Why PII Security Should be a Top Priority for Devs, part 1

Introduction to PII

PII stands for Personally Identifiable Information: any data that can be used, on its own or in combination with other data, to distinguish or trace one person's identity, such as:

  • Name, including full name, maiden name, aliases
  • Date and place of birth
  • Home address, including street name and name of city or town
  • Email address, IP addresses and online identifiers (such as usernames or links to social profiles)
  • Social Security number (or equivalent national identification number)
  • Passport number, driver's license number, or other government-issued identification number
  • Biometric data, including fingerprints and facial recognition data
  • Medical information, including health records and insurance information
  • Financial information, including bank account numbers and credit card numbers
  • Employment information, including employment history and salary information


Why is it important?

  1. Privacy: PII identifies an individual, and protecting it is what keeps people's privacy intact. Individuals have the right to control how their personal information is collected, used, and shared.
  2. Security: PII is a prime target for cybercriminals, who use it for identity theft, account takeover, fraud, and other crimes.
  3. Reputation: A data breach or other security incident that exposes PII damages an organization's reputation and erodes customer trust.
  4. Legal compliance: Many countries have laws and regulations that require organizations to protect PII and to notify individuals (and often a regulator) in the event of a data breach. Failing to comply can result in legal and financial consequences.


PII laws and regulations

Failure to comply with PII laws can result in significant legal and financial consequences for businesses and organizations. Here are some examples of PII regulations:

  • GDPR (General Data Protection Regulation) - European Union
  • HIPAA (Health Insurance Portability and Accountability Act, federal, health data) & CCPA (California Consumer Privacy Act, California state law) - USA
  • PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
  • APPI (Act on the Protection of Personal Information) - Japan; South Korea's equivalent is PIPA (Personal Information Protection Act)
  • PDPA (Personal Data Protection Act) - Singapore
  • Privacy Act 1988 and its Notifiable Data Breaches (NDB) scheme - Australia
  • and others


The Cost and Consequences of Exposed PII

For example, under GDPR, fines can reach €20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.

Here are the largest GDPR fines issued at the time of writing:

1. Amazon - €746 million, 2021

Luxembourg's regulator (CNPD) opened an investigation into how Amazon processes its customers' personal data and found infringements in Amazon's advertising targeting system, which was operated without proper consent.

2. Meta - €405 million, 2022

According to Ireland's regulator (DPC), Meta failed to provide child users with information in clear and plain language, lacked appropriate technical and organizational measures, and failed to conduct a Data Protection Impact Assessment where processing was likely to result in a high risk to the rights and freedoms of child users.

3. Meta - €390 million, 2023

Meta's position was that, by accepting the Terms of Service, users entered into a contract with Meta; that processing personal data was necessary to deliver the Facebook and Instagram services and to perform that contract; and that personalized and behavioural advertising was therefore in line with the GDPR. Two complainants contended that, by making access to its services conditional on accepting the updated Terms of Service, Meta was in fact "forcing" them to consent.

4. Meta (again) - €265 million, 2022

The fine concerns a data breach in which the personal details of hundreds of millions of Facebook users were published online: phone numbers and email addresses of up to 533 million users appeared on a hacking forum.

5. WhatsApp - €225 million, 2021

The fine relates to an investigation that began in 2018 into whether WhatsApp had been transparent enough about how it handles information. The issues were highly technical, including whether WhatsApp gave users enough information about how their data was processed and whether its privacy policies were clear enough. Those policies have since been updated several times.


The role of developers in PII security

Developers play a critical role in PII security. They implement the controls, such as encryption and access controls, that keep PII from unauthorized access, and they decide how data is stored, for how long it is retained, and how it is actually deleted when it is no longer needed.
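As an added illustration of the encryption and deletion points above (example code written for this edit, not code from the original post), here is a small Go program that encrypts individual PII fields with AES-256-GCM from the standard library, binds each ciphertext to its user and column through the associated data so a value cannot be silently moved between rows or fields, masks an email address for logging, and implements an erasure request by destroying the per-user key (crypto-shredding). The in-memory key map, the user IDs and the sample address are assumptions made for the example; a real deployment would keep the keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrNoKey is returned when no data-encryption key exists for the user, e.g. after
// Forget: the ciphertext may still sit in the database and backups, but is unrecoverable.
var ErrNoKey = errors.New("no key for user: field is unrecoverable")

// Vault keeps one AES-256 key per user. The map is a hypothetical in-memory
// key store for this example; in production the keys live in a KMS or HSM.
type Vault struct{ keys map[string][]byte }

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// aead returns the user's AES-GCM instance, generating a key on first Seal only.
func (v *Vault) aead(userID string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[userID]
	if !ok {
		if !create {
			return nil, ErrNoKey
		}
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		v.keys[userID] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PII field. User ID and field name are bound as associated data,
// so a ciphertext copied into another user's row or another column fails on Open.
func (v *Vault) Seal(userID, field, plaintext string) (string, error) {
	a, err := v.aead(userID, true)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, a.NonceSize()) // fresh random nonce per value; never reused with a key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := a.Seal(nil, nonce, []byte(plaintext), []byte(userID+"|"+field))
	return hex.EncodeToString(nonce) + ":" + hex.EncodeToString(ct), nil
}

// Open decrypts a value that was sealed for the same user and field.
func (v *Vault) Open(userID, field, sealed string) (string, error) {
	a, err := v.aead(userID, false)
	if err != nil {
		return "", err
	}
	nonceHex, ctHex, found := strings.Cut(sealed, ":")
	nonce, err1 := hex.DecodeString(nonceHex)
	ct, err2 := hex.DecodeString(ctHex)
	if !found || err1 != nil || err2 != nil || len(nonce) != a.NonceSize() {
		return "", errors.New("malformed sealed value")
	}
	pt, err := a.Open(nil, nonce, ct, []byte(userID+"|"+field))
	if err != nil {
		return "", errors.New("authentication failed: tampered, or sealed for another user or field")
	}
	return string(pt), nil
}

// Forget destroys the user's key (crypto-shredding), honouring erasure even for backup copies.
func (v *Vault) Forget(userID string) { delete(v.keys, userID) }

// MaskEmail is the only form that should reach logs or support screens; the fixed shape
// also avoids leaking the length of the local part.
func MaskEmail(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 1 {
		return "***"
	}
	return email[:1] + "***@" + email[at+1:]
}

func main() {
	v := NewVault()
	email := "alice@example.com" // constructed sample value
	sealed, _ := v.Seal("user-42", "email", email)
	pt, _ := v.Open("user-42", "email", sealed)
	_, wrongField := v.Open("user-42", "phone", sealed) // same key, different column
	v.Forget("user-42")                                 // erasure request
	_, erased := v.Open("user-42", "email", sealed)
	fmt.Println(MaskEmail(email), pt, wrongField, erased)
}
```

The associated data is what makes this more than "encrypt the column": with the same key, a ciphertext lifted from the email column into the phone column, or from one user's row into another's, is rejected. Deleting the key instead of hunting for every copy of the ciphertext is what makes erasure practical when the same bytes live in replicas and backups.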

In the second post, I will give some tips on protecting personal data from a developer's point of view.

More articles by Ruslan Papina

  • What Devs Need to Do to Protect PII, part 2