
How to Protect PII with Data Loss Prevention

Personally Identifiable Information (PII) is the most targeted and regulated data category worldwide. Data Loss Prevention (DLP) protects PII by identifying, monitoring, and restricting sensitive data across endpoints, networks, and cloud services. By controlling data movement, enforcing policy, and supporting compliance with GDPR, HIPAA, PCI DSS, and CCPA, DLP reduces insider risk and prevents unauthorized disclosure.

What is PII?

Personally Identifiable Information (PII) is a type of data that allows for an individual to be identified. It includes any information relating to a specific individual, such as name, gender, address, social security number (SSN), date of birth, financial information, passport number, telephone numbers, and email addresses.

The National Institute of Standards and Technology (NIST) defines PII as: “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” This broad definition also covers IP addresses, biometric identifiers, alien registration numbers (A-Numbers), geographic location data, social media posts, and similar data. Because of digitalization efforts across the world, most companies now collect or store PII, whether it belongs to their own employees or to the customers who purchase their products or services. The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information.

PII is also the most valuable type of data and therefore, the most sought after by cybercriminals. According to the Cost of a Data Breach report 2020 released by IBM and the Ponemon Institute, PII was compromised in 80% of all data breaches, making it the type of record most often lost or stolen. Customer PII was also the costliest type of data compromised in a data breach, averaging $150/record.

As a consequence, the new wave of data protection legislation spearheaded by the EU’s General Data Protection Regulation (GDPR) has made the protection of PII mandatory by law, imposing a number of restrictions on what companies can and cannot do with data and how it must be protected; companies that fail to do so face heavy fines. Depending on the type of organization and the industry, there are various regulations and standards for PII, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA).

How DLP helps to protect PII

Data Loss Prevention (DLP) solutions have emerged as an essential building block of compliance efforts and data security strategies. Focusing on safeguarding PII itself, rather than the system on which it is stored, DLP adds an extra layer of protection against cybersecurity breaches, particularly those that may be caused by the negligence or duplicity of employees. Let’s take a closer look at how sensitive data, including PII, can be protected using DLP.

1. Control how PII moves

The most important feature of DLP solutions is their ability to control the movements of sensitive information. DLP solutions use powerful content and contextual scanning tools to search hundreds of file types for such information, blocking and limiting their transfer based on policies when it is found.

Companies can prevent employees from copy-pasting, printing, or transferring personal data through unauthorized third-party services such as file sharing sites, personal email accounts, popular messaging apps, cloud services, or virtual coworking spaces. DLP solutions are an effective way to curb employee negligence and ensure that PII is not transferred through insecure channels.

2. Know exactly where PII is located

One of the major problems with protecting PII is that most companies are unaware of how employees use and store files containing sensitive PII as they perform their daily tasks. PII might be passed around between employees or stored locally on hard drives and then forgotten.

This is particularly dangerous for compliance efforts, as most data privacy regulations require PII to be stored only for as long as it is needed for the purpose for which it was originally collected. Data subjects in many countries now also have the right to request that their data, most often PII, be deleted from a company’s records. If information that should have been deleted, either upon a data subject’s request or because it was no longer needed, is found on a company network during an audit or made public in the wake of a data breach, the company can be penalized for noncompliance.

DLP solutions can be used to search locally stored data on the entire company network for files containing PII in general, but also particular PII an organization might need to delete for compliance reasons. When sensitive PII is found on a computer, remediation actions such as deletion or encryption can be taken.
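The two mechanisms described so far, content inspection that decides whether a transfer may proceed (section 1) and a data-at-rest discovery scan with a remediation report (section 2), share the same core: a detector that finds PII in text. The script below is an added illustration and is not code from the original article or from Endpoint Protector; it assumes a small in-memory set of constructed sample files, three constructed detectors (US SSN, email address, and payment card numbers validated with the Luhn checksum), and a hypothetical per-destination policy table with default deny for unknown channels. Every policy decision is written to an audit log with the matched values masked, which is the record a security team would later review for training and policy tuning.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for documents found on an endpoint.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire: Jane Doe, SSN 123-45-6789, email jane.doe@example.com",
    "finance/refund.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112",
    "docs/readme.txt": "Build instructions: run make, then make test.",
}

# Constructed detectors; a production engine would carry far more of these.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # 13-16 digits, optional separators
}

# Hypothetical policy: what to do when PII is about to leave via a given channel.
POLICY = {
    "corporate_email": "allow",
    "personal_webmail": "block",
    "file_sharing_site": "block",
    "usb": "block",
}

AUDIT_LOG = []  # one entry per transfer decision, with masked values only


@dataclass
class Finding:
    kind: str
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the log itself does not leak PII."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Content inspection: return every PII match in the text, masked."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", match)):
                continue  # digit run that is not a valid card number
            findings.append(Finding(kind, mask(match)))
    return findings


def check_transfer(path: str, text: str, destination: str, user: str) -> str:
    """Policy enforcement for data in motion: allow clean content anywhere,
    otherwise consult the policy table; unknown destinations default to block."""
    findings = scan_text(text)
    decision = "allow" if not findings else POLICY.get(destination, "block")
    AUDIT_LOG.append({
        "user": user, "path": path, "destination": destination,
        "decision": decision, "kinds": sorted({f.kind for f in findings}),
        "values": [f.masked for f in findings],
    })
    return decision


def discover(files: dict) -> dict:
    """Data-at-rest discovery: map each path holding PII to the kinds found,
    so an operator can pick a remediation (delete, encrypt, move)."""
    report = {}
    for path, text in files.items():
        kinds = sorted({f.kind for f in scan_text(text)})
        if kinds:
            report[path] = kinds
    return report


if __name__ == "__main__":
    for path, kinds in discover(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(kinds)}")
    print(check_transfer("hr/onboarding.txt", SAMPLE_FILES["hr/onboarding.txt"],
                         "personal_webmail", "jdoe"))
    print(AUDIT_LOG[-1])
```

Two design choices are worth noting. The card detector pairs a loose regular expression with a Luhn check, because the regex alone would flag invoice numbers and similar digit runs and bury real findings in false positives. The audit log stores only masked values: a DLP log that records the full SSN or card number it just blocked becomes a new copy of the PII it was meant to contain.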

3. Monitor PII movements

DLP solutions allow organizations to keep a close watch on the movements of PII in and out of the company network. Monitoring PII helps companies discover vulnerabilities within their information security strategies and how employees use PII as they perform their tasks.

With all attempts to violate policies automatically logged, organizations can identify bad security practices and organize training to address specific issues employees face in their day-to-day tasks. This can help boost efficiency in employee education and data protection strategies, reducing the overall cost of both.

4. Secure PII while working remotely

Most data protection laws require companies to continuously protect PII, which means there cannot be any interruption in the application of security policies. PII, therefore, needs to have the same level of protection when employees work from home as it does when they are in the office.

Some DLP solutions, like Endpoint Protector, are applied at the computer level, so their policies continue to be active even when a device is taken out of the office. Not only that, they will continue to protect data whether a computer is connected to the internet or not.

In conclusion

PII is the most targeted type of data in the world, and it is now companies’ legal obligation to protect it. DLP solutions offer an easy way to monitor and control its movements, restricting how PII is used and transferred by employees, helping to reduce security incidents caused by insider carelessness or malice.

Frequently Asked Questions

What is PII and why must it be protected?

Personally Identifiable Information (PII) is any data that can identify a specific individual, either directly or indirectly. It includes names, Social Security numbers, financial records, email addresses, biometric identifiers, and IP addresses. Protecting PII is essential because it is highly targeted by cybercriminals and regulated by laws such as GDPR, HIPAA, PCI DSS, and CCPA. Failure to safeguard PII can lead to identity theft, financial fraud, regulatory fines, and reputational damage.

How does Data Loss Prevention (DLP) protect PII?

Data Loss Prevention (DLP) protects PII by monitoring, detecting, and controlling the movement of sensitive data across endpoints, networks, and cloud services. DLP solutions use content inspection and contextual analysis to identify PII within files and communications, then enforce policies to block unauthorized transfers, copy-paste actions, printing, uploads, or email transmissions. This reduces the risk of accidental leaks and insider-driven data exfiltration.

Can DLP help with GDPR, HIPAA, and PCI DSS compliance?

Yes, DLP solutions support compliance with data protection regulations such as GDPR, HIPAA, PCI DSS, and CCPA by helping organizations control access to PII, monitor data usage, and enforce data handling policies. DLP tools assist with data discovery, breach prevention, audit logging, and ensuring PII is only retained for legitimate purposes. While DLP alone does not guarantee compliance, it plays a critical role in meeting regulatory safeguards and accountability requirements.

How can organizations protect PII for remote employees?

Organizations can protect PII for remote employees by deploying endpoint-based DLP solutions that enforce security policies regardless of location or network connection. Endpoint DLP tools monitor and restrict sensitive data transfers even when devices are offline, ensuring PII remains protected whether employees are working from home, traveling, or using personal networks. Continuous policy enforcement helps maintain compliance and reduces the risk of data exposure outside the corporate perimeter.
