PII requires protection for both legal and reputational reasons, but if a data breach occurs, will your company still be able to protect this sensitive data? What Is Considered PII? Personally identifiable information is any information that could be used to identify a specific individual; this includes Social Security numbers, full names, and passport numbers. These are typically regarded as the traditional forms of PII. However, with the increased digitization of society and with it our online identities, the scope of PII has expanded to include personally identifiable financial information, login IDs, IP addresses, and social media posts. PII Data Classification PII data classification is a central part of the PII identification process, and it can be used to broadly differentiate between sensitive and nonsensitive PII. Nonsensitive PII This is the type of PII that can be easily obtained from public sources like corporate directories, the internet, and phone books. It can also be transmitted in an unsecured form without harming the individual or exposing their identity. This type of data usually consists of the following: Gender Zip Code Date of birth Place of birth Ethnicity This obviously isn’t an exhaustive list. However, it underlines the type of information about a person that doesn’t pose any threat to their privacy when made public. Sensitive PII This consists of personal information whose public exposure can be harmful to the individual. The risk of exposure often results in identity theft that damages the individual’s credit or compromises their financial wellbeing. Examples of sensitive PII include the following: Social security number Passport number Driver’s license Mailing address Medical records Credit card information Banking and financial information Risk also extends to organizations when sensitive PII in their possession is leaked or compromised. The organization breached suffers reputational damage and is often burdened with noncompliance fines. As a result, sensitive PII needs to be stored securely, usually by using strong encryption mechanisms. What Are Non-PII Examples? There is some overlap between non-sensitive PII and what is generally considered non-PII. Though non-PII may relate to an individual, the information is so general it will not point to the individual’s identity. Non-PII examples include information such as race, religion, business phone numbers, place of work, and job titles. Although nonsensitive PII and non-PII may contain quasi-identifiers, this type of data alone cannot be used to confirm a person’s identity on its own. However, when nonsensitive data is combined or linked with other personal linkable information, it can be used to identify an individual. So businesses should still exercise caution with non-PII since reidentification and de-anonymization techniques can be applied on them. Especially through piecing together several sets of quasi-identifiers to distinguish individuals and reveal their personal identities. Therefore, organizations should ask themselves two questions regarding the sensitivity of their data: Identification: Can this specific piece of data on its own be used to identify an individual? Data combination: Can several unique pieces of data be pieced together to identify someone? PII is a very malleable term and the precise contours of its definition depend on where you live in the world. For instance, the United States government defines it as anything that can “be used to distinguish or trace an individual's identity,” such as biometric data, whether in isolation or in conjunction with other identifiers like date of birth or educational information. In Europe, its definition expands to include quasi-identifiers as listed in General Data Protection Regulation. Why Is PII Important? Identification mechanisms are crucial in a functional society to distinguish one person from another. The individual markers that PII provides are necessary to acquire and disseminate goods and services in a market economy. Not to mention its importance for ownership and acquisition of capital. For instance, without PII, it would be impossible to have meaningful medical records to facilitate public healthcare or grease the wheels of commerce with credit and banking information. PII is also important to criminals who can sell it for a handsome profit on the black market. Why Is Safeguarding PII Important? As highlighted in the last section, PII is necessary for the flow of goods and services in a society. However, if left unprotected, PII leads to identity theft and other forms of fraud. This is because hackers find PII to be an extremely valuable target due to the variety of criminal activity it allows them to perpetrate. Some of the potential harm suffered by individuals may include embarrassment, theft, and blackmail. Data breaches not only create legal liability for the organization but also reduce public trust in the organization. Due to these risks, PII should be protected from unauthorized access, usage, and disclosure to safeguard its confidentiality. However, PII creates privacy and data security challenges for organizations that collect, store, or process it. Therefore, the importance of PII also stems from its impact on the information security environments of organizations and the legal obligations this demands. PII Security Best Practices PII has become so valuable to enterprises and bad actors alike that it needs a special security framework to protect it both at rest and in transit. In addition to the traditional methods of encryption and identity access management, this framework also encompasses document security measures such as data loss prevention, digital rights management, and information rights management. DRM includes data security measures that protect PII within the boundaries of the corporate network or firewalls. But while DRM is important to PII, its overriding objective is locking down data, intellectual property protection, and the monetization that goes with it. IRM, however, is based on zero-trust security, which essentially means an implicit distrust of the user or platform that has access to the data. To achieve this, IRM accompanies the data wherever it goes. Here are the six practical ways to ensure the PII collected by your organization is secure: Discover and classify PII: This starts with identifying and classifying all the PII an organization collects, accesses, processes, and stores. It also involves locating where this data is stored, especially sensitive PII, to better understand how it can be protected. Establish an acceptable usage policy: This involves creating a framework of policies that guide how PII is accessed. One of its key benefits is serving as a starting point for enacting technology-based controls to enforce proper PII usage and access. Create the right identity access and privilege model: Enforcing usage rights and access controls with identity access management. Establish least-privilege models so users only access the data they need at a given moment. Implement robust encryption: Deploy strong encryption algorithms to protect PII at all times. Delete PII you no longer need: Ensure you don’t store PII you no longer need because it can pose compliance and vulnerability risks. Therefore, create a system for safely destroying old records without accidentally destroying viable ones. Create training procedures and policies for handling sensitive PII: Use training and policies to emphasize how various types of PII should be stored and protected. How to Safeguard and Enforce PII Compliance One of the first points of order to safeguard PII is to understand where it is located. Once a business knows where its PII resides, it can subsequently embark on the necessary mechanisms to prevent its unauthorized disclosure.

