How to Protect PII with Data Loss Prevention
Personally Identifiable Information (PII) is data that allows an individual to be identified. It includes personal information such as name, gender, address, social security, passport or telephone numbers, and email addresses. Due to digitalization efforts across the world, most companies nowadays collect or store PII, whether it is that of their own employees or of customers who purchase their products or services.
PII is also the most valuable type of data and therefore the most sought after by cybercriminals. According to the Cost of a Data Breach report 2020 released by IBM and the Ponemon Institute, PII was compromised in 80% of all data breaches, making it the type of record most often lost or stolen. Customer PII was also the costliest type of data compromised in a data breach, averaging $150/record.
As a consequence, the new wave of data protection legislation spearheaded by the EU’s General Data Protection Regulation (GDPR) has made the protection of PII mandatory by law, and any company that fails to do so faces heavy fines.
Data Loss Prevention (DLP) solutions have emerged as an essential building block of any compliance effort and data protection strategy. By focusing on the protection of PII itself, rather than the system on which it is stored, DLP adds an extra layer of protection against data breaches, particularly those that may be caused by the negligence or duplicity of employees. Let’s take a closer look at how PII can be protected using DLP.
Control how PII moves
The most important feature of DLP solutions is their ability to control the movements of PII. DLP solutions use powerful content and contextual scanning tools to search hundreds of file types for PII, blocking or limiting its transfer according to policy when it is found.
Companies can prevent employees from copy-pasting, printing, or transferring PII through unauthorized third-party services such as file sharing sites, personal emails, popular messaging apps, cloud services, or virtual coworking spaces. DLP solutions are an effective way to curb employee negligence and ensure that PII is not transferred through unsecured channels.
Know exactly where PII is located
One of the major problems with protecting PII is that most companies are unaware of how employees use and store files containing PII as they perform their daily tasks. PII might be passed around between employees or stored locally on hard drives and then forgotten.
This is particularly dangerous for compliance efforts, as most data protection regulations require PII to be stored only for as long as it is needed for the original purpose for which it was collected. Data subjects in many countries now also have the right to request that their data, most often PII, be deleted from a company’s records. If information that should have been deleted, either upon a data subject’s request or because it was no longer needed, is found on a company network during an audit or made public in the wake of a data breach, companies can be penalized for noncompliance.
DLP solutions can be used to search locally stored data on the entire company network for files containing PII in general, but also for particular PII an organization might need to delete for compliance reasons. When PII is found on a computer, remediation actions such as deletion or encryption can be taken.
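The content and contextual scanning described under "Control how PII moves" and the search of locally stored data described above can be sketched together as follows. This is an added example, not code from any DLP product: the two detector patterns, the masking format, the destination name "hr-system" and the function names are all assumptions chosen for illustration.

```python
import os
import re

# Illustrative detectors for two PII types the article names (assumed patterns).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ALLOWED_DESTINATIONS = {"hr-system"}  # hypothetical approved channel

def valid_ssn(area, group, serial):
    """Reject ranges never issued as US SSNs, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_pii(text):
    """Return (type, masked_value) findings so reports hold no raw PII."""
    findings = [("ssn", "***-**-" + m.group(3))
                for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    for m in EMAIL_RE.finditer(text):
        local, domain = m.group(0).split("@", 1)
        findings.append(("email", local[0] + "***@" + domain))
    return findings

def evaluate_transfer(text, destination):
    """Content (findings) plus context (destination) gives the decision."""
    findings = find_pii(text)
    blocked = bool(findings) and destination not in ALLOWED_DESTINATIONS
    return {"action": "block" if blocked else "allow", "findings": findings}

def discover(root):
    """Data-at-rest scan: map each file under root to its PII findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, worth logging in practice
            if hits:
                report[path] = hits
    return report

# Constructed sample content, not real data.
SAMPLE = ("Employee: Jane Roe, SSN 123-45-6789, jane.roe@example.com\n"
          "Order ref 000-12-3456 shipped.")

if __name__ == "__main__":
    print(evaluate_transfer(SAMPLE, "personal-webmail"))
```

The second line of the sample matches the SSN pattern but is rejected by the range check, which is the kind of validation that keeps order numbers and similar identifiers from triggering a policy.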
Monitor PII movements
DLP solutions allow organizations to keep a close watch on the movements of PII in and out of the company network. Monitoring PII helps companies discover vulnerabilities within their data protection strategies and how employees use PII as they perform their tasks.
With all attempts to violate policies automatically logged, organizations can identify bad security practices and organize training to address specific issues employees face in their day-to-day tasks. This can help boost efficiency in employee education and data protection strategies, reducing the overall cost of both.
Secure PII while working remotely
Most data protection laws require companies to continuously protect PII, which means there cannot be any interruption in the application of security policies. PII, therefore, needs to have the same level of protection when employees work from home as it does when they are in the office.
Some DLP solutions, like Endpoint Protector, are applied at the computer level so their policies continue to be active even when a device is taken out of the office. Not only that, they will continue to protect data whether a computer is connected to the internet or not.
PII is the most targeted type of data in the world and it is now companies’ legal obligation to protect it. DLP solutions offer an easy way to monitor and control its movements, restricting how PII is used and transferred by employees, helping to reduce security incidents caused by insider carelessness or malice.