Personal information and the way companies use and store it has become a controversial issue over the years. Today, each click, each move of the mouse, and each ping from a person’s cell phone records impressive amounts of information and transmits it to repositories. Among that information, there’s a vast amount of sensitive data — data that can be used for criminal activities. That’s why more and more companies are streamlining their protocols and policies regarding the way they deal with PII – Personal Identifiable Information. Currently, dozens of companies detect and label personally identifiable information through time-consuming and error-prone manual processes. Leaving themselves open for attack vectors and other liabilities. Luckily, thanks to tech, there is a more expedient way — automated PII detection.
What is PII detection?
PII stands for “Personally Identifiable Information.” PII is a type of information that can be used to identify an individual. It is a term that is normally only used in the United States and one that is a bit broad in its definition.
Examples of PII data are:
-Name
-Address
-Phone number
-Date of birth
-Gender
-Postcode
This type of data is typically used to authenticate identity or make a financial transaction. However, according to the National Institute of Standards and Technology – NIST – this type of information although sensitive isn’t dangerous, it does not open an individual up to some of the most common threats of PII leaks. Why? Because those data points are less often used to distinguish an individual identity. They are in essence data points and traits that can be shared by many people. As such, to have any value to criminals, those data points require additional PII — for example, a Social Security Number, a bank account number, a Credit/debit card number, a passport number, etc.
The NIST, along with other institutes, has created clear guidelines regarding PII detection, and, more importantly, its security layers. In other words, what PII is truly valuable and has to be safeguarded at all costs, and which ones are inconsequential?
The benefits of continuous and automated PII detection
In today’s world, there are many ways to collect and store personal information. The problem is that this information is not always secure. It can be stolen or leaked, which can lead to identity theft. There’s also the challenge of collecting said info. The issue of its complexity added to the speed and regularity in which companies compile said information. Right now, companies collect PII on their users every single second, so much so that in many cases, the companies themselves are unaware that they have such a prodigious stream of data entering their networks.
There are many benefits to continuous and automated PII detection.
Privacy Laws
One of the benefits of continuous and automated
PII detection is that it helps ensure that companies are complying with privacy laws such as GDPR in the EU or the Canadian Privacy Act. Every country, including the United States, have incredibly detailed stances on what constitutes PII and how it can be used, collected, and safeguarded by companies. The US, for example, has the Privacy Act of 1974, along with the HIPAA – The Health Insurance Portability and Accountability Act. These are just two of the many privacy laws the US has instituted over the years.
For software creators, depending on the industry they work for, PII automatic detection might not be a luxury but an essential part of their MO. There’s a difference between creating supercilious game apps, to coding critical medical applications whose features are constantly amassing important sensitive data on a user.
Data Breaches
Another benefit is that it helps protect against data breaches by identifying where the vulnerabilities lie in a company’s system.
Visibility
The total amount of data captured, copied, or consumed globally by the year 2020 was over 64.2 zettabytes. Daily we generate as a species over 2.5 quintillion bytes of data. On average, every human creates at least 1.7 MB of data per second. Not all that data is relevant, and not all that data is picked up or collected by your systems, but a vast amount – if the user interacts with your programs daily – does flow into your digital coffers. A fraction of that stream has sensitive data, among that data PII data points. Statistics have shown that most companies are unaware of their digital surface – how much actual digital landscape they encompass. They are ignorant of the data they are amassing, and in many cases have no idea where said data is being funneled to.
PII detection software allows companies to get a more detailed view of their digital surface — giving them the ability to tally all that sensitive data and create procedures on how to properly address and protect it.
Structured and Unstructured data
In data science, there are two types of data — structured and unstructured. The former is data that has been labeled, managed, and organized in a varied protected format. The latter is basically all that information that fell through the cracks and is running loose in our systems. The challenge is that most companies have more unstructured data than structured. The input of data into systems is so vast and works at such a rapid pace that companies can’t keep up. Billions of small files, the byproduct of IoT devices and business systems, flood our networks. Among that data, there is a huge amount of PII. Automated PII detection pinpoints and collects all that data simply flooding in the unprotected ether of our networks — data that is extremely valuable to criminals and that is our responsibility to protect.
How to choose PII detection software?
There are a lot of factors to consider when choosing the right PII detection software. It’s often a complex issue. Still, at their most basic companies have to analyze two critical pain points when it comes to PII software and how it might affect their metrics — how it might help them.
Type of Data
The first thing to consider is the type of data you want to protect.
There are four types of data:
- Personal Information: Names, addresses, phone numbers, and social security numbers.
- Protected Health Information (PHI): Medical records and other health information.
- Financial Information: Bank account numbers, credit card numbers, and so on.
- Intellectual Property (IP): Copyrights, patents, and trademarks.
The more sensitive, the more said data needs to be protected. Not only because it can be used against your users as well as your systems, but because legislation and industry standards demand it.
Sensitivity of Data
The second thing to consider is the level of sensitivity of your data. If it’s sensitive enough for a breach to be catastrophic for your company or organization then you need more than just PII protection software but also DLP software.