Get Picky With PII

Picky eater

Meet David.  He is 10 years old, he is my son, and he is a very picky eater.  Not only does David dislike certain foods, he gets pretty upset if they even touch. We’ve all known someone like this.  Sometimes it’s your friend’s child. Sometimes it’s your aunt. Sometimes it’s your coworker. Picky eaters are everywhere.

I can’t give them too much of a hard time, though--because I spend my days doing to my data exactly what my son does to his food.

Most businesses have to deal with Personally Identifiable Information (PII) on a regular basis.  When it comes to PII, I’m just like David. With our databases, I start to get pretty twitchy if PII comes anywhere near the rest of our data.  

I'm writing this blog post to make the case that you should be a picky eater too when it comes to consuming PII.  As it turns out, being picky can save your proverbial bacon.  Let’s dig in.

What Is Personally Identifiable Information Anyways?

That’s an excellent question. Very broadly, any subset of information that can uniquely identify a person is Personally Identifiable. Some examples of PII:

  • Full Name
  • Tax Identifiers like Social Security Numbers
  • Home Address
  • Photographs
  • Date of Birth
  • Zip Codes

The list goes on. Wikipedia covers this pretty well.  As you can see, PII is a pretty broad classification and it’s very easy for it to get all over everything.

Who Cares About PII?

As it happens, pretty much everyone wants a slice of the PII pie.

  • Customers care about PII because their privacy is important to them, and fraud related to identity theft can hit their pocketbook.
  • Advertisers care about PII because it helps them target their audience.
  • Businesses care about PII because identity theft opens them to lawsuits and reparation costs, and damages their reputation when they’ve been hacked.
  • Governments care about PII because citizens and businesses expect them to safeguard their privacy.
  • Criminals care about PII because it’s a valuable resource to make malicious hacking more effective.

According to the U.S. Bureau of Justice Statistics, identity theft alone cost victims a total of $15.4 billion as recently as 2014 (see Victims of Identity Theft, p7). PII is big business--especially if your business is crime.

Now I Care About PII, What Should I Do With It?

The first important thing you must do with PII is track it. Whether you work in a startup or an enterprise, PII is like honey on the hands of a toddler — it gets everywhere. Starting from zero knowledge of where your PII is can be daunting. The best cure here is prevention. If it’s too late for that, find it. It may take a serious effort on behalf of your engineers, but it’s one of the best investments you’ll ever make.

The second important thing you must do with PII is keep it contained. Once the syrup leaks from your pancakes onto your bacon, there’s no getting it off again. This can mean separate databases. In general, try to build your systems such that services only have PII on a need-to-know basis. Make sure that they don’t record it in logs or save it with other data. If they do store it, make sure that storage is encrypted, secured, and cleanly disposed of.
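One way to keep PII out of logs, as an added example (not Valimail's code): a Python logging filter that masks PII before any handler writes it. The patterns, field names, logger name, and sample values are all assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed patterns for this sketch: US SSNs and e-mail addresses.
PII_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
]
# Assumed names of structured fields that must never reach a log sink.
PII_FIELDS = {"ssn", "email", "full_name", "date_of_birth", "home_address"}

def scrub(value):
    """Mask PII in strings; recurse into dicts, lists and tuples."""
    if isinstance(value, str):
        for pattern, label in PII_PATTERNS:
            value = pattern.sub(label, value)
    elif isinstance(value, dict):
        value = {k: "[REDACTED]" if str(k).lower() in PII_FIELDS else scrub(v)
                 for k, v in value.items()}
    elif isinstance(value, (list, tuple)):
        value = type(value)(scrub(v) for v in value)
    return value

class PIIFilter(logging.Filter):
    """Scrub each record before a handler formats and writes it."""
    def filter(self, record):
        if record.args:
            record.args = scrub(record.args)   # structured fields first
        record.msg = scrub(record.getMessage())  # then the rendered text
        record.args = None
        return True  # keep the event, drop the PII

def demo():
    """Log constructed sample data and return what reached the sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(PIIFilter())
    log = logging.getLogger("billing-demo")  # hypothetical service name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    log.info("signup ok for %s, ssn=%s", "pat@example.com", "000-12-3456")
    log.info("profile update: %s", {"plan": "pro", "full_name": "Pat Doe"})
    log.removeHandler(handler)
    return sink.getvalue()

if __name__ == "__main__":
    print(demo())
```

Pattern matching only catches PII that looks like PII; free-form values such as names are masked here only because they arrive under a known field name, which is why containment upstream still matters.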

The third important thing you must do with PII is limit access to it. When everybody has access to everything, you’ve got basically the worst possible security profile. According to IBM’s 2016 Cyber Security Intelligence Index, 60 percent of information security threats come from inside of your organization. By carefully limiting who has access to information, the chances of PII being mishandled or outright stolen are drastically reduced.

Building on those three basics, you’ll be in a good position for the most important thing you can do with PII--comply with the law. While the GDPR has made headlines recently, PII has been a concern even in the United States as far back as the Privacy Act of 1974, with further refinement in later bills, such as HIPAA in 1996. The state of California even considers privacy to be an inalienable right in its Constitution and has enshrined it statutorily in the 2003 Online Privacy Protection Act (OPPA) and SB 1386. Compliance is a full-time job, and it’s impossible to achieve it in an organization with an ad hoc approach to managing PII.

What Does Valimail Do With PII?

We feel the best solution to a problem is not to have it at all.  All of our products are designed with a zero-PII approach. We recommend this approach to anyone who has the option. The best quantity of PII is zero PII.

Granted, not every company is able to take such a stringent approach to PII. But with careful handling of PII, you can keep your business focused on getting ahead of the competition instead of responding to legal briefs. Attacks can and do happen. I know this for a fact, because here at Valimail, preventing those attacks is our business. I sleep well at night knowing that we keep our customers safe.

With the above engineering practices, you can do it, too.  It’s no more difficult than dinner with David. Just don’t let your potatoes touch your peas -- or your PII touch non-PII.

Jayson Vantuyl is an operations architect with Valimail, working with the engineering team to build, maintain, and operate the infrastructure underlying the world's leading email authentication platform. As his 10-year-old puts it, “Daddy builds clouds.” He is an entrepreneur, a business nerd, and a computer scientist with substantial development experience and pervasive knowledge of technology. Jayson is particularly interested in advancing the state of the art in distributed computing and operations in general.