Did you know that as a consumer, 25% of the apps you engage with are collecting your Personally Identifiable Information (PII)? Do you know why they are collecting it or where they are storing it? Also, do you realize as a company, General Data Protection Regulation (GDPR) fines can reach up to 4% of your global annual revenue?
PII encompasses any data that can be used to identify an individual, such as names, addresses, social security numbers, and financial details. The responsibility of safeguarding this sensitive information is often a topic of debate, which raises an important question:
Who does the burden of protecting PII fall on: consumers or companies?
In this blog post, we will delve into the roles and responsibilities of both parties in protecting PII and explore why it is essential for a collaborative approach to ensure data security.
The Responsibilities of Consumers in Protecting PII
“It is a company’s responsibility to protect PII; 42% of consumers believe so!” – Experian
While most can agree that companies have a significant role in securing PII, consumers also must accept specific responsibilities when it comes to protecting their data. Here are a few key actions consumers can take:
- Strong Passwords and Authentication: Consumers should create unique, complex passwords for all their online accounts and enable multi-factor authentication wherever possible. This simple step can go a long way in preventing unauthorized access to personal information.
- Exercise Caution in Sharing Information: Consumers must be cautious about sharing their PII online. This includes being mindful of the information they provide on social media platforms, avoiding oversharing, and being careful when responding to unsolicited requests for personal data.
- Regular Software Updates: Keeping devices, operating systems, and applications up to date with the latest security patches helps protect against known vulnerabilities that hackers may exploit to gain access to personal information.
- Educating Themselves: Consumers should stay informed about the latest cybersecurity best practices, common threats, and scams. By being aware of potential risks, they can make informed decisions and avoid falling victim to cybercrime.
Important Tip: Check if the companies you share sensitive information with are GDPR, CCPA, PCI DSS 4.0, and HIPAA compliant, as these regulatory mandates require companies to protect PII.
The Responsibilities of Companies in Protecting PII
Due to privacy concerns, more than 50% of users do not use web apps. Taking into account companies’ access to large volumes of personal data along with their ability to collect it, they play a critical role in protecting users’ PII data. To learn more about how to protect PII at its point of entry, read our ebook about how to fortify your data compliance with PCI and PII Mandates.
One of the major reasons for PII exposure is security misconfigurations.
Here are some ways in which security misconfigurations can result in PII exposure:
- Improper Access Controls: Misconfigurations in access controls can lead to unauthorized users gaining access to sensitive PII. For example, if access controls are not properly set up on a database containing PII, an attacker can exploit this misconfiguration to gain unauthorized access and extract sensitive information. Insufficient user authentication and authorization mechanisms can also allow unauthorized users to view or modify PII.
- Weak or Default Passwords: The use of weak or default passwords is a common security misconfiguration that can result in PII exposure. If default passwords are not changed or strong password policies are not enforced, attackers can easily guess or use brute force to find their way into systems and gain access to PII stored within those systems.
- Misconfigured Cloud Storage: Cloud misconfigurations can inadvertently expose PII to the public internet. For example, if cloud storage buckets or databases are misconfigured with overly permissive access controls, sensitive data can be accessed by anyone with knowledge of the misconfiguration. This can occur if administrators fail to properly configure access permissions, leaving PII unprotected and accessible to unauthorized individuals.
- Insecure Network Configurations: Misconfigurations in network settings, such as firewalls, routers, or intrusion detection systems, can open pathways for attackers to access PII. Failure to properly configure firewall rules or network segmentation can allow unauthorized access to sensitive data, exposing PII to potential breaches.
- Failure to Apply Security Updates: Neglecting to apply security updates and patches to software, operating systems, and applications can leave systems vulnerable to known exploits. Attackers can take advantage of these vulnerabilities to gain unauthorized access to systems containing PII. By keeping software and systems up to date, organizations can ensure that security vulnerabilities are addressed promptly, reducing the risk of PII exposure.
Here are some key steps in detail that your organization can take to safeguard PII:
- Continuous Discovery of PII Exposures: Use a cloud-based web application scanning product (such as Qualys WAS) to continuously detect PII exposures, runtime vulnerabilities, misconfigurations, and web malware across modern web apps and APIs.
- Data Encryption and Security Measures: Implement robust encryption mechanisms to protect PII during transmission and storage. Additionally, access controls, firewalls, and intrusion detection systems should be in place to secure sensitive data from unauthorized access.
- Privacy Policies and Consent: Always be transparent about your data collection practices and obtain explicit consent from consumers before collecting, storing, or sharing their PII. Clear and concise privacy policies should also be readily available to consumers, outlining how their data will be used and protected.
- Employee Training and Awareness: Provide comprehensive cybersecurity training to your employees, emphasizing the importance of data protection and best practices for handling PII. Employees should also be educated on how to identify and respond to potential security threats and breaches.
- Incident Response and Breach Notification: Be sure to have a well-defined incident response plan in place to detect, respond to, and mitigate data breaches effectively. In the event of a breach, timely and transparent communication with the impact on consumers is crucial to minimize potential harm and maintain trust.
Important Tip: To find out more about how misconfigurations can lead to PII exposure, read this blog about the real risk misconfigurations pose to organizations by Travis Smith, VP of Threat Research Unit, Qualys.
Taking a Collaborative Approach
While consumers and companies have distinct responsibilities in protecting PII, it is vital to recognize that an effective cybersecurity framework requires a collaborative approach. The collective efforts of both parties create a stronger defense against data breaches and identity theft. Consumers must be proactive in their own security practices, while companies must prioritize robust data protection measures and responsible data handling practices.
Government regulations and industry standards also play a crucial role in ensuring PII protection. Authorities should establish stringent regulations to enforce data security practices, conduct audits, and impose penalties for non-compliance. Meanwhile, industry stakeholders should collaborate to establish best practices, share threat intelligence, and promote data protection initiatives. Consider the following statistics:
- By 2023, it is estimated that 65% of the world’s population will have its personal information covered under modern privacy regulations, compared to just 10% in 2020. (Source: Gartner)
- In a recent survey, 79% of consumers expressed concerns about the protection of their personal data, underscoring the importance of effective data security measures and transparency. (Source: RSA)
In the battle to protect personally identifiable information, both consumers and companies have integral roles to play. While consumers must exercise caution, adopt best practices, and stay informed, companies have the responsibility to implement strong security measures, educate employees, and maintain transparent data-handling practices. Ultimately, a collaborative approach that includes consumers, companies, and regulatory bodies is essential to create a safer digital landscape and safeguard sensitive personal information from malicious actors.