Understanding PII and the Role of Cybersecurity Experts in Protecting It

In today’s digital landscape, where data breaches and identity theft are ever-present threats, safeguarding Personally Identifiable Information (PII) has become critical. For cybersecurity experts, protecting PII is not only a core responsibility but an ethical imperative. Sensitive personal information, if exposed, can lead to severe repercussions for individuals, including financial fraud, reputation damage, and, in some cases, even physical harm. It is the duty of cybersecurity professionals to ensure that this information remains secure and protected from malicious actors.

Definition of PII

In Saskatchewan, for example, the Freedom of Information and Protection of Privacy (FOIP) Act provides a comprehensive definition of PII, guiding organizations and cybersecurity professionals on what constitutes personal information. The FOIP Act defines “personal information” as recorded details about an identifiable person, covering a broad spectrum of data points. These include, but are not limited to, a person’s race, religion, age, family status, educational history, and financial transactions, as well as identifying numbers like an employee ID or a driver’s license number. Importantly, PII under FOIP also extends to opinions expressed by or about an individual and private correspondence shared with a government institution.

Categories of PII

By the standards of FOIP, cybersecurity experts can break down PII into several identifiable categories:

  1. Background Information: Personal details about a person’s race, nationality, or family status, which could uniquely identify them.
  2. Education, Employment, and Financial Transactions: Records of an individual's education history, employment details, criminal record, or financial transactions.
  3. Identifying Numbers and Contact Information: Data points like addresses, contact numbers, and ID numbers assigned to individuals, which can be used to link back to them.
  4. Personal Opinions and Private Correspondence: Views or opinions shared by an individual or about them, especially when provided in confidence.
  5. Financial and Tax Information: Detailed records relating to a person’s assets, liabilities, or tax information.
  6. Names Linked with Other Personal Information: An individual’s name when paired with additional data points that reveal further personal information.

Consequences of Not Protecting PII

Failing to protect PII can have dire consequences for both individuals and organizations. When personal information is compromised, individuals may face financial fraud, identity theft, and significant emotional distress. Financial fraud can lead to unauthorized transactions, draining bank accounts, and damaging credit scores. Identity theft can result in fraudulent activities conducted in the victim's name, causing long-term legal and financial complications. Additionally, the emotional toll of having one's personal information exposed can lead to anxiety, stress, and a loss of trust in institutions.

For organizations, the repercussions are equally severe. Data breaches can result in substantial financial losses due to legal penalties, regulatory fines, and compensation claims. The loss of customer trust can lead to a decline in business, as clients may choose to take their business elsewhere. Moreover, the damage to an organization's reputation can be long-lasting, affecting its ability to attract new customers and retain existing ones. In some cases, the fallout from a data breach can be so severe that it threatens the very existence of the organization.

Frequency of Data Breaches Involving PII

Data breaches involving PII are alarmingly frequent. According to recent statistics, in the first quarter of 2023 alone, 6.41 million data records were leaked in worldwide data breaches[1]. Additionally, 52% of all breaches involved some form of customer PII, an increase of 5% compared to 2022[2]. The Privacy Rights Clearinghouse estimates that there have been 9,044 public breaches since 2005, exposing more than 10 billion records, including passwords, credit card numbers, and even passports[3]. These statistics underscore the critical need for robust data protection measures to safeguard PII.

The Role of Cybersecurity Experts

Each of these categories highlights why cybersecurity experts must exercise rigorous controls when handling PII. FOIP, along with other regulations, provides a legal framework that ensures individuals’ privacy rights are respected and protected. However, it is ultimately up to cybersecurity professionals to apply these regulations in their daily operations, safeguarding data against unauthorized access, breaches, or misuse.

Examples of PII as per FOIP*

To provide clarity on what is considered PII under the FOIP Act, here are some examples:

Background Information:

  • A demographic profile form stating: "Name: Sarah Lee; Gender: Female; Nationality: Canadian; Ethnicity: Asian; Religion: Buddhism; Age: 35."
  • A survey response: "Person’s race: Black; Sexual Orientation: Heterosexual; Marital Status: Divorced; Family Status: Single Parent of Two Children."

Education, Employment, and Financial Transactions:

  • A résumé or job application for "John Doe" including: "Education: Bachelor’s in Computer Science from University of Toronto, 2010; Employment History: Software Engineer at XYZ Corp (2011–2016), Lead Developer at ABC Inc. (2016–Present); Criminal Record Check: No prior convictions."
  • A bank transaction record showing: "Account Holder: Emily Rogers; Bank Account Number: 1234-5678-9012; Recent Transactions: Payment of $1,200 for rent on 2024-10-01; Purchase of $50 at Grocery Mart on 2024-10-02."

Identifying Numbers and Contact Information:

  • A driver’s license for “Michael Thompson,” containing: "Driver’s License Number: A1234-56789; Home Address: 123 Maple Street, Vancouver, BC; Contact Number: (604) 555-1234."
  • An employee ID for a government worker: "Employee Name: Maria Gonzalez; Employee ID: GOV-987654; Department: Ministry of Finance."

Personal Opinions or Views:

  • A written opinion submission to a government consultation: "I, Thomas Brown, believe the proposed tax reforms are unfair to middle-income families."
  • A response to a workplace survey: "Employee ID: EMP-2023; Opinion on remote work policy: 'I find it enhances productivity and work-life balance, and I believe more flexibility should be given.'"

Private Correspondence:

  • An email from "Jane Smith" to the Ministry of Health, marked confidential: "Dear Health Department, I am writing regarding my recent health concerns and the support I need for my family’s ongoing care."
  • A government response referencing the original private email: "Dear Ms. Smith, regarding your concerns on family healthcare, we understand the need for ongoing support and can suggest the following options…"

Opinions About an Individual:

  • A supervisor’s notes about an employee: "Supervisor: Linda Watson; Employee: Alan Park; Feedback: 'Alan demonstrates excellent technical skills but could benefit from developing interpersonal skills to improve team collaboration.'"
  • A manager’s comments in a personnel file: "Employee: Sarah Lee; Observation: 'Sarah is proactive and completes tasks ahead of deadlines. Her attention to detail has contributed to fewer project errors.'"

Tax and Financial Details:

  • A tax return document for "Lucas Miller," showing: "Income: $80,000; Deductions: $10,000 for mortgage interest, $5,000 for charitable donations; Tax Credit: $1,500 for tuition expenses."
  • A credit report showing: "Name: Emily Chen; Credit Score: 780; Outstanding Debt: $5,000 on credit card; Recent Transactions: $2,000 payment on 2024-09-15; Credit Worthiness: Excellent."

Name Paired with Personal Information:

  • An internal government record: "Name: Jacob Taylor; Marital Status: Married; Employment Status: Employed at Ministry of Infrastructure; Age: 45; Address: 456 Oak Avenue, Toronto, ON."
  • A public document: "Petition signed by Lily Roberts, 32, Address: 789 Birch Lane, supporting the introduction of a community center in her neighborhood."

Conclusion

To sum up, understanding and protecting PII is a core element of cybersecurity work. With laws like Saskatchewan’s FOIP Act setting clear guidelines, cybersecurity experts have a robust starting point for their privacy and data protection strategies. By defining, classifying, and rigorously protecting personal information, cybersecurity professionals can help create a safer digital world where personal privacy is respected, and data security is paramount.

References

*The names used in this article are fictitious and do not correspond to any real individuals.

[1] Data breaches worldwide | Statista

[2] 101 of the Latest Data Breach Statistics for 2024 - Secureframe

[3] By the numbers: How common are data breaches - PolitiFact

Very informative
