Simply defined, personally identifiable information (PII) is any information that can be used to identify a particular person. Examples include an individual’s full name, Social Security number, driver’s license or ID number, passport number, bank account numbers, e-mail addresses, IP addresses, and geolocation information. In 2008, Illinois led the way and became the first state in the U.S. to regulate the processing of biometric information, acknowledging the risks associated with the widespread application of biometric identifiers in business settings, e.g., to facilitate financial transactions, manage employee attendance records, or administer employee access to physical facilities or an organization’s digital assets. Data aggregators should be aware that processing of PII comes with government regulations aimed at protecting such PII from reasonably anticipated threats and unnecessary disclosures. If your business collects, retains, generates, uses, transforms, shares, or disposes of PII at any point in its operations, you should consider developing comprehensive information security management policies as part of your business plan and risk management strategy.
The Federal Trade Commission (the “FTC” or “Agency”) is the major cybersecurity federal enforcer in the United States. As of today, the FTC has not issued a single, legally binding, comprehensive federal regulation that would serve as the clear prevailing guideline for information security in the U.S. Businesses should turn to the filed complaints, final decisions, and consent decrees in the FTC’s past information security enforcement actions for guidance on what the Agency considers inadequate information security protection, and adjust their practices accordingly if necessary.
An increasing number of data processors rely on recognized information security standards published by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS) as guidelines for developing information security management programs to address administrative, technological, and physical PII security safeguards. Here, I will cover some of the general guidelines and recommendations of various U.S. federal and state government agencies, such as the Federal Trade Commission (FTC), the Health and Human Services Department (HHS), the New York Department of Financial Services (NY DFS), and the Massachusetts Department of Consumer Affairs (MA DCA) for creating comprehensive data security policies to protect PII from cybersecurity incidents. The FTC’s findings from its enforcement actions, combined with regulations passed by the states, are the main sources of the regulatory framework when it comes to securing PII in the U.S.
1. Industry-wide Standard Security Measures. A number of enforcement actions based on inadequate information security measures brought by the FTC in the last two decades were due to the failure of businesses to implement readily available industry-wide security applications. Processors of PII should consider employing widely used information security practices such as encryption, multifactor authentication for access, strong passwords, firewalls and SSL (Secure Sockets Layer), VPN (Virtual Private Network) for remote access, TLS (Transport Layer Security) for data transfers, etc. If your business commits in its Privacy and/or Information Security Policy to take reasonable steps to secure its clients’ PII, government regulators anticipate that the business will abide by its commitments and invest sufficient resources to implement reasonable information security measures.
2. Access Controls. The FTC recommends managing access to PII sensibly. Not all employees should have equal access rights to the information a business collects. A manager in a human resources department may have a permissible purpose to access other employees’ PII, such as Social Security number or date of birth. However, granting such access to an intern in the public relations department would not appear to be necessary or justifiable. Businesses must conduct comprehensive assessments to determine individuals who have a permissible “need to know.” Based on such assessments, organizations should be prepared to:
i) Develop clearance procedures to determine who must be granted access to what information.
ii) Implement access control policies efficiently, e.g., a Rule of Two for accessing sensitive PII.
iii) Set up internal procedures for sanctioning non-compliant employees.
Identifying and efficiently controlling who can justifiably access specific PII assets minimizes the risk that PII ends up in the wrong hands and is used for unauthorized purposes.
3. Segment Your Network. Not all information collected from data subjects, namely your customers and clients, is PII, and not all of it requires the same security measures. Knowing your information inventory and classifying information according to its level of sensitivity helps to prioritize the resources needed to safeguard it. The specific information security requirements imposed by the government typically depend on the type of information that a business processes. Data breach notification requirements often depend on the specific type of data that was accessed without authorization. It is recommended to keep more sensitive PII separate from other information and to implement more stringent security measures to protect it.
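The need-to-know assessment in section 2 and the sensitivity classification in section 3 can be made mechanical. The following is an added example, not code from the article or its author: a small policy-decision function in which each role is granted only the PII fields it has a permissible purpose for, fields classified as sensitive additionally require a second approver with their own need-to-know (the Rule of Two), and every decision, allowed or denied, is recorded so that non-compliant attempts can be reviewed. The roles, users, field names and tiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity tiers from a (constructed) data inventory. A real inventory
# would come from the business's own classification exercise (section 3).
SENSITIVE = {"ssn", "date_of_birth", "bank_account"}
INTERNAL = {"work_email", "job_title"}

# Need-to-know matrix (constructed): which role may read which fields.
# An HR manager has a permissible purpose for employee SSNs; a PR intern does not.
ROLE_PERMISSIONS = {
    "hr_manager": SENSITIVE | INTERNAL,
    "pr_intern": INTERNAL,
}

# Constructed directory of users and their single role.
USERS = {"alice": "hr_manager", "bob": "hr_manager", "carol": "pr_intern"}

# Every decision is appended here; denied entries feed the sanctioning
# procedure in section 2 (iii). In production this would be an append-only log.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _permitted_fields(user: Optional[str]) -> set:
    """Fields a user may read according to the role matrix (empty if unknown)."""
    return ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def evaluate(requester: str, field_name: str, approver: Optional[str] = None) -> Decision:
    """Decide whether `requester` may read `field_name`, applying need-to-know
    for all fields and the Rule of Two (distinct, equally cleared approver)
    for fields in the SENSITIVE tier. The decision is always audited."""
    if field_name not in _permitted_fields(requester):
        decision = Decision(False, "denied: no need-to-know for this field")
    elif field_name in SENSITIVE and approver is None:
        decision = Decision(False, "denied: Rule of Two requires a second approver")
    elif field_name in SENSITIVE and approver == requester:
        decision = Decision(False, "denied: approver must be a different person")
    elif field_name in SENSITIVE and field_name not in _permitted_fields(approver):
        decision = Decision(False, "denied: approver lacks need-to-know for this field")
    else:
        decision = Decision(True, "allowed")
    AUDIT_LOG.append((requester, field_name, approver, decision.allowed, decision.reason))
    return decision
```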
4. Designate an Information Security Officer. Information processing comes with accountability. Businesses must have at least one individual within the organization’s management structure who is responsible for creating, implementing, and keeping security policies up to date. In some states, cybersecurity regulations impose a requirement to appoint a Chief Information Security Officer (CISO). New York State Department of Financial Services Regulations passed in 2017 mandate covered financial institutions to have a CISO who is responsible for “compliance with the cybersecurity regulations and who must submit a written report to the Board of Directors, at least annually, that documents the company’s cybersecurity program and risks.” (N.Y. Comp. Codes R. & Regs. Tit. 23, Section 500.04).
5. Information Security Awareness Training. Once information security policies are developed, businesses should communicate them internally to the entire workforce and then conduct information security awareness training sessions. Periodic employee training might cover lessons learned from previous information security incidents, updates on the regulatory framework, and any developments with internal information security policies. All such training sessions should be tailored to the employees’ job responsibilities. Other potential topics covered in the sessions may include general information security reminders, summaries of the sensitive data inventory held by the business and a recap of specific baseline security measures employed to protect it, information about log-in monitoring, password management, emerging issues, and bring your own device (BYOD) policies.
6. Require Contractual Assurances from Third Parties. If your business uses third-party subcontractors, vendors, or service providers and such providers could have access to the PII of clients and customers in the process, you should require information security clauses in the contracts with such third parties. Typically, a primary PII collector is ultimately responsible if the information is used improperly. Requiring third parties to contractually ensure that they employ minimum information security standards should become one of the conditions to do business with you.
7. Preparedness for Information Security Incidents. Developing a proper data breach response plan should be an integral part of your information security policy. Once an information security incident is discovered and confirmed, an investigation to determine the scope and impact of the breach must be conducted and documented. The recovery plan and damage control measures should be implemented. In some data breach cases, affected data subjects and government agencies must be notified. Early preparation to adequately document post-incident efforts in compliance with government regulations is recommended.
8. Address Vulnerabilities Without Delay. Government regulators do not expect recommendations for information security measures and testing for known vulnerabilities to apply to all businesses uniformly. Businesses with more financial and human resources will be able to do more. Information security programs should be tailored to the size, scope, and type of business, the amount of data that is collected and stored, and the level of sensitivity of PII. Business enterprises with large repositories of sensitive information should be prepared to allocate more resources to protect their PII assets. One of the lessons learned from past FTC’s inadequate information security enforcement actions is that following data breaches, businesses must adjust their information security programs and address identified vulnerabilities without unreasonable delay. Failure to address such vulnerabilities promptly may attract unwanted attention from government regulators.
9. Collect Only What You Need. The data collection limitation principle is part of the Fair Information Practice Principles (FIPPs), which are considered the North Stars of data protection practice. Businesses are encouraged to limit the collection of PII to information that they need for some defined and justified purpose. There should be no intentional or accidental collection of PII without a clear purpose. Businesses are safe-keepers of the PII they collect. The less data that is collected, the less effort and the fewer resources are needed to protect it.
10. Dispose of Unnecessary PII. Once a business has used information for an intended purpose, it should put protocols in place to securely dispose of such information without delay. Storing sensitive data for no valid purpose exposes business entities to unnecessary risks. In the event of a data breach, storing less PII means that businesses will have to spend fewer resources to comply with data breach notification requirements. Some of the U.S. states have statutes that impose minimum information disposal requirements. It would not be considered reasonable to dispose of the sensitive PII in a way that such information may be later recovered by a third party and potentially used for an unauthorized purpose. If a third-party vendor is used to dispose of PII, such vendor shall contractually commit that it complies with minimum state requirements for PII disposal.
11. Develop Reasonable Physical Safeguards to Protect your PII. Information protection starts with securing access to the physical facilities where PII is stored. The following recommendations are mandated for PII processed within the healthcare sector but may be applied to any business with facilities storing PII:
i) Limit physical access to facilities.
ii) Establish contingency operations and plans for restoration of lost data.
iii) Develop procedures and policies to physically safeguard equipment and to prevent and limit physical access to the facilities.
iv) Document repairs and modifications to doors, locks, and other physical access components that lead to the physical location where data is stored.
v) Develop physical safeguards to restrict access to authorized users.
vi) Develop procedures to restrict physical removal and transit of devices that store PII.
12. Periodic Evaluations. Government regulations change, software companies issue security updates, lessons are learned from PII security incidents, and new and more effective information security standards are developed and made available by the information security industry. Therefore, regular evaluations of policies are necessary to identify new vulnerabilities that pose threats to PII assets. The risk of an incident may not be completely avoided. However, being up to date may significantly minimize exposure to such risk.
A rising number of data breaches and the increasing sophistication of criminal elements online have become a major concern to businesses struggling to keep up with mounting information security regulations and advances in the information security industry. Investing adequate time, financial and human resources in developing and implementing balanced information security policies may significantly minimize the likelihood of reasonably foreseeable information security incidents. In addition to costly post-breach compliance requirements, failure to act in a timely way exposes businesses to reputational risk as well. Data subjects are increasingly wary of the risks associated with sharing their PII with businesses. Not completing the necessary risk assessments and implementing the recommendations discussed above may also expose businesses to expensive and time-consuming enforcement actions from government authorities charged with policing data security violations and protecting PII. Being ahead of your competition when it comes to the protection of PII may give your business a competitive edge. Inaction when it comes to reasonably protecting PII is not an option.
Adomas Siudika is an associate attorney specializing in data privacy and cybersecurity strategy at Boodell & Domanskis LLC in Chicago, IL. He serves as the firm’s Chief Information Security Officer. Siudika’s research interests in data privacy include transparency by design and algorithmic accountability in artificial intelligence driven decision making, and operationalizing compliance with risk assessments mandated by algorithmic accountability.
Adomas served on the Board of Directors of Lithuanian American Bar Association as Vice President and was appointed by the Mayor of Chicago to serve as Vilnius committee member of Chicago Sister Cities International organization. Siudika is fluent in English and Lithuanian. He is moderately fluent in conversational Russian and has a basic knowledge of German and Italian.