With the proliferation of technology and digital devices in our daily lives, electronic communication through a multitude of applications has become a staple of the typical U.S. household. The Internet, email, text messaging and the many other conveniences offered by smartphones and computers are becoming a way of life. Their benefits are undisputed, but does the average individual really understand the trail of information left behind when using these devices and services? And what steps should be taken to keep that information safe and prevent its misappropriation?
It is well known that businesses regularly collect and disclose consumer data, both to benchmark their internal efficiency and to carry out their core mission. Data collection on consumers is not new: for decades businesses have sought information about consumers for marketing purposes.
Advances in technology have revolutionized the process by bringing ever-increasing speed and accuracy to the collection of this data. It is now possible, even without the consumer's knowledge, to track information as specific as whether a consumer uses laxatives or yeast infection products, the number of whiskey drinks consumed in the past month, and the number of miles traveled in the last four weeks.
Predicting Consumption Behavior
In the past, the information gathered was more generic in nature, but businesses are now taking it a step further by personalizing the data and using it to project a spending model and predict individual consumption behavior. To do that effectively they must capture information that ties a behavior pattern to a specific person. The information that links all of this to a real individual is called Personally Identifiable Information (PII).
The National Institute of Standards and Technology (NIST), in Special Publication 800-122, defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Individual and Organizational Hazards
Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include embarrassment, blackmail and identity theft, whereas organizational harms include legal liability, remediation costs, and loss of public trust. Each organization’s legal obligations for PII protection vary with the nature of its business and the U.S. laws and regulations governing its conduct. NIST recommends a risk-based approach to protecting the confidentiality of PII and provides guidelines for it. To protect PII effectively, NIST recommends that organizations:
• Identify all PII residing in their environment.
• Minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
• Categorize their PII by the PII confidentiality impact level.
• Apply the appropriate safeguards for PII based on the PII confidentiality impact level.
• Develop an incident response plan to handle breaches involving PII.
• Encourage close coordination among their chief privacy officers, senior officials for privacy, chief information officers, chief information security officers, and legal counsel when addressing issues related to PII.
See NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), for the full guidelines.
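As an added worked example (not from the article and not code from NIST SP 800-122), the following Python sketch applies the first four recommendations above to a handful of constructed records: it inventories the fields that hold PII using the two halves of the NIST definition, assigns a simplified confidentiality impact level, and produces a minimized copy in which only the fields needed for a stated purpose are retained and any retained identifier is replaced by a keyed pseudonym. The field lists, the regular expressions, the impact heuristic, the sample records and the demo key are all assumptions made for illustration.

```python
"""PII discovery, impact triage and minimization over constructed sample records."""
import hashlib
import hmac
import re

# Field names mapped onto the two halves of the NIST SP 800-122 definition:
# (1) information that distinguishes or traces an individual's identity, and
# (2) other information linked or linkable to an individual.
# These sets are an illustrative assumption, not an exhaustive NIST list.
DISTINGUISHING_FIELDS = {"name", "ssn", "dob", "email", "phone", "mothers_maiden_name"}
LINKED_FIELDS = {"diagnosis", "salary", "employer", "school"}

# Value-based detectors catch identifiers hiding in free text or oddly named columns.
# Patterns are deliberately simple; a production scanner would validate further.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


def find_pii_fields(record):
    """Step 1 (identify): return {field_name: category} for every field holding PII.

    category is "distinguishing" or "linked". Matching is by column name first,
    then by value pattern, so an email pasted into a 'notes' column is still found.
    """
    found = {}
    for key, value in record.items():
        name = key.lower()
        if name in DISTINGUISHING_FIELDS:
            found[key] = "distinguishing"
        elif name in LINKED_FIELDS:
            found[key] = "linked"
        elif isinstance(value, str):
            if any(rx.search(value) for rx in VALUE_PATTERNS.values()):
                found[key] = "distinguishing"
    return found


def impact_level(pii_fields):
    """Step 3 (categorize): a simplified confidentiality impact level.

    SP 800-122 asks organizations to weigh identifiability, quantity, field
    sensitivity, context of use and legal obligations; this heuristic (an
    assumption for the example) rates an identifier combined with linked data
    as High, an identifier alone as Moderate, and linked data alone as Low.
    """
    kinds = set(pii_fields.values())
    if "distinguishing" in kinds and "linked" in kinds:
        return "High"
    if "distinguishing" in kinds:
        return "Moderate"
    if "linked" in kinds:
        return "Low"
    return "None"


def minimize(record, needed_fields, pseudonym_key):
    """Steps 2 and 4 (minimize, safeguard): keep only the fields the business
    purpose needs and replace any retained identifier with a keyed pseudonym.

    HMAC-SHA256 under a secret key keeps records joinable inside the
    organization while the raw identifier is no longer stored; without the key
    the pseudonym cannot be brute-forced back from the small SSN value space.
    """
    pii = find_pii_fields(record)
    minimized = {}
    for key, value in record.items():
        if key not in needed_fields:
            continue  # collected but not required for the purpose: do not retain
        if pii.get(key) == "distinguishing":
            digest = hmac.new(pseudonym_key, str(value).encode(), hashlib.sha256)
            minimized[key] = digest.hexdigest()[:16]
        else:
            minimized[key] = value
    return minimized


# Constructed sample records (fictitious data for the example).
SAMPLE_RECORDS = [
    {"name": "Jane Example", "ssn": "123-45-6789", "dob": "1980-04-02",
     "notes": "reach her at jane@example.com", "diagnosis": "seasonal allergies",
     "purchase_total": 42.17},
    {"customer_id": "C-1001", "zip": "10001", "purchase_total": 17.50},
]


def scan(records):
    """Inventory every record: which fields hold PII and the resulting impact level."""
    return [(find_pii_fields(r), impact_level(find_pii_fields(r))) for r in records]


if __name__ == "__main__":
    for pii, level in scan(SAMPLE_RECORDS):
        print(level, pii)
    # Retain only what an (assumed) allergy-study report needs, under a demo key.
    print(minimize(SAMPLE_RECORDS[0], {"ssn", "diagnosis"}, b"constructed-demo-key"))
```

The first record scores High because a government identifier sits beside medical information, while the second holds nothing the scanner recognizes as PII. The minimized copy keeps the diagnosis and a pseudonym for the SSN; the name, date of birth and free-text notes are dropped rather than protected, which is the point of the minimization step. In a real deployment the pseudonym key would live in a key management system, and the field lists and patterns would be tuned to the organization's own data inventory.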