The Importance of Protecting Personally Identifiable Information (PII)

The effects of a data breach can be devastating for any business and can reach far beyond the incident itself. Target estimated the cost of its payment card breach, net of insurance reimbursement, at $105 million. In addition, data on 40 million credit and debit cards and 70 million other customer records, including email addresses and phone numbers, were stolen. The breach was serious enough that the CEO resigned.

The Ponemon Institute released a report in September 2014 indicating that 43% of businesses had experienced a data breach in the past year, a 10% increase over the previous year. It is not a matter of whether your business will be attacked, but when. According to the report, breaches are growing in scale, and more than 80% of them were attributed to employee negligence.

I think we will see a flood of lawsuits involving PHI data breaches, and with the strict HIPAA rules in place, medical practices and their business associates can expect to pay exorbitant penalties.

Companies need to protect PII, PHI and PCI data from both internal and external threats, and they should store only the information that is critical to operating the business or that they are legally required to retain, so that less is exposed if their data is breached.

Personally identifiable information (PII) is information that can be used to identify a single person, either alone or in combination with other information. The National Institute of Standards and Technology (NIST) Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." For example, a user's IP address recorded in a communication exchange is classified as PII, whether or not it can identify the person on its own.

Protected health information (as defined by HIPAA.COM) means individually identifiable health information, whether oral or recorded in any form or medium, that is:

· Created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

· Related to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and that either

(i) identifies the individual; or

(ii) provides a reasonable basis to believe that the information can be used to identify the individual.

Payment Card Industry (PCI) compliance means adhering to a set of specific security standards, the PCI Data Security Standard (PCI DSS), developed to protect card information during and after a financial transaction. According to TechTarget, PCI compliance is required by all the major card brands, and according to the PCI Security Standards Council, the standard is organised into six goals covering twelve requirements:

1. Build and maintain a secure network

· Install and maintain a firewall configuration to protect cardholder data

· Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect cardholder data

· Protect stored cardholder data

· Encrypt transmission of cardholder data across open, public networks

3. Maintain a vulnerability management program

· Use and regularly update anti-virus software

· Develop and maintain secure systems and applications

4. Implement strong access control measures

· Restrict access to cardholder data by business need to know

· Assign a unique ID to each person with computer access

· Restrict physical access to cardholder data

5. Regularly monitor and test networks

· Track and monitor all access to network resources and cardholder data

· Regularly test security systems and processes

6. Maintain an information security policy

· Maintain a policy that addresses information security for all personnel

The costs associated with a data breach and the resulting loss of PII, PHI and/or PCI data can be devastating for any organization, regardless of its size. These costs come in the form of financial penalties and loss of reputation and, in some cases, prosecution.

Reputation is one of the most important and valuable assets of an organization and is inseparable from brand image. In surveys conducted by the Ponemon Institute, respondents estimated that their brand value would fall by 21% if 100,000 confidential consumer records were lost in a data breach, and that it would take about a year to restore the organization's reputation. Breaches involving confidential employee records or confidential business information can be just as harmful to an organization.

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have passed legislation requiring private or governmental entities to notify individuals of security breaches involving their PII. Some states have gone further and enacted legislation that requires companies to proactively implement security measures to protect PII before a data breach occurs.

Protecting PII, PHI and PCI in an Enterprise Content Management System

It goes without saying that all data in databases, files and applications, and all data in transit, must be secured and encrypted. Equally important is to purge files and data that are no longer required to be retained under the applicable laws and regulations, and to redact PII, PHI and PCI data from what remains.

The PII collected by companies and government agencies is stored in various formats, either digitally or on paper. At least 32 states and Puerto Rico have passed laws requiring entities to destroy, dispose of, or otherwise render PII unreadable or undecipherable when it is no longer needed.

There is growing awareness that data must be protected at the source, not just at the perimeter.

Document redaction, especially of unstructured documents, can be a very challenging exercise and should be entrusted to a content management software and development company that is competent and experienced in developing and integrating redaction software and workflows that automate the redaction process.
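As an added example (not code from the original article, and not any vendor's product), the following Python script redacts the common PII and PCI patterns from a constructed sample of unstructured text, the kind of content an automated redaction workflow has to process. It goes slightly beyond the paragraph above: candidate card numbers are validated with the Luhn check so that other 13 to 19 digit identifiers (invoice numbers, claim references) are not mangled, and a validated card number is masked to its last four digits rather than deleted outright. The sample text, the pattern set, the context-keyed date-of-birth rule and the placeholder tokens are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample document; none of these identifiers belong to a real person.
SAMPLE = (
    "Patient John Doe (DOB 03/14/1975, SSN 123-45-6789) was seen on 2014-09-02.\n"
    "Bill the visit to card 4111 1111 1111 1111, exp 11/19. Invoice no. 1234 5678 9012 3456.\n"
    "Contact: john.doe@example.com or 555-867-5309. Claim ref 4242424242424241."
)

# Detection rules (assumed for the example). Order matters: card numbers are
# handled first so that a 3-3-4 grouped PAN fragment is never mistaken for a phone.
PATTERNS = {
    "CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),          # 13 to 19 digits, optional separators
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"(?<=\bDOB )\d{2}/\d{2}/\d{4}"),       # date only counts as PII when labelled DOB
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str          # which rule fired
    replacement: str   # the token written into the redacted text


def redact(text: str) -> tuple[str, list[Finding]]:
    """Return (redacted text, audit list). Candidate card numbers that fail
    the Luhn check are left untouched; everything else is replaced by a token."""
    findings: list[Finding] = []

    def make_sub(kind: str):
        def sub(m: re.Match) -> str:
            raw = m.group(0)
            if kind == "CARD":
                digits = re.sub(r"\D", "", raw)
                if not luhn_valid(digits):
                    return raw                      # not a PAN, leave it alone
                repl = f"[CARD ****{digits[-4:]}]"  # keep last four for reconciliation
            else:
                repl = f"[{kind}]"
            findings.append(Finding(kind, repl))
            return repl
        return sub

    out = text
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(make_sub(kind), out)
    return out, findings


if __name__ == "__main__":
    redacted, audit = redact(SAMPLE)
    print(redacted)
    for f in audit:
        print(f"redacted {f.kind:5} -> {f.replacement}")
```

Run as is, the script leaves the invoice number and the claim reference intact because both fail the Luhn check, while the card, SSN, date of birth, phone and email are replaced. Note what regular expressions cannot do: the patient's name is still in the output, and catching names in free text needs a dictionary or a named-entity model, which is one reason the paragraph above recommends specialist tooling for unstructured documents.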

The HITECH Act increased the penalties for negligence in the security of PHI. At its core, the law requires organizations that handle PHI to meet a baseline standard of protection for data in transit, in use, at rest and at disposal. The HITECH Act is noteworthy because it defines what protecting PHI means and emphasises encryption of PHI.

The penalties for HIPAA violations and for data breaches involving PII, PCI and PHI can be devastating for any organization, and companies should spare no expense on HIPAA compliance training and on network and data security.