Data privacy has been a hot topic for some time, and this year it’s all coming to fruition. The California Consumer Protection Act (CCPA) went into effect at the beginning of this month, impacting businesses with a web presence throughout the U.S. Similar legislation may soon be passed in other states, and a federal data privacy standard is being discussed in Congress at this moment.
While the conversation on data privacy has mostly centered on business and consumers, government contractors aren’t excluded. The National Institute of Standards and Research (NIST) is currently developing its own framework, and the need to protect personally identifiable information (PII) has been emphasized before in compliance standards, including NIST SP 800-53.
It’s likely that federal agencies and contractors will soon face as much scrutiny as private businesses for their data collection and sharing practices. But until new NIST standards are released, it’s a good moment to review PII, what it is, and how to protect it. In this article, we’ll do just that.
What is PII?
NIST defines PII as:
“Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.)”
While this is a fairly comprehensive definition that most people can understand, Wyden’s Consumer Data Protection Act would expand it to “data that is reasonably linkable to a specific consumer or consumer device” if passed. In an always-connected world of digital technology, PII is everywhere, and leaves traces all the time.
In a federal context, stolen, leaked, wrongfully shared or otherwise compromised PII counts as a risk that contractors should address at three different levels:
- Employees – PII belonging to personnel can be used in malicious ways, both against the employees themselves (blackmail, stalking) and against their organization (social engineering and espionage)
- Clients and partners – contractors have a professional, legal and ethical obligation to protect the confidentiality of their clients, and failing to do so is a betrayal of trust which may lead to litigation and lost partnerships
- Organization – on an organizational level, failure to protect PII leads to a damaged reputation which may harm further business opportunities
In all cases, compromised PII may impact national security by giving malicious agents the information they need to target secret projects and operations. Contractors therefore have an obligation to address PII in their overall security and risk management plans, through business procedures and technology controls.
Although it is now a decade old – and soon to be replaced with updated standards – NIST SP 800-122 provides useful advice for securing PII at an operational level, and so does the updated SP 800-53. Although this list is not comprehensive, here we will highlight five of NIST’s recommended security controls:
- Minimize PII collection and storage – organizations often have a tendency to collect and store much more PII than they actually need to. Establish a high-level policy for minimal collection practices, and discard documents or files containing PII when they are no longer necessary, using automation where possible to ensure that nothing is overlooked.
- De-identify records – in many cases, it is necessary to store records that contain PII, but it is not necessary to retain the PII itself. “De-identification” is the process of stripping or obfuscating names, addresses, phone numbers, and other PII from records, and should be used judiciously.
- Tightly control access – enforce strict access policies for both physical and digital records. In facilities and lobbies, FSOs already restrict access to authorized individuals; add an extra layer of security to filing cabinets and archival storage. Use privilege-based authentication to restrict access to digital files.
- Use cryptography – PII that must be stored should be stored in the safest way possible. Use NIST-approved cryptographic standards for hard drives and other digital storage media; for remote access, use VPNs and two-way encryption to prevent interception.
- Limit remote access – remote or mobile access is one of the greatest dangers to PII, as it is an easy route for hackers to compromise data. Restrict remote access as a general rule, and only allow it when absolutely necessary for certain files and specific individuals.
While these specific controls can help to jumpstart a PII protection strategy, protecting PII should be a goal that guides all aspects of your business, from vendor management to hiring practices.
To borrow a line from NIST 800-53, “Organizations cannot have effective privacy without a basic foundation of information security“. The same principles that can be used to protect PII will also protect your organization from other risks and vulnerabilities. Entering 2020, make sure that you and your employees are armed with the tools and strategy they need to follow regulations and protect your vital assets.
All-in-One Compliance Tools
Keep your data all in one place and protect your facilities with peace of mind. MathCraft’s ViSi Commander is an all-in-one compliance solution for FSOs and government partners, providing a comprehensive platform for visitor management and access control. Take proactive steps to protect your organization today.