Having a Digital Rights Management tool can help your team collaborate in the cloud while meeting compliance needs and adhering to your organization's data security policies.

What Is Document Security? Document security is the procedures and storage protocols set up to protect either a physical or digital document which includes how it will be stored, shared, and discarded. This security is important so the owner can control who has access. Document security seeks to protect documents and comply with regulatory requirements for privacy and safety. It involves a file management process to restrict access, especially to sensitive or private content. File security entails managing these files securely however they are stored, processed, or transmitted to mitigate security threats. Why Is Document Security Important? Documents face a myriad of threats from many malicious actors. Thieves, cybercriminals, and organized crime syndicates want to steal identification details to gain access to financial gateways like bank account logins and credit card information. Confidential data provided to businesses by their customers and employees needs to be kept under tight privacy protocols. Businesses risk lawsuits and reputational damage if this information is compromised. Intellectual property is a competitive advantage on which the prosperity of companies and nations depends in an increasingly global marketplace. Therefore, organizations don’t want their business secrets and intellectual property to fall into the hands of competitors through espionage. All this valuable and sensitive information is invariably stored in digital documents. Document security seeks to prevent these incidents by protecting files from unauthorized access and reducing the risk of data loss, leakage, and exposure. Types of Document Security Different documents require different levels of protection. Overall, the type of security documents require are the five pillars of information assurance: Confidentiality: Confidentiality means the information in the file remains private. The secrecy required to shield the file’s content from those who aren’t authorized to view it is enforced with encryption. Integrity: Integrity ensures a file hasn’t been inadvertently or intentionally modified, whether at rest or during transmission. Hash functions use a hash value to verify the integrity of the data within the document. Availability: Adequate security measures ensure documents are available to authorized users when needed. This means that threats, like denial-of-service attacks, have to be thwarted to ensure documents on websites are available to those who need to access them. Authentication: Authentication compels those who attempt to access documents to prove that they are who they say they are. This requires robust identity management. Most organizations now implement multi-factor authentication to strengthen authentication. Nonrepudiation: This ensures that the parties involved in a transaction cannot deny their participation. Hence, a security system should be able to prove that someone sent, viewed, or modified a file. Nonrepudiation is achieved through digital signatures, logging, and audit trails. Components of Document Security A document protection system contains several components that facilitate its mission to protect documents. Some of these help to restrict access to only authorized users, while other components control permissions on who can modify a file. Here are the security components typically used in these security systems: Encryption and license controls: Encryption uses cryptographic algorithms and keys to scramble or encrypt a file’s content so that it becomes unreadable. Hence, only valid users and recipients, who possess the correct cryptographic key, can decrypt and view the file’s contents. Document rights management: DRM is a perimeter-based security model that seeks to protect documents and content from copyright infringements and intellectual property violations. Its objective is to restrict the access of digital content to only those who have assumed rightful ownership, typically through purchase or authorship. Document tracking: For a document to be truly protected, both within and outside the corporate perimeter, a business needs to have full visibility into its movement and chain of custody. One of the ways this visibility is achieved is through tracking the document to know who has accessed and viewed it and for how long these transactions have occurred. Password protection: From a user access