The Challenges Organizations Face Managing Personally Identifiable Information

Approximately 83% of organizations are expected to have moved their data to the cloud in 2020. However, this comes with a risk. Hackers attack every 39 seconds, on average 2,244 times a day. An organization’s private and personal data is therefore quite vulnerable, especially customers’ personally identifiable information, or PII.

What is Personally Identifiable Information?

As the name suggests, Personally Identifiable Information is any information that can be used to identify an individual.

It’s used to distinguish and trace a person’s identity and includes social security numbers, biometric records, contact number, email address, date of birth, and bank account details.

The cost of a data breach can be huge. Fines alone can be very expensive for organizations. For instance, a breach of healthcare records is a direct violation of the Health Insurance Portability and Accountability Act (HIPAA), with fines of up to $1.5 million per year.

Fines aside, the consequences of not protecting PII include reputation damage, loss of customer trust, employee dissatisfaction and turnover, and clean-up costs.

How Do Hackers Misuse PII?

PII is considered a profitable asset for criminals. For starters, it can be used for identity theft. With personal details such as full name and credit card number, criminals can benefit at the victim’s expense.

Other reasons why hackers use and steal PII include:

  • Selling PII to Other Criminals is Lucrative – PII data can be sold to other criminals on the dark web. This data is then used for buyers’ own criminal purposes.
  • Login Details are Used for Account Takeover – Using PII enables hackers to obtain login credentials and, eventually, break into accounts with payment details. Also known as account takeover, this act results in the victim losing access to their account.
  • Criminals Can Launch Phishing Attacks – Phishing scams enable criminals to get information such as credit card details. Victims may willingly share these details as the attackers use their personal information to get in touch.
  • Stolen PII Can be Used to Extort Companies – With stolen personal data, criminals can target personnel to make payments or share sensitive information. That data, in turn, can be used for targeted phishing attacks or to gain access to company networks.

With so much at stake, organizations need to properly protect PII. This brings us to the major challenges of managing it.

Three Major Challenges of Managing PII

As the world of tech grows more innovative, so do hackers. As a result, PII is constantly in danger. Three main challenges organizations face are:

1) Securing PII Everywhere

Personal information of customers is usually a challenge to monitor because it’s stored in more than one format. Most organizations keep this data in electronic as well as physical formats.

This adds pressure on organizations, as they need to be cautious and track where information goes. As a result, they need to maximize the protection of this information, especially to meet regulatory requirements such as GDPR.

2) Security Issues of IoT Devices

With Bring Your Own Device (BYOD) becoming more common, potential security issues are on the rise, especially since most personal devices aren’t secured to handle company data.

Once an organization has allowed the workforce to use personal devices, there’s always a great possibility of information leaks.

While this can be countered by using Enterprise Mobility Management (EMM), Mobile Device Management (MDM), and Mobile Application Management (MAM) services, many employees may resist them.

3) Human Error

Most errors occur while handling data and stem from a lack of employee training on data security.

If an employee is uninformed on the best practices of cybersecurity, they’ll probably make mistakes such as using a weak password, failing to recognize phishing scams, or deleting data incorrectly.

Training employees is more crucial now than ever, especially as they work from home. However, remote work also makes that training harder to deliver.

PIMS is the Solution

In order to comply with the data protection regulations, organizations can benefit from the Privacy Information Management System (PIMS).

Integrated with ISO/IEC 27001, a PIMS adds trust in an organization’s ability to manage personal information with fewer breaches. The standard used for creating it helps establish improved internal competence and processes while enhancing transparency on controls for privacy management.

As a personal data store, a PIMS ensures users can access their individual data while organizations can keep up with the obligation to keep data up to date and accurate.

If you plan to implement a PIMS in your organization, consider having an ISO/IEC 27701 certified professional on your workforce. Their understanding of PIMS implementation lets them deliver its benefits to your organization.

The certificate you should focus on in this regard is ISO/IEC 27701 Lead Implementer. Training for this certification alone adds to professionals’ knowledge of the concepts of ISO/IEC 27701, the practical implications of data protection regulations, and the principles of a PIMS that complies with ISO/IEC 27701.

And with LearningCert, you get more benefits from training, including access to accredited training materials and experienced trainers, free exam retakes, and much more.

Discuss your training needs with our Training Advisors for more details and guidance.

About the Author

Currently serving as the Director Advisory Services at Business Beam, Syed Nabeel Iqbal is a lead trainer at LearningCert. In addition to being an established GRC lead consultant, he has over 16 years of industry experience, in which he conducted 10+ successful training sessions. He’s also an internationally accredited trainer for 15+ standards and frameworks, including COBIT, ITIL, and ISO standards.
