Google Assisting in Personally Identifiable Information Removal

Secure your business with CyberHoot Today!!!

Sign Up Now

In late April 2022, Google announced they’ve enabled new options for removing Personally Identifiable Information (PII) from Google Searches. Google is expanding the types of data people can ask to have removed from search results to include personal contact information like your phone number, email address, or physical address. The move comes just months after Google rolled out a new policy enabling people under the age of 18 (or a parent/guardian) to request the removal of their images from Google search results.

Remove Personally Identifiable Information (PII) or Doxxing content from Google Search

Google may remove personally identifiable information (PII) that has the potential to create significant risks of identity theft, financial fraud, harmful direct contact, or other specific harms. This includes doxxing, which is when your contact info is shared online in a malicious way such as encouraging others to swat someone. This is when someone calls the police falsely claiming an intruder or armed individual is at the target (swatted) residence.

Google evaluates each request based on the criteria listed below and evaluates the content for public interest. As a result, Google may:

• Remove the provided URL(s) for all queries,
• Remove the URL(s) for only queries including your name, or
• In some circumstances, deny your request.

Requirements

For Google to consider the content for removal, it must pertain to the following types of information:

• Confidential government identification (ID) numbers like U.S. Social Security Number, Argentine Single Tax Identification Number, Brazil Cadastro de Pessoas Físicas, Korea Resident Registration Number, China Resident Identity Card, etc.
• Bank account numbers
• Credit card numbers
• Images of handwritten signatures
• Images of ID docs
• Highly personal, restricted, and official records, like medical records
• Personal contact info (physical addresses, phone numbers, and email addresses)
• Confidential login credentials

Google’s New Feature

Google has for years accepted requests to remove certain sensitive data such as bank accounts or credit card numbers from search results. In a blog post, Google’s Michelle Chang wrote that the company’s expanded policy now allows for the removal of additional information that may pose a risk for identity theft, such as confidential log-in credentials, email addresses, and phone numbers when it appears in search results.

“When we receive removal requests, we will evaluate all content on the web page to ensure that we’re not limiting the availability of other information that is broadly useful, for instance in news articles. We’ll also evaluate if the content appears as part of the public record on the sites of government or official sources. In such cases, we won’t make removals.”

– Michelle Chang

Google’s removal of a search result from its index will do nothing to remove the offending content from the site that is hosting it, but getting a link from Google search results is going to make the content at that link far less visible. According to recent estimates, Google has around 92 percent market share in search engine usage.

How to Request PII Removal

Those looking to remove PII from Google’s searches must have the links to those public pages that contain sensitive information. Once you have those details, you can start filling out the form. 

After you fill out the form the following will happen:

1. You get an automated email confirmation. This confirms Google received the request.
2. Google reviews your request. Each request is evaluated on factors including the requirements listed.
3. Google gathers more information if needed. In some cases, Google may ask you for more information. If the request doesn’t have enough information for Google to evaluate, like missing URLs, they’ll share specific instructions and ask you to resubmit the request.
4. You get a notification of any action taken.
   • If the submitted URLs are found to be within the scope of Google’s policy, either the URLs will be removed for all queries or the URLs will be removed only from search results in which the query includes the complainant’s name, or other provided identifiers, such as aliases.
   • If the request doesn’t meet the requirements for removal, they’ll also include a brief explanation. If your request is denied and later you have additional materials to support your case, you can re-submit your request.

What does this mean for an SMB?

It may be a good educational exercise for your SMB employees to Google Search their PII details (name, phone numbers, addresses, etc.) and see if anything comes up. If they find information that is alarming, they can simply follow the instructions listed above, or head to Google’s Support page for PII removal.  

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

Sources: 

Krebs Security

Google

Additional Reading:

Trello Exposing Personal Identifiable Information (PII)

Related Terms:

Personal Identifiable Information (PII)

CyberHoot does have some other resources available for your use. Below are links to all of our resources, feel free to check them out whenever you like: 

• Blog
• Cybrary (Cyber Library)
• Infographics
• Newsletters
• Press Releases
• Instructional Videos (HowTo) – very helpful for our SuperUsers!

Note: If you’d like to subscribe to our newsletter, visit any link above (besides infographics) and enter your email address on the right-hand side of the page, and click ‘Send Me Newsletters’.