perspective, enabling password protection is the first step in document protection. It is the first security barrier to prevent unauthorized access to files. Moreover, it is relatively simple to implement, although not entirely foolproof. Document expiry, restriction of access, and self-destruction: Limiting access to documents based on time duration and permissions provides immense advantages for security. Watermarking: Watermarking has several applications beyond the use as a trademarking device. One of its basic functions is to clearly communicate the document’s classification. Hence, it leaves the recipients with little doubt as to how the document should be treated. A document marked with a “confidential” watermark signals a certain degree of secrecy. Information rights management: Information rights management is a subset of DRM and it focuses on zero-trust security for collaborative files. Information Rights Management security travels with the document wherever it goes, equipped with identity access management techniques to ensure user permissions are enforced. Implementing Document Security at Each Stage of the Document Life Cycle There are several phases involved in document protection. At each stage of a file’s life cycle, organizations face the danger of the document being stolen, lost, or compromised. Therefore, businesses need to have full visibility into how their documents are produced, processed, stored, and consumed—i.e., throughout the entire document life cycle: 1. The Capture Phase This is the equivalent of the “onboarding” of information to produce the document. This phase encompasses creating and saving files in an application. Activities at this stage also include scanning to transfer hard copy documents to electronic format. 2. The Storage Phase Electronic-based document storage provides a lot of opportunities for centralized record management and better oversight. For instance, storage in database systems provides the capacity for search capabilities and normalization to reduce redundancy. 3. The Management Phase One of the most important things for file protection, especially in a distributed system is adequate management. Management helps to provide supervision and control over the document protection system. What facilitates security during this phase are user roles, permissions, version control, and audit trails. These elements have a way of reinforcing one another to provide all-around document protection management. Ultimately, without this phase of a document security system, elements like user permissions will be difficult to enforce. 4. The Preserve Phase Document preservation requires monitoring and maintenance of the digital repositories where they are stored. In most cases, file retention is required by law. And in some instances, documents are legally required to be preserved for a couple of years. 5. The Delivery Phase The delivery phase emphasizes sharing and collaboration. The delivery phase is important when it’s necessary to share information between contractors, allies, and other business partners. 6. The Integration Phase In the current digital economy, it’s imperative for applications and documents to be able to “play well” and collaborate with others. This is because there’s a certain specialization of roles and division of labor since a single application can’t supply all the expertise needed to support user aspirations. This is why there’s a proliferation of application program interfaces in software to facilitate integration between applications. Likewise, the integration phase allows files to communicate and exchange information with other applications. Document Security Measures That Every Business Needs Remote work and "bring your own device" have increasingly become part of the fabric of the modern workforce. Along with these paradigm shifts come more security risks because of an organization’s increased surface of attack exposure, thereby making their documents more vulnerable. Here are some of the security measures organizations can implement to address the challenge of workforce mobility: 1. Intrusion Detection Systems Malicious actors are using more sophisticated attack vectors that can operate in stealth mode. Most businesses don’t have a clue they have been breached, sometimes even months after the fact. Therefore, an added layer of document protection is justified by investing in an intrusion detection system to monitor your network. These systems alert you to suspicious behavior that is indicative of a system breach.

