Between 2017 and 2018, the amount of compromised personally identifiable information (PII) jumped 126 percent as more than 446 million records were exposed. While no security technology can prevent every breach, organizations can reduce risk by educating employees about PII and creating a culture in which IT security and data protection are shared responsibilities among all users.

PII is data that can be used to identify an individual, either on its own or when combined with other data. For example, a person’s name, home or email address, phone number, date of birth, Social Security number, passport number, driver’s license number, login credentials, and biometric data such as fingerprints or a retina scan can be used to identify someone. Data such as a first or last name, location, race, gender, age range, and medical or financial information can be combined with other data to zero in on a person’s identity.

Keep in mind that different types of information might be considered PII in different contexts. In healthcare, HIPAA (Health Insurance Portability and Accountability Act) regulations are intended to safeguard protected health information (PHI), which includes patient medical records. However, compliance with HIPAA doesn’t necessarily ensure compliance with Payment Card Industry (PCI) security standards that protect payment cardholder data.

The General Data Protection Regulation (GDPR), which was developed to protect the PII of European Union citizens, has raised the bar in terms of strict requirements and financial consequences for noncompliance. According to the GDPR, IP addresses, social media posts, digital images, location data, and other information fall under the umbrella of PII. 

Unlike the EU, the U.S. does not have a single standard or regulation for protecting all types of PII. In addition to industry-specific regulations, the rules vary from state to state. 

PII is often exposed because individual users store the data on their devices or in unsanctioned cloud platforms. A June data breach at Oregon State University was traced to an employee’s hacked email account, which contained the PII of 636 students and their families.

Centralized control of PII for security and compliance will reduce the risk of exposure, but organizations must make sure the proper protections are in place. For example, the Maryland State Department of Education recently found that the PII of 1.4 million students and 233,310 teachers was stored in plain text in databases and applications. Fifteen servers were running programs that hadn’t been updated since 2015, and some computers were running software from 2008.

A recent survey of healthcare organizations by Netwrix found that no respondents – zero percent – had classified all of their data that was stored in the cloud. Thirty percent were not encrypting their cloud data, and 26 percent had experienced a security incident involving cloud data in the past year.
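Classifying stored data, which the survey above found most organizations had not finished, starts with recognizing the identifiers the article lists: direct identifiers (SSN, email address, phone number, IP address, date of birth) that identify someone on their own, and quasi-identifiers (name, location, gender, age range) that identify someone in combination. The following scanner is an added example written for this page, not code from the article or from Netwrix; the regular expressions are assumptions for US-style formats, the classification levels ("restricted", "confidential", "internal") are an invented labelling scheme, and the sample records are constructed. It also redacts direct identifiers before text reaches a log or ticket, the plain-text storage problem the Maryland case illustrates.

```python
import re

# Direct identifiers named in the article. The patterns are assumptions for
# this example (US-style formats) and are not a complete or authoritative list.
DIRECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date_of_birth": re.compile(
        r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"
    ),
}

# Quasi-identifiers: harmless alone, identifying when several are combined.
# Field names are assumed for this example.
QUASI_FIELDS = {"first_name", "last_name", "city", "zip", "gender", "age_range", "race"}


def find_direct_identifiers(text):
    """Return the set of direct-identifier kinds found in a string."""
    return {kind for kind, pat in DIRECT_PATTERNS.items() if pat.search(text)}


def classify_record(record):
    """Assign a handling level to one record (a dict of field -> value).

    'restricted'   : contains at least one direct identifier
    'confidential' : no direct identifier, but two or more quasi-identifiers
                     (enough to single a person out by combination)
    'internal'     : neither
    The level names are an invented scheme for this example.
    """
    direct = set()
    for value in record.values():
        direct |= find_direct_identifiers(str(value))
    quasi = QUASI_FIELDS & set(record)
    if direct:
        level = "restricted"
    elif len(quasi) >= 2:
        level = "confidential"
    else:
        level = "internal"
    return {"level": level, "direct": sorted(direct), "quasi": sorted(quasi)}


def redact(text):
    """Replace each direct identifier with a type tag so free text that is
    logged, emailed or pasted into a ticket does not carry plaintext PII."""
    for kind, pat in DIRECT_PATTERNS.items():
        text = pat.sub(f"[{kind}]", text)
    return text


# Constructed sample records; the values are fictitious.
SAMPLE_RECORDS = [
    {"first_name": "Alice", "last_name": "Example",
     "email": "alice@example.com", "ssn": "123-45-6789", "dob": "1990-05-17"},
    {"first_name": "Bob", "city": "Portland", "zip": "97201", "gender": "M"},
    {"ticket": "Printer on floor 3 is jammed"},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
    print(redact("Call 503-555-0123 or mail alice@example.com, SSN 123-45-6789"))
```

Run against an export of a database table or a cloud storage listing, `classify_record` gives each row a level that can drive the encryption and access decisions the article calls for, and `redact` is the filter to put in front of any logging path. The patterns err on the side of flagging too much (an IPv4 pattern also matches version strings, for instance), which is the right failure mode for a classification pass that a person will review.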

Technology must be part of the equation, but user training is critical to protecting PII and avoiding the penalties and potential lawsuits that stem from noncompliance. Let us help you develop a security program that educates users about what PII is, best practices for protecting PII, and the consequences of a data breach.