but generally:
Reputational damage can be far worse than losing, say, some money to a scam or ransomware. Firms can often come back from a financial loss, but reputational damage is often permanent and fatal. You need to be seen as a safe pair of hands.
A core anxiety is often the worry that if something happens, the organisation wouldn't be able to confidently explain where the sensitive data is and how it's protected. Three things tend to be a common theme amongst those we deal with at the start of their journey:
The problem often gets explained like this:
At H2 we understand the issues and anxieties. We have a solution that deals with these requirements and has a built-in encryption system, all within the same monthly cost. It will cost you nothing to trial it, and we'd be very surprised if, once you've seen it and seen the low monthly charge for the managed service, you don't want to keep it.