Organizations need to keep in mind international data protection law developments and how they affect compliance demands.

Hospitals and healthcare providers in the state have been failing to report ransomware attacks that impact health data belonging to patients.

Recent changes to Nevada’s privacy law, effective October 1, 2021, give residents a broader right to opt out of sales and puts the onus on "data brokers" to respond to such requests.

On Wednesday May 12, the Biden administration took a critical step towards addressing security issues that have come to light after several recent, high profile cyberattacks. The extensive Executive Order (EO) described the government's plan to increase cybersecurity protection across the public and private sectors as well as secure the nation's digital infrastructure against the type of attack that recently shut down the Colonial Pipeline, a critical source of fuel for the entire East Coast. The 30-page Executive Order on Improving the Nation’s Cybersecurity covers a plethora of cybersecurity issues. It describes how government agencies should evaluate the software they buy. It mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. And it calls for these agencies to adopt "Zero Trust" architectures and more secure cloud services. Let’s take a look at three of the key areas in the Order: Prioritize Zero Trust The EO mandates that executive branch federal agencies create "Zero Trust" environments. The administration says this is key to ensuring security when implementing cloud computing environments and services and modernizing the IT infrastructure of the federal government. The document notes that within 60 days, the agencies must update plans to prioritize the adoption and use of cloud technology as well as develop a plan to implement zero trust architecture. Adopting a Zero Trust mindset is not only a critical element of a robust cybersecurity posture, but also a popular one. This is primarily because it doesn’t innately trust any user or application until verified by multi-factor authentication (MFA) and also doesn’t require much CapEx to get off the ground. Zero Trust compliance ultimately rests on two main pillars: Strong identity and access management, and a mature data identification and classification framework. That means that to implement a true Zero Trust framework, organizations need to know everything about their sensitive data (including personally identifiable information, payment card information, intellectual property, and other sensitive data types): When it is created and by whom, where it is stored, and how and with whom it can be shared. Related reading: Why Zero Trust is So Hot Right Now - And How Titus Can Make it Happen Address Supply Chain Risks The EO notes that the commercial software used by federal agencies often lacks adequate controls to prevent attackers from gaining access and states the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. Within 30 days of the order's signing, the secretary of the Department of Commerce - acting through the director of the National Institute of Standards and Technology (NIST) - must solicit input from federal agencies, the private sector and academia. The government will then use this information to develop guidelines and criteria to evaluate software security and the best practices software developers must use. From recent events we know that no organization is immune to the risk of supply chain cyberattacks and data breaches, and those with especially large and complex supplier ecosystems are even more vulnerable. This has been exacerbated in recent months due to the pandemic and the expanded attack surface as a result of a more widely dispersed workforce. The main challenge here is that smaller organizations have neither the resources in personnel nor the capital to protect themselves and therefore the other organizations in the chain. Creation of a Cybersecurity Review Board The EO calls for establishing a "Cyber Incident Review Board" modelled on the National Transportation Safety Board. The positive is that the board’s membership shall include Federal officials and representatives from private sector entities. Therefore, in theory, this board should encapsulate the best of the public and private sectors, be unafraid to ask the ‘tough questions’ following a significant cyber incident and make concrete recommendations for improving cybersecurity. The challenge, however, is that the board will have to walk a fine line of complying with the Federal Advisory Committee Act, which forces boards like this to be "objective and accessible to the public," while also keeping the information it collects safe. Minimizing and Preventing Cyberattacks The goal of the EO is to modernize the government's IT infrastructure while creating a set of standards to help minimize the damage caused by cyberattacks. With aggressive timelines in tow and a clear directive to securely move to the cloud, this EO is arguably the most important step the President could have implemented. The three areas that we have highlighted in the EO all require organizations to take a more robust approach to data security. This is where Fortra data security platform can help, as our suite of products is designed to bring an organization’s data security policy into this modern hybrid reality with multiple ways of working with a highly distributed workforce. We have data security solutions that help ensure intellectual property and sensitive data is kept safe and secure. Our products run right across the various data protection requirements from classifying data inside the organization at the outset, through to detecting and preventing leaks of sensitive information outside the organization. As cyberthreats around the world continue to increase I am sure we will see more legislation and orders, like the EO, coming to the fore, therefore, demonstrating that you have a solid data security foundation in place and that you have layered security to help mitigate risk is going to be paramount. Keep your most sensitive data in the right hands​ SCHEDULE A DEMO

NIST has released new tools for defenders to protect sensitive information and mitigate state-sponsored hackers.

The figure, about 272.5 million euros, corresponds to 281,000 data breach notifications issued by regulators across Europe since GDPR went into effect.

If enacted, new federal rules would require banks to inform their primary federal regulator as soon as possible following a computer security incident.

NIST's latest guidance is geared towards preventing healthcare organizations that oversee PACS software from exposing patient data.

The National Institute of Standards and Technology's Cybersecurity Framework is designed to help organizations manage their security risk; in this blog we'll go over its requirements, penalties for failing to comply with it, and best practices.

