Personally identifiable information has a life cycle and as a small business, it is your legal responsibility to protect it.
You need to know what PII is, because you will be seeing this acronym more and more. PII stands for Personally Identifiable Information.
PII can mean a whole host of things, such as the following: name, phone number, email address, home address, marital status, passport number, financial information, credit card numbers, bank data and medical information, and certainly, more kinds of data.
As you can see, this is not the type of information that you will want out there. Though the PII on you that’s stored in the computer databases of your health plan carrier, bank, employer, etc., isn’t all necessarily super private, most of it is sensitive and would cause harm if released publicly.
It’s quite reasonable, then, as a consumer, to be concerned about how easily these databases might be shared. And as a small business, it is your legal responsibility to protect that data.
Let’s First Look at the PII Life Cycle: It Has Stages
- The collection of personal data based on the need for this gathering
- Storage and maintenance of the PII data
- Use of the data, which can include sharing it without the person’s specific knowledge or authorization, on the basis of agreed terms of service.
- Disposition: destruction of the data, which should happen within a predetermined timeframe once the data is determined to be no longer needed.
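The four stages above map naturally onto a small piece of record-keeping code. The following is an added example, not code from the original article: it models collection tied to a stated purpose, a retention period per purpose, and a disposition step that purges expired records within the predetermined timeframe while writing an audit log that contains no PII itself. The purposes, retention periods and sample records are constructed values for illustration; a real retention policy comes from your legal and compliance review.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed retention periods per collection purpose (assumption for this
# example, not a legal recommendation). Stage 2 (storage) is bounded by these.
RETENTION_POLICY: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=90),
    "newsletter": timedelta(days=365),
}


@dataclass
class PiiRecord:
    record_id: str
    subject: str                      # the person the data is about
    purpose: str                      # Stage 1: why the data was gathered
    collected_at: datetime            # start of the retention clock
    fields: Dict[str, str] = field(default_factory=dict)  # the PII itself


def collect(record_id: str, subject: str, purpose: str,
            fields: Dict[str, str], collected_at: datetime) -> PiiRecord:
    """Stage 1: refuse to store PII for which no need (purpose) is on file."""
    if purpose not in RETENTION_POLICY:
        raise ValueError(f"no retention policy for purpose {purpose!r}; do not collect")
    return PiiRecord(record_id, subject, purpose, collected_at, dict(fields))


def due_for_disposition(records: List[PiiRecord], now: datetime) -> List[PiiRecord]:
    """Stage 4: records whose retention window has elapsed as of `now`."""
    return [r for r in records
            if now >= r.collected_at + RETENTION_POLICY[r.purpose]]


def dispose(records: List[PiiRecord], now: datetime) -> Tuple[List[PiiRecord], List[dict]]:
    """Purge expired records and return (surviving records, audit log).

    The log records only the record id, time and reason, never the PII, so the
    audit trail itself does not become another copy of the data.
    """
    expired = {r.record_id for r in due_for_disposition(records, now)}
    kept = [r for r in records if r.record_id not in expired]
    log = [{"record_id": rid, "disposed_at": now.isoformat(), "reason": "retention_expired"}
           for rid in sorted(expired)]
    return kept, log


def demo(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> Tuple[List[PiiRecord], List[dict]]:
    """Run the lifecycle over constructed sample records and return the outcome."""
    utc = timezone.utc
    records = [
        collect("r1", "alice@example.com", "order_fulfilment",
                {"address": "1 Example St"}, datetime(2024, 1, 15, tzinfo=utc)),
        collect("r2", "bob@example.com", "order_fulfilment",
                {"address": "2 Example St"}, datetime(2024, 5, 1, tzinfo=utc)),
        collect("r3", "carol@example.com", "newsletter",
                {"name": "Carol"}, datetime(2023, 3, 1, tzinfo=utc)),
        collect("r4", "dave@example.com", "newsletter",
                {"name": "Dave"}, datetime(2024, 1, 1, tzinfo=utc)),
    ]
    return dispose(records, now)


if __name__ == "__main__":
    kept, log = demo()
    print("kept:", [r.record_id for r in kept])
    print("disposed:", log)
```

Run as a script it keeps r2 and r4 and logs the disposal of r1 and r3. The `collect` guard is the point of stage 1: if nobody can name the purpose, and therefore the retention period, the data should not enter storage at all.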
Not all businesses, however, have a strict policy in place for disposing of no-longer-needed PII, or adhere to the policy they have. And not all businesses that hold your data release it only when necessary. Clients and customers have a right to determine just when and how their data is used.
Small and large businesses, banks, employers, health plan carriers, etc., are supposed to properly manage and maintain PII from creation to dissolution. Management also includes offline, hard-copy formats. At disposition, hard copies should be shredded and disposed of where nobody could find the shreds and reconstruct them.
If there’s a data breach from a hacker, the business, upon closing the hole, should immediately notify its clients or customers. You should not learn, for instance, a year after a data breach was discovered that your medical records were accessed. Nor would your customers appreciate this.
Businesses have a strong incentive for properly containing your data: Punishment is stiff if they are guilty of a privacy violation.
What Are the Laws of Privacy?
- The Privacy Act of 1974: Guidelines for the collection, use and sharing of personal data.
- HIPAA: Health Insurance Portability and Accountability Act. This protects consumers’ health information from getting into the hands of people, including family members, who are not “on the HIPAA form,” that is, not authorized by the patient to obtain information. This is why, when a high-profile medical case hits the news, so little information is given about what’s actually going on.
- The Office of Management and Budget Mandate M-07-16: This requires protection for personal data in online and offline form.
- COPPA: Standing for Children’s Online Privacy Protection Act, this law requires a parent’s consent before websites gather information on children under age 13.
- National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations: privacy controls are in Appendix J.
- The E-Government Act of 2002, Titles II and III: Requires federal agencies to assess the privacy impact of systems that gather data from the public.
- Policy Number HHS-OCIO-2008-0001.003: This policy ensures that when events involving PII raise a red flag, action is taken promptly.
So how secure is the PII on your network? Just how many databases contain it? How is it being accessed, stored, shared, sold, protected? Do you even know the privacy policies of the many businesses that have your own personal data?
A good start would be to visit the websites of the organizations that you do business with, such as your bank and health plan carrier, and read their privacy policies. Work with IT, HR, and your corporate attorney, among others, to develop a PII Lifecycle Strategy.