PII - What's the Big Deal

 

There is a lot of concern surrounding Personally Identifiable Information (PII) and data transfer. We live our lives in the digital world and so much of our information is out there with the places we interact with. On the outside, we don’t really think about where our data is going, how it is stored, and whether or not it will be shared let alone is it safe….We simply conduct our transactions and that’s the end of it….until something bad happens.

What Information IS PII Anyway?
No matter where you are in the world, we don't seem to agree on what PII actually is. Some people think it is just their name or face or basic information like address and phone number. 

The California Consumer Privacy Act (CCPA) defines it as any information that can be coded back to any individual or household. Shoe size doesn’t mean a thing but if it can be coded back to an individual, then it is PII. 

Netflix did a DEV challenge to create software that gave recommendations based on anonymized consumer data. They were forced to take the challenge down because the rental information is personal data protected by Netflix’s privacy policy and they should have known that it’s possible to identify users based on that data. The same thing happened when AOL released "anonymized" search engine logs, which was later used to track down people.

We have to get back on a human level. If the person sitting next to us was a friend or family member, would it be ok to share their information with everyone?

Your Data is Everywhere and There is No Turning Back.
It is all online in hundreds of different places. Companies that perform Data Subject Access Requests can pick up over 150,000 pieces of data linked to one individual from personal information down to which websites you clicked through. So if it’s all out there, what can we do? Well, it’s not only about keeping your data secret, it’s also about leaving you alone. The fact that a company has your data doesn’t mean they can abuse it. It’s your data, you own it, and you can decide what company can use it and what for.

The information may already be out and cannot be hidden but there needs to be some controls and regulations put in place when using, sharing, and storing PII. 

Why Companies Should Start Collecting Less
It’s said that data is more valuable than oil, but it is also a liability and could be more expensive to manage to meet compliance standards. Do you really need all of this data?  Don’t collect things just because you may need them in the future. This data isn’t really free. You need to protect it and because of it, you are at a higher risk of a privacy breach.

Organizations that are collecting everything whether they need it or not are stuck in the Pinata Paradox where they collect and collect, getting larger and more attractive to an adversary. (term courtesy of Scott Foote)

Keep it simple, ask only for the data you actually need to fulfill the service you are offering. It’s a simple “why” to significantly reduce your compliance cost.

What About Consumers? What Can They Do?
Don’t give out your shoe size if it’s not required to buy the donut! Avoid filling out optional fields. Every time you fill out a form like that, you are handing over money. Is it worth it? Think before you give out your information, negotiate, and value yourself. 

It’s time to start asking companies the following questions when they ask for your information. Why are you collecting this information and what are going to do with it? Where is it going? What is the benefit to me? How are you protecting me?

 

Want a Fun Challenge?
You know that 2nd address line most online forms have? Put something there like “I filled this out for Best Buy” and when you are sent something by a company that is not Best Buy, you’ll know who your information was shared with.

Information in Layers
It’s helpful to look at PII in layers in order to make decisions on which businesses to interact with on a personal level. For companies, it is equally important to look at these layers to assess risk and put controls in place to protect data while still making a profit.  Some of these layers are never exposed and some are. From a personal and company point of view, we can break down levels of information like this:

  1. Are you putting me at risk? Is my personal data safe? Can someone take out a loan with it?
  2. It’s a nuisance if someone is following on my clickstream to pepper me with ads.
  3. It’s inconvenient. (birthday, address, etc.) These don’t pose a huge risk.
  4. It’s out there. Where have I worked? Who do I know? (Social Media Profiles, posts, friends lists)

Data is an Adversary's Dream...
We are now facing the human element of the information. I can take these individual pieces that you do not think are critical and I can go check in other databases to put enough information together to target a victim. So data from that one company that you gave your birthdate to and then that other company you gave your social security number to can be used against you.

The business model has changed for scammers. It used to be they had to break in and steal your data and find a buyer no matter what that data was. Now, they break in, steal the data, encrypt your computers, and make you pay a ransom. They’ve already got their revenue. They don’t even really have work and use your data. The data is the icing on the cake.

Building Awareness
“I’m not doing anything illegal so it doesn’t matter.” It is a far too common thing we all hear. You won’t care about your data today but you may care tomorrow. It’s good there are some regulations out there but people don’t really understand or think about the risks. What can we do as an industry to help people understand and become aware? 

Seventy percent of Americans feel their information is less secure and 80% want more control of it. People are starting to wake up but we still have a long way to go to educate and build awareness in our communities. 

Wizer would like to give a special thank you to Chris Roberts, hacker extraordinaire for  his contribution to this project!

We wish him much success!

Thank you to our esteemed panelists:

  • Nimrod Vax - Co-Founder, Head of Product@ BigID - Know Your Data™ ▸ Privacy • Protection • Perspective 

  • James J. Azar - ISO - CISSP, Host of CISO Talk Podcast and CyberHub Podcast🎙- Cyber security, Privacy, Board member

  • Matt Lee - Director of Technology and Security (Evangelism) at Iconic IT | CISSP | CCSP | Proud Member of Infragard | Hacker | Father, Husband!

  • Scott Foote - CISO, CPO/DPO, Cybersecurity Executive, Board Advisor, CISSP, CCSA, CCSP, CISM, CRISC, CISA, CDPSE