The Crown Jewels of Manufacturing Trade Secrets Maintaining a competitive edge in manufacturing demands protecting R&D, product designs, specifications and supplier contracts. But like it or not, manufacturing trade secret intellectual property leaks. The nature of manufacturing necessitates sharing highly confidential information throughout the supply chain and to employees who may not necessarily be with your company forever. In the course of doing their work, those who touch confidential data continually use email, collaboration platforms, managed and unmanaged mobile devices, Slack, and even USB drives, making virtually every manufacturing enterprise porous. Unfortunately the rate at which employees share outpaces the security team’s ability to patch the perimeter, block or quarantine information, and stop confidential data from leaving a company’s control. Realistically, manufacturing security teams must often balance protecting intellectual property with enabling high-speed production efficiency. Common Tools Fall Short For help, they frequently rely on some common tools that, while offering some valuable benefits, all share the same limitation: locking data down. Data Loss Prevention (DLP): Scans and quarantines confidential information traversing the network. Once it leaves that environment, security teams can’t see, audit or control what others are doing with mission-critical data. Cloud Access Security Broker (CASB) – Enforces security policies and blocks information leaving cloud applications (e.g., Box, Salesforce). However, when data is downloaded or moved offline, security teams lose all control of what happens next. Digital Rights Management (DRM): Attempts data-centric security, but cumbersome user experience prevents enterprise-wide adoption and scalability. Classification: Tags and classifies sensitive information shared from your business. A classifier can’t prevent an employee from downloading trade secrets and taking them to his/her next job. These tools rarely work at the most critical moment, when people are working with the information. They can’t prevent an external supplier in Europe from saving a copy of proprietary designs and forwarding it to a competitor. And, once data moves past the DLP fence and CASB proxy, it’s in the wild, exposed. Digital Guardian Secure Collaboration Keeps Manufacturing Trade Secrets Secure Truly protecting data crown jewels requires shifting the security strategy to protect the data itself ―through its entire life cycle, everywhere it travels, no matter who has it or where it’s stored. The ideal data-centric security solution is characterized by five capabilities: Securing all forms of data Providing 360-degree visibility Supporting dynamic data protection Integrating with the existing IT ecosystem Providing an invisible user experience At Digital Guardian, we see how manufacturing security teams are leveraging data-centric security to automate their jobs and become value-driven enablers to the core business, by: Automating secure trade secrets emailed to third-party suppliers. One of the most common workflows our manufacturers leverage is automatically securing all trade secrets sent to third-party suppliers over email. Using the products smart rules engine, all attachments sent to a supplier are automatically secured without requiring employees to take any manual steps. If data is ever forwarded to a third party that doesn’t belong to the intended domain, they’ll never be able to access it. Preventing leaks, even after IP is downloaded from a manufacturer’s systems. Manufacturers store sensitive patents, trademarks, customer information and processes across multiple storage platforms: local file shares, Box, Dropbox, SharePoint, OneDrive, and more. Our secure collaboration functionality has built out-of-the-box integrations to automatically secure any file uploaded or downloaded from those platforms. That way, employees work exactly as they normally would, and Digital Guardian Secure Collaboration works seamlessly behind the scenes to protect the IP everywhere it moves. If data ever leaks or is downloaded, our solution's security stays with the file, making sure only authorized parties can access it. Tracking proprietary R&D throughout the supply chain. Manufacturers leverage the products audit capabilities to understand exactly who is accessing R&D throughout the supply chain, to track all access attempts (authorized or not), and to get granular metrics on usage and adoption. Even if the file is removed and duplicated, security controls always stick to the data. Revoking access to data kept by departing employees. Employees come and go. Sometimes they’re tempted to take proprietary designs to their next venture. Manufacturers employ the products Dynamic Data Protection to revoke access to any data a departing employee has appropriated throughout his/her employment—even when it’s moved to a personal account. In one click, all copies of secured designs are shut off. Securing IP generated from home-grown apps. The products SDK enables automatic securing of machine-generated files and custom designs that are uploaded and shared from home-grown systems or third-party apps. That provides manufacturers with a powerful data security fabric for their entire ecosystem and extended enterprise. With the innumerable ways precious IP can leak, securing it at the data level is really the only path to ensuring that the heart of any manufacturer’s core value and competitive viability remain intact. Keep your most sensitive data in the right hands​ SCHEDULE A DEMO

The General Data Protection Regulation (GDPR) has become the norm for data privacy in the European Union. What have we learned in the time since its been in effect? We asked 24 data privacy and compliance experts.

Learn about what the Electronic Healthcare Network Accreditation Commission, or EHNAC, is, its benefits, the accreditation process, and best practices in Data Protection 101, our series on the fundamentals of data security.

May's massive breach at First American Financial Corp. exposed 885 million records. Now the company is drawing the attention of regulators, curious if any laws were broken.

Nevada's new law, which will require website operators to honor opt-out procedures, goes into effect on October 1, three months before the CCPA's compliance deadline, January 1, 2020.

Brazil's GDPR-like data protection law, LGPD, owes a lot to the EU regulation but has several key differences that organizations that do business in the country should be familiar with.

Alabama is the latest state to adopt the Insurance Data Security Model Law, a legal framework that requires insurers to develop and implement an information security program among other security standards.