What must you do when emailing personally identifiable information?

Have you ever sent or received information about yourself or someone else via email? If so, it’s possible you’ve handled personally identifiable information (PII), a type of restricted data that requires a high level of information security — data that shouldn’t be in your inbox.

PII includes but is not limited to such stand-alone elements as a full Social Security Number or passport number. It also includes a full name in combination with such elements as date of birth or ethnic affiliation. (Access the infobox below for more examples of personal identifiers.)

The Department of Homeland Security (DHS) defines PII more broadly — “any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.”

The definition and identifiers are part of the U’s Data Classification and Encryption Rule, which provides guidance on how university organizations and users should handle PII and other restricted data to comply with myriad legal and regulatory standards.

Ultimately, it comes down to privacy, said Trevor Long, associate director for the Information Security Office’s (ISO) Governance, Risk & Compliance (GRC) team.

“It's 2022. We need to ensure that we're not sending confidential information through email. There are better ways,” Long said.

Email, he said, is an inherently insecure mechanism to transmit and receive restricted and sensitive data, including PII. The ISO is particularly concerned about online forms and web apps that collect PII and other confidential information through user submissions and then send that data by email. Data sent this way is said to be “sent in the clear” or in “clear text.” In other words, anyone positioned between the online form or web app server and the receiving inbox can read the message, and nothing protects the data as it crosses the internet.

Long said alternatives exist that align with university policies and regulations.

Some services, such as UBox and the PeopleSoft admin tool for Human Resources, already have controls in place, he said. When an item is available for review, rather than sending the restricted data insecurely by email, the service sends users a notification or message with a link to the file or platform, where they must log in to access the information.

“That’s the standard now, and it is supported by the growing body of privacy regulation. Organizations are updating their processes to make sure that confidential information is not sent through email,” he said. “Instead, you log in to a portal where there's multifactor authentication like Duo 2FA, logging, and other controls, and then you view the confidential information through an encrypted session.”

The ISO encourages anyone still handling PII with outdated tools or business processes to update them to comply with university policy. Such policies and state and federal regulations, Long said, exist to better protect the data of the university and its students, faculty, staff, and patients, as well as the privacy of its guests.

“We need to be willing to change as regulations and laws are updated and criminals change their tactics,” he said. 

Anyone with questions about the U’s Data Classification and Encryption Rule or handling personally identifiable information can contact the GRC team at for assistance.   

Depending on the conversation, you may get very different definitions of what personally identifiable information (PII) is. Generally, people agree that it’s information hackers could use to perform any number of crimes against a person. Most frequently, the specific crimes seem to be fraud and identity theft. A hacker could also use PII to blackmail or stalk a person. The possibilities are, unfortunately, endless.

And so are the breaches. Since 2005, there have been over 5,000 data breaches, which have leaked almost 1 billion records. And that number only includes breaches where more than 9 records were leaked, and the breach was publicized.

Let’s give your company the benefit of the doubt. We’ll assume you don’t want your customers stalked or their identities stolen. (And you probably don’t want to deal with the fines and bad publicity that come with data breaches.) So, your concern will be around keeping customers’ information secure while not interrupting or hindering your business processes. You’ll need to know when and how to secure PII.

Know what PII you have

In order to secure personal information, you’ll need to know what kind your company handles.

The easiest PII to identify is the kind that doesn’t change and is already regulated, including the following:

  • Social security numbers (local laws)
  • Bank account numbers (state data protection laws)
  • Healthcare information (HIPAA)
  • Medical insurance information (HIPAA)
  • Student information (FERPA)
  • Driver’s license and state ID information (state data protection laws)
  • Credit and debit card numbers (state data protection laws)

Unfortunately, it’s not always that simple. Not all PII is the same. A person’s social security number is more sensitive than his or her email—yet both are PII. And a person’s fingerprint is more sensitive than that person’s phone number.

To make sure you’re prioritizing correctly, we’ll distinguish between public and sensitive PII.

Public

Public PII is available to the public, if you know where to look. Voter registration can be public record. Phone books are also available to the public. And websites—including personal blogs and social media—display various elements of PII, depending on the person’s web presence and privacy settings.

Examples of public identifiers:

  • Name
  • Email
  • Home address
  • Phone number

Sensitive

Meanwhile, sensitive PII should not be in public record. When hackers get it, they can bring more havoc to that person’s life than they could with public PII. Sensitive PII can be a single, stand-alone identifier or an identifier paired with another identifier (such as a public identifier).

Note that single identifiers are still PII on their own. They’re just not sensitive until they’re paired with another identifier. For example, hackers who know the password “1234” exists can’t do much until they know what account it’s for. Once you know the kind of personal information your company handles, you can scale protection and encryption to match the sensitivity of the information. The more sensitive the information, the more concerned you should be about securing it.
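One way to put the public/sensitive distinction above to work is an outbound-mail check that labels a message before it leaves. The following is an added example, not part of the original article: it looks for the identifier categories the article lists (SSN and card numbers as stand-alone sensitive elements; email and phone as public) and applies the pairing rule, treating a labelled date of birth as sensitive only when it appears alongside a public identifier. The regexes, the DOB label format and the sample messages are assumptions constructed for illustration.

```python
"""Added example, not from the original article: an outbound-mail check that
labels a message body as holding no PII, public PII or sensitive PII using the
identifier categories the article gives. Sample messages are constructed."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")          # stand-alone sensitive
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")              # stand-alone sensitive
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{4}-\d{2}-\d{2}", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")   # public
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")      # public


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject patterns the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that payment card numbers satisfy; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Map identifier category -> list of matches found in the text."""
    found = {}
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    cards = [re.sub(r"\D", "", m.group(0)) for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(c)]
    for name, hits in (("ssn", ssns), ("card", cards), ("dob", DOB_RE.findall(text)),
                       ("email", EMAIL_RE.findall(text)), ("phone", PHONE_RE.findall(text))):
        if hits:
            found[name] = hits
    return found


def classify(text: str) -> str:
    """'sensitive' for a stand-alone sensitive element, or a DOB paired with a public
    identifier (the article's pairing rule); 'public' for contact data alone; else 'none'."""
    found = find_pii(text)
    public = {"email", "phone"} & found.keys()
    if "ssn" in found or "card" in found or ("dob" in found and public):
        return "sensitive"
    return "public" if public else "none"


if __name__ == "__main__":
    # Constructed sample messages; the card number is a well-known test number.
    for s in ["Meeting moved to 3pm, room 204.",
              "Call Jane at 801-555-0142 or jane@example.edu about the form.",
              "Student record: DOB 1999-04-12, contact jane@example.edu",
              "Per your request, SSN 219-09-9999 and card 4111 1111 1111 1111."]:
        print(f"{classify(s):>9}: {s}")
```

A real deployment would add the other categories from the list above (bank account, driver’s license, health data) and route anything labelled sensitive to an encrypted channel instead of plain email.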

Find your PII

Does your company send a lot of PII through emails? Do employees store it on their laptops? Do you keep it for weeks, days, or hours?

To create a proper privacy plan, you’ll need to know not only what kind you collect but also where it goes.

Here’s where you can start interviewing employees if you’d like. Employee practices are especially insightful if you already have a privacy plan in place and are updating it rather than starting from scratch. With truthful feedback from employees, you can adapt your privacy plan to be more user friendly while maximizing security.

Let’s take a look at some questions you might ask employees:

Where do you store documents?

There’s a big difference in security between documents stored on a remote server and documents stored on a laptop that an employee takes home every night. The average laptop simply isn’t secure enough for storing sensitive PII. Employees could also be storing PII on thumb drives, personal devices, consumer cloud solutions (e.g., Dropbox, OneDrive, and iCloud), and even (indirectly) copiers.

How do you share documents?

Employees should know when they’re handling PII. If not, they might share it the same way they’d share a document without it. Whether that’s through an email, a secure document management system, or file-sharing networks that enable peer-to-peer sharing will depend on your company’s policies. Generally, email is only secure if employees encrypt the documents. Document management systems can be quite effective if you’ve managed to get widespread user adoption. Finally, peer-to-peer sharing tends to be quite vulnerable.

How long do you keep documents?

If employees store PII on their personal computers, you’ll need to make sure they’re regularly deleting it. Better yet, try to coax them into only storing documents on a secure server rather than on their personal devices. But even on a server, it needs to be deleted regularly. Consult the regulations your company needs to comply with to determine how long you must keep PII. Your business policies will also help determine how long you need to keep certain PII.

Minimize your interactions with PII

Perhaps the best way to avoid a data breach is by not having PII. Granted, there’s a good chance that simply isn’t possible for your company. Since your company needs it, the best practice is to use caution during collection, storage, and sharing.

Don’t collect information you don’t need.

In 2012, the Federal Trade Commission (FTC) filed a complaint against a company that needlessly collected both a user’s email address and password. Really, just emails would have been enough. Collecting both (and storing them unencrypted) was an unnecessary risk. Avoid litigation and make sure you’re protecting PII by only collecting what’s absolutely necessary for your business processes.

Don’t keep information longer than you have to.

In 2005, the FTC filed a complaint against a retailer that held onto credit and debit card information for 30 days. The company did so even though it didn’t need the information for that long, and it was violating bank security rules. Combined with other poor practices, keeping the card information for 30 days enabled someone to steal it and make millions of dollars in fraudulent purchases. Delete PII that you don’t need as soon as you know you don’t need it.

Don’t share information with just anyone.

Whatever method you use to share and store documents with PII needs to be restricted. Limit permissions so it’s only viewable on a need-to-know basis. The more sensitive the information, the more caution you should establish among employees for viewing, sharing, and storing it. Accessing documents with PII should involve rigorous authentication steps and some way to guarantee that the employee actually needs to see it. If an employee needs a document but not the PII contained in it, find some way to redact the information before granting access. The same principles apply when you share PII with business associates.

Secure your PII

It’s important to know the sensitivity level of the information your company handles. And you should be familiar with how your company collects, retains, and restricts access. But now let’s talk about how you can secure the PII you do have.

Whether your PII is in motion or at rest will decide how you should hide it from hackers. It may also vary depending on the sensitivity and the recipient of the information.

Secure your electronics

The Internet of Things means there are more devices than ever that can store personal information. Your privacy plan will likely need to address electronics from copiers to approved computers to mobile devices. You might want to restrict laptop users so that they can access but not store PII. Make sure that the only information stored on a computer (instead of on a secure server) is essential for a business process.

Monitor overall network security.

Firewalls are designed to keep hackers from entering your network. For them to be effective, you’ll need to regularly update them. It’s important that you don’t rely only on your firewall for security, though. In addition to updating your firewall, make sure you’re updating and monitoring any third-party software and applications. Check vendors’ and experts’ websites for alerts about the latest vulnerabilities.

Manage passwords.

Employees with simplistic passwords aren’t helping anyone—not even themselves—in the long run. It can be frustrating to create and memorize passwords with multiple requirements. But passwords with a variety of uppercase and lowercase letters, numbers, and symbols are drastically more secure than a password like “greencar.” By requiring employees to create complex passwords, you’ll be involving them in a concrete line of defense against hackers.

Encrypt PII in motion.

When you’re sharing PII, it’s considered to be in motion. It’s important to encrypt all information that’s in motion. For example, say your customers enter their phone number, email, and home address into a form online. Of course, you’ll encrypt that as it travels from them to you. But once it’s within your organization, are you still encrypting it? Even within a secure network, you should encrypt any PII in motion—whether through email, file sharing, or another medium.

Detect breaches.

Hopefully, you’ll never have to deal with a data breach. But, if someone gets into your system, the faster you can find out, the better. Consider installing an intrusion detection system. IT may also monitor central log files of security-related information. By monitoring incoming and outgoing traffic, you’ll know if someone is suddenly transferring out more files than usual or if a system is testing passwords to get into your network.
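The two signals named in the paragraph above, a system testing passwords and someone transferring out more than usual, can be checked with simple logic over central logs. The following is an added example, not from the original article: it runs over constructed authentication log lines and per-user daily outbound transfer totals; the log format, window, threshold and multiplier are assumptions chosen for illustration.

```python
"""Added example, not from the original article: the two detections the
"Detect breaches" paragraph describes, run over constructed log records.
Log format and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines: "<ISO time> <result> user=<name> src=<ip>"
AUTH_LOG = """\
2022-05-02T09:00:01 FAIL user=jdoe src=203.0.113.7
2022-05-02T09:00:03 FAIL user=jdoe src=203.0.113.7
2022-05-02T09:00:04 FAIL user=asmith src=203.0.113.7
2022-05-02T09:00:06 FAIL user=bwong src=203.0.113.7
2022-05-02T09:00:07 FAIL user=cdiaz src=203.0.113.7
2022-05-02T09:00:09 FAIL user=dlee src=203.0.113.7
2022-05-02T09:14:00 FAIL user=jdoe src=192.0.2.10
2022-05-02T09:20:00 OK user=jdoe src=192.0.2.10
"""

# Constructed daily outbound transfer totals per user, in megabytes (last entry is today).
TRANSFERS_MB = {
    "jdoe":   [120, 95, 130, 110, 4100],   # today's volume is an outlier
    "asmith": [300, 280, 310, 295, 320],
}


def password_spray_sources(log: str, window_s: int = 60, threshold: int = 5) -> list:
    """Return sources with >= threshold failed logins inside any window_s-second span."""
    fails = defaultdict(list)
    for line in log.splitlines():
        ts, result, _user, src = line.split()
        if result == "FAIL":
            fails[src.split("=", 1)[1]].append(datetime.fromisoformat(ts))
    flagged = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged


def exfil_suspects(totals: dict, factor: float = 3.0) -> list:
    """Return users whose latest daily outbound volume exceeds factor x their prior average."""
    suspects = []
    for user, days in totals.items():
        history, latest = days[:-1], days[-1]
        if history and latest > factor * (sum(history) / len(history)):
            suspects.append(user)
    return suspects


if __name__ == "__main__":
    print("password testing from:", password_spray_sources(AUTH_LOG))
    print("unusual outbound volume:", exfil_suspects(TRANSFERS_MB))
```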

Train employees well and frequently

You’ve probably heard it a thousand times, but that doesn’t make it any less true: the best policies and procedures are worthless if your employees won’t follow them. When it comes down to it, well-trained employees are the most effective defense against hackers.

Ongoing training for employees might be just as pivotal as the training you do for new employees. Reminders about important practices and updates about new ones will keep PII security at the forefront of employees’ minds.

How you can apply this to your company

The road to securing PII can be confusing. Understanding which regulations apply to your company, and how PII is actually handled inside it, can take a while. In the meantime, here are some small steps you can take to find out how employees are helping or hindering PII security.

  1. Ask employees if they encrypt their emails. As we’ve seen, it’s important to encrypt PII that’s emailed within and outside of your company. Find out whether employees know they need to encrypt PII sent to a coworker as much as they do for PII sent to a business associate.
  2. Look around for passwords. This doesn’t mean looking over employees’ shoulders as they log in to see if they use numbers in their passwords. What this means is look for Post-Its with passwords written on them. A strong password is much less strong if it’s sitting out in the open.
  3. Find out the date of the last training session. Has it been years since employees were reminded how they can be securing PII? Or maybe your company is on top of things and had a training session last month. If there hasn’t been a training session in 3 years, you shouldn’t be surprised if employees aren’t following policies. However, if your last training session was last month, but employees still aren’t following policies, something’s up.

Keep learning

  • https://www.ftc.gov/system/files/documents/plain-language/bus69-protecting-personal-information-guide-business_0.pdf
  • http://searchfinancialsecurity.techtarget.com/tip/Data-masking-best-practices-for-protecting-sensitive-information
  • https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
  • http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
  • http://www.esecurityplanet.com/browser-security/how-to-protect-pii.html
  • http://www.isaca.org/Journal/archives/2014/Volume-1/Pages/Auditing-for-PII-Security-Compliance.aspx
  • http://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf


What must you do when emailing personally identifiable information?

Sending Sensitive PII within or outside of DHS. When emailing Sensitive PII outside of DHS, save it in a separate document and password-protect or encrypt it. Send the encrypted document as an email attachment and provide the password to the recipient in a separate email or by phone.

What must you ensure before transmitting personally identifiable information or PHI via email?

Never use personal e-mail accounts for transmitting PII and PHI. PII and PHI may only be e-mailed between Government e-mail accounts and must be encrypted and digitally signed when possible.

Is email a personally identifiable information?

Personally Identifiable Information (PII), or personal data, is data that corresponds to a single person. PII might be a phone number, national ID number, email address, or any data that can be used, either on its own or with any other information, to contact, identify, or locate a person.

Is it OK to send PII via email?

Is it safe to send PII via email? No, you should never send PII over email. However, if you must send PII over email, it needs to be encrypted and certain security protocols must be met to ensure that if it's intercepted, the PII won't be readable.