Personal Identity Information or Personally Identifiable Information (PII) is information that permits the identity of an individual to be directly or indirectly inferred. An example of PII would be a person’s full name combined with a Social Security Number, passport number, or email address. Personally Identifiable Information is often found on public websites including your Full Name combined with your zip code, race, gender, address, and date of birth.
Pro Tip: CyberHoot suggests answering challenge questions, used by websites to help you recover access to an online account, with made-up answers. Just be sure to save the bogus answer in your password manager. It's too easy for hackers to find our true PII on various public websites and break back into our online accounts if we tell the truth on PII Q&A.
Multiple data protection laws such as the General Data Protection Regular (GDPR) and the California Consumer Protection Act (CCPA) have been adopted by various countries and US states to create guidelines for companies who gather, store, process, and sell the PII of their clients. The basic principles outlined by these laws provide restrictions and rights to consumers for managing and controlling access to their own sensitive information (PII). Most of these privacy laws allow users to ask the following questions or make these demands of companies:
- What data do you have about me?
- Don’t sell my data to any 3rd parties.
- Delete or correct my data.
And many more rights beyond these few above. For details see CyberHoot’s CCPA and GDPR cybrary pages.
What Does This Mean For My SMB?
Legislation is in place throughout most of the world, so businesses should focus on examining their local country’s (or state’s) data privacy rights. Once you understand your legal obligations in your own home country or state, you’ll want to develop each of the following:
- a breach notification plan.
- A website privacy policy that outlines what data you collect, and how to inquire about that data.
- An authentication and response plan to privacy requests from consumers (if you do collect PII on consumers).
THE IMPORTANCE OF A BREACH NOTIFICATION PLAN
It’s very important to have a plan to notify any users and applicable agencies involved in a data breach. The time to work out how to notify and what the applicable home country laws and requirements are is not during a breach but before one. In the US exists a patchwork quilt of data privacy laws by individual states. There is no federal law in effect. In preparing your breach notification process, make sure you seek outside counsel and expertise to help you comply with each state you may have data on (or country as the case may be).
DATA PRIVACY REGULATIONS BY COUNTRY (A SAMPLE):
- European Union’s General Data Protection Regulation (GDPR)
- California Consumer Protection Act (2018)
- Australia’s Privacy Amendment (Notifiable Data Breaches) Act of 2017
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Germany’s Data Privacy Law Compared to GDPR (BDSG)
CyberHoot recommends you know the laws affecting your company and you prepare a Breach Notification process document reflecting those laws. Don’t forget to test the process annually as well.
A Website Privacy Policy
Companies that collect, process, and store PII on consumers should call that out in an online privacy policy. CyberHoot provides a template for adoption to all subscribers to our product. This outlines establishing a Data Protection Officer email address for data privacy inquiries by consumers and an authentication process to validate the legitimacy of the request.
Importance of Authenticating Data Privacy Requests
Let’s say your company is a hotel. You receive a request email to DPO@HotelName.com for all the dates you stayed at that hotel from John Doe during the past year. The email states this is a GDPR request and you have every right to the answer. It came from JaneDoe@Emailprovider.com. Should you respond? No. Jane Doe has no right to John Doe’s information under GDPR or CCPA or any other legislation. Your authentication process must engage via a unique identifier which is typically the email address owned by the person making the request. Under privacy legislation, you are required to verify the identity of the privacy requestor before providing any PII Data back.
SMB PROTECTIONS BEYOND Data Privacy Regulations
CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years
If you would like to learn more about this topic, watch this short video:
Source: NCSD Glossary, CNSSI 4009, GAO Report 08-356, as cited in NIST SP 800-63 Rev 1, Investopedia
Secure your business with CyberHoot Today!!!
CyberHoot does have some other resources available for your use. Below are links to all of our resources, feel free to check them out whenever you like:
- CyberHoot’s Blog
- Cybrary (Cyber Library)
- Infographics by CyberHoot
- CyberHoot’s Monthly Newsletters
- CyberHoot Press Releases
- CyberHoot Platform Instructional Videos (HowTo) – very helpful for our Super Users!
Note: If you’d like to subscribe to our newsletter, visit any link above (besides infographics) and enter your email address on the right-hand side of the page, and click ‘Send Me Newsletters’. Sign up for the monthly newsletter to help CyberHoot with its mission of making the world ‘More Aware and More Secure!’