Who Protects PII – Consumers or Companies? (Meet Qualys WAS)

Examples include driver’s license numbers, social security numbers, addresses, full names, etc.

PII doesn’t only include obvious links to a person’s identity, such as a driver’s license. Data fragments which, when combined with other data sets, reveal an individual’s identity could also be classified as PII. Even data that could be used in de-anonymization techniques could be considered PII.

Examples of Sensitive PII
Sensitive PII includes, but is not limited to, the following unique identifiers:

• Name - Full name, maiden name, mother's maiden name, or alias.
• Address information - Street address, work address, or email address.
• Personal identification number: Social security number (SSN), passport number, driver's license number, taxpayer identification number, financial account number, bank account number, or credit card number.
• IP addresses - Some jurisdictions even classify IP addresses as PII.
• Medical Records
• Financial information

Examples of Non-Sensitive PII
Non-sensitive PII is any information that could potentially link to an individual. Examples include:

• Race
• Gender
• Place of birth
• Date of birth
• Religious beliefs
• Zip code
• Mobile numbers
• The telephone number on a public register.

By understanding the conditions that warrant a PII classification, your organization will understand how to use information security to store, process, and manage PII data correctly.

You can’t protect PII if you don’t know how to identify it.

Did you know that as a consumer, 25% of the apps you engage with are collecting your Personally Identifiable Information (PII)? Do you know why they are collecting it or where they are storing it? Also, do you realize as a company, General Data Protection Regulation (GDPR) fines can reach up to 4% of your global annual revenue? 

PII encompasses any data that can be used to identify an individual, such as names, addresses, social security numbers, and financial details. The responsibility of safeguarding this sensitive information is often a topic of debate, which raises an important question: 

Who does the burden of protecting PII fall on: consumers or companies? 

The Responsibilities of Consumers in Protecting PII 

While most can agree that companies have a significant role in securing PII, consumers also must accept specific responsibilities when it comes to protecting their data. Here are a few key actions consumers can take: 

• Strong Passwords and Authentication: Consumers should create unique, complex passwords for all their online accounts and enable multi-factor authentication wherever possible. This simple step can go a long way in preventing unauthorized access to personal information. 
• Exercise Caution in Sharing Information: Consumers must be cautious about sharing their PII online. This includes being mindful of the information they provide on social media platforms, avoiding oversharing, and being careful when responding to unsolicited requests for personal data. 
• Regular Software Updates: Keeping devices, operating systems, and applications up to date with the latest security patches helps protect against known vulnerabilities that hackers may exploit to gain access to personal information. 
• Educating Themselves: Consumers should stay informed about the latest cybersecurity best practices, common threats, and scams. By being aware of potential risks, they can make informed decisions and avoid falling victim to cybercrime.

The Responsibilities of Companies in Protecting PII

Due to privacy concerns, more than 50% of users do not use web apps. Taking into account companies’ access to large volumes of personal data along with their ability to collect it, they play a critical role in protecting users’ PII data.

One of the major reasons for PII exposure is security misconfigurations.  

Here are some ways in which security misconfigurations can result in PII exposure:

• Weak or Default Passwords: The use of weak or default passwords is a common security misconfiguration that can result in PII exposure. If default passwords are not changed or strong password policies are not enforced, attackers can easily guess or use brute force to find their way into systems and gain access to PII stored within those systems.
• Improper Access Controls: Misconfigurations in access controls can lead to unauthorized users gaining access to sensitive PII. For example, if access controls are not properly set up on a database containing PII, an attacker can exploit this misconfiguration to gain unauthorized access and extract sensitive information. Insufficient user authentication and authorization mechanisms can also allow unauthorized users to view or modify PII.
• Misconfigured Cloud Storage: Cloud misconfigurations can inadvertently expose PII to the public internet. For example, if cloud storage buckets or databases are misconfigured with overly permissive access controls, sensitive data can be accessed by anyone with knowledge of the misconfiguration. This can occur if administrators fail to properly configure access permissions, leaving PII unprotected and accessible to unauthorized individuals.
• Insecure Network Configurations: Misconfigurations in network settings, such as firewalls, routers, or intrusion detection systems, can open pathways for attackers to access PII. Failure to properly configure firewall rules or network segmentation can allow unauthorized access to sensitive data, exposing PII to potential breaches.
• Failure to Apply Security Updates: Neglecting to apply security updates and patches to software, operating systems, and applications can leave systems vulnerable to known exploits. Attackers can take advantage of these vulnerabilities to gain unauthorized access to systems containing PII. By keeping software and systems up to date, organizations can ensure that security vulnerabilities are addressed promptly, reducing the risk of PII exposure.
   

Here are some key steps in detail that your organization can take to safeguard PII:

• Continuous Discovery of PII Exposures: Use a cloud-based web application scanning product (such as Qualys WAS) to continuously detect PII exposures, runtime vulnerabilities, misconfigurations, and web malware across modern web apps and APIs. 
• Data Encryption and Security Measures: Implement robust encryption mechanisms to protect PII during transmission and storage. Additionally, access controls, firewalls, and intrusion detection systems should be in place to secure sensitive data from unauthorized access.
• Privacy Policies and Consent: Always be transparent about your data collection practices and obtain explicit consent from consumers before collecting, storing, or sharing their PII. Clear and concise privacy policies should also be readily available to consumers, outlining how their data will be used and protected.   
• Employee Training and Awareness: Provide comprehensive cybersecurity training to your employees, emphasizing the importance of data protection and best practices for handling PII. Employees should also be educated on how to identify and respond to potential security threats and breaches.
• Incident Response and Breach Notification: Be sure to have a well-defined incident response plan in place to detect, respond to, and mitigate data breaches effectively. In the event of a breach, timely and transparent communication with the impact on consumers is crucial to minimize potential harm and maintain trust.

In conclusion,  both consumers and companies have integral roles to play. While consumers must exercise caution, adopt best practices, and stay informed, companies have the responsibility to implement strong security measures, educate employees, and maintain transparent data-handling practices. Ultimately, a collaborative approach that includes consumers, companies, and regulatory bodies is essential to create a safer digital landscape and safeguard sensitive personal information from malicious actors.