
Achieve PII Compliance through Security Awareness Training

October 15, 2015 by Peter Lindley

When the internet started gaining momentum, personally identifiable information (PII) seemed like an afterthought. Times have changed. As the U.S. Department of Labor puts it, "safeguarding information is a critical responsibility that must be taken seriously at all times." But it's not just government agencies that prioritize the stewardship of PII. Everyone in an organization must understand PII protection requirements — and put that knowledge to work — to avoid breaches and fines. 

Learn what PII is and how you can meet PII compliance requirements using security awareness training. 


What is personally identifiable information (PII)? 

Personally identifiable information is defined by the National Institute of Standards and Technology (NIST), following OMB Memorandum M-07-16, as "information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc., alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." 

With ever more of this data being processed, stored and transmitted by IT systems, security controls must be in place to maintain public confidence in the organizations that handle PII. 

In addition, PII has for some time been subject to a plethora of state, federal and international privacy laws (such as the EU's GDPR and California's CCPA), as well as sector-specific legislation such as HIPAA (Health Insurance Portability and Accountability Act) for health data. 

Who needs security awareness training for PII? 

Everyone in your organization who interacts with customer or company data needs security awareness training for PII. By providing them with training, you not only ensure they understand how to protect sensitive data, but you also protect your company from violating various data protection regulations. 

Federal data privacy regulations 

What is PII compliance from the perspective of lawmakers? The U.S. government places a high value on the responsible handling of its citizens' data. For instance, the Privacy Act of 1974 requires federal agencies to implement appropriate procedural, technical and physical safeguards for the records they hold on individuals. As federal agencies moved more PII processing onto IT systems and networks, the E-Government Act of 2002 was introduced to give the public assurance about electronic government services specifically. 

The E-Government Act also requires federal agencies to carry out privacy impact assessments (PIAs) before building or procuring systems that collect PII, and to post their privacy policies on agency websites. 

Similar legislation is in place in most parts of the world: Canada, Australia and New Zealand each have their own Privacy Act. The UK has its Data Protection Act, and Germany's Federal Data Protection Act (BDSG) is often cited as one of the strictest national regimes. 

In the U.S., to help organizations that process PII demonstrate compliance with the relevant legislation and give assurance to the citizens whose personal information they hold, NIST's Information Technology Laboratory (ITL), which writes the security standards and guidelines that federal agencies follow, has published guidance for protecting PII, notably NIST Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)." 

State-level data privacy regulations 

While some states may rely on federal regulations to guide their data protection policies, others design their own. Some of the more notable regulations include: 

  • The California Consumer Privacy Act (CCPA): This went into effect on January 1, 2020. It gives consumers the right to know what personal data organizations keep on them and to have it deleted. They also have the right to opt out of having their data sold to third parties. 
  • The Virginia Consumer Data Protection Act (VCDPA): This is a relatively new law, in force since January 1, 2023. It gives consumers the right to access their data and to learn how businesses use it. Like the CCPA, the VCDPA gives people the right to delete and correct their data, to opt out of certain processing and to obtain a copy of the data organizations keep on them. 
  • The Colorado Privacy Act (CPA): Colorado passed the CPA in 2021, and it took effect on July 1, 2023. It has many of the same provisions as the CCPA and VCDPA regarding access, deletion and correction, as well as opting out of data collection. 


Security awareness training across your organization 

In most organizations, many employees interact with sensitive data at some point in their work, and all of them need training. But keep the following groups particularly in mind: 

  • Executives in the C-suite, because they make decisions that shape how the company collects and uses data. 
  • Human resources employees and managers, who must understand their responsibilities for the data of current and former employees, as well as job candidates and recruits. 
  • Marketing team members, who handle customers' personal data in a customer relationship management (CRM) system and while nurturing leads. 

PII compliance and security awareness training 

Even though your PII compliance steps will vary based on your business model and the data your organization works with, here are some of the things your security awareness program should include: 

  • How encryption protects data in transit and at rest, and what it does not protect against. 
  • How to store data without sacrificing security. 
  • How data gets shared, both by people and by systems. 
  • The role of access controls, including role-based access and the technologies used to verify identity. 
  • What to do if there is a breach. This training should include the specifics of your organization's incident response plan, broken down by department, responsibility or individual. 

Sensitive vs non-sensitive PII 

There are different levels of sensitivity when it comes to PII. The line is drawn by how much harm exposing the information could cause. If sensitive PII is exposed, someone can use it to commit fraud or identity theft. If non-sensitive PII falls into the wrong hands, it may help an attacker, but on its own it does not give them enough to commit outright fraud. 

Sensitive PII is generally data that, by itself, distinguishes one person from everyone else: a single piece of it is enough to set you apart from others in the same area, or even others with the same name. The one exception in the list below is your date of birth. It is usually treated as sensitive because, combined with only your full name, it is enough to single you out from most, if not all, other people. 

Examples of sensitive PII include: 

  • Bank account numbers 
  • Credit card information 
  • Passport numbers 
  • Driver's license numbers 
  • Social Security numbers 
  • Medical records 
  • Biometric data, such as fingerprints and facial recognition data 
  • Date of birth 

Non-sensitive PII on its own often presents minimal risk. For instance, if an attacker has any of the following forms of PII, they will likely need additional information to execute fraud or steal money: 

  • Email address 
  • Gender 
  • Full name 
  • ZIP code 
  • Phone number 
  • Job position 
  • University you attended 

Cybersecurity best practices for handling PII safely 

Personally identifiable information isn't necessarily a hot potato you have to get rid of as soon as possible. There are ways of managing it without incurring excessive risk. Here are some best practices you can start implementing right away: 

  • Encrypt all sensitive data, both in transit between its source and destination and at rest. Attackers cannot read encrypted data without the decryption key, so keep the keys under separate access controls from the data they protect. 
  • Minimize the amount of PII you keep. You do not have to protect PII you do not have, so collect and retain only what your operations definitely need. 
  • Establish access controls that restrict who can view PII. If there are no access controls in front of your PII today, adding an authorization check at the point where the data is read is usually a modest development task. 
  • Hide portions of PII wherever the full value is not needed. For instance, show only the last few digits of a Social Security number on screens and in logs. 
  • Get rid of PII when you no longer need it. For example, delete the accounts of former customers once any legal retention period has expired. 
  • Classify the data you keep. For some organizations this means labeling certain PII as "sensitive" and other data as "non-sensitive." Then, if a section of your database holds sensitive information, such as payment data, you design your encryption and access controls accordingly. 
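As an added example (not code from the original article), here is a small Python redaction helper that applies the sensitive/non-sensitive split described above and three of the best practices in the list just given: it classifies each field of a record, masks sensitive values so only the last few digits remain, and scrubs Social Security numbers and payment card numbers out of free-text fields before the record is written to a log or shown to support staff. The field names, regular expressions and sample record are assumptions constructed for the example. A run of digits is only treated as a card number when it passes the Luhn checksum, so order references that merely look like card numbers are left readable.

```python
"""Classify the fields of a customer record as sensitive PII, non-sensitive PII
or other, then mask the sensitive values before the record reaches a log line
or a support screen. Added example; rules and sample record are constructed."""
import re
from typing import Dict

# Fields that are sensitive by name, mapped to how many trailing characters may
# stay visible (4 for SSNs, card and account numbers; 0 for a date of birth,
# which is masked entirely). Assumed field names, not a standard.
SENSITIVE_FIELDS = {
    "ssn": 4, "social_security_number": 4, "account_number": 4,
    "card_number": 4, "passport": 4, "drivers_license": 4,
    "dob": 0, "date_of_birth": 0,
}
# Non-sensitive PII: tagged so it is handled with care, but left readable.
NON_SENSITIVE_PII = {"full_name", "name", "email", "phone", "zip", "gender", "job_title"}

# Value patterns, so a sensitive number hidden in a free-text field (a support
# note, a comment) is still caught even though the field name looks harmless.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Rejects most digit runs that
    merely look like a card number, which keeps order IDs out of the redaction."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace everything but the last `keep` characters with '*', preserving
    length. keep=0 masks the whole value (value[-0:] would return all of it)."""
    if keep <= 0 or len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def classify(field: str, value: str) -> str:
    """Return 'sensitive', 'pii' (non-sensitive PII) or 'other' for one field."""
    name = field.lower()
    if name in SENSITIVE_FIELDS or SSN_RE.search(value):
        return "sensitive"
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "sensitive"
    if name in NON_SENSITIVE_PII or EMAIL_RE.match(value):
        return "pii"
    return "other"


def scrub_text(text: str) -> str:
    """Mask SSNs and Luhn-valid card numbers embedded in free text."""
    text = SSN_RE.sub(lambda m: mask(m.group()), text)
    return CARD_RE.sub(
        lambda m: mask(m.group()) if luhn_ok(re.sub(r"\D", "", m.group())) else m.group(),
        text,
    )


def redact_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `record` that is safe to log or show to support staff."""
    out = {}
    for field, value in record.items():
        if classify(field, value) != "sensitive":
            out[field] = value                          # non-sensitive PII stays readable
        elif field.lower() in SENSITIVE_FIELDS:
            out[field] = mask(value, SENSITIVE_FIELDS[field.lower()])
        else:
            out[field] = scrub_text(value)              # the secret sits inside free text
    return out


# Constructed sample record (not real data) exercising each category.
SAMPLE_RECORD = {
    "full_name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "dob": "1984-07-04",
    "notes": "customer paid with card 4111 1111 1111 1111, order ref 1234 5678 9012 3456",
}

if __name__ == "__main__":
    for field, value in redact_record(SAMPLE_RECORD).items():
        print(f"{field:10} [{classify(field, SAMPLE_RECORD[field]):9}] {value}")
```

In practice a helper like `redact_record` belongs in the logging path itself (for example inside a `logging.Filter`) rather than being called ad hoc, so that no code path can forget it. Pattern matching on values is a safety net for data that ends up in the wrong field; it does not replace classifying fields at design time and putting access controls in front of the sensitive ones.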


What is security awareness training? 

Security awareness training, in the context of PII compliance, is about making individuals more mindful of the threats that endanger personal information. The right program demystifies phishing scams, password management and social engineering tactics so that employees recognize them and respond correctly. 

The regulatory landscape around PII makes getting your employees the right training essential. Regardless of the sensitivity of the PII you hold, it is prudent to ensure your team members know how to handle it and what to do if there's a security incident. 

Cybercriminals keep inventing new ways to capture personal information, steal data and disrupt businesses for profit, and employees inevitably make mistakes that put your organization at risk. Understanding these risks and how to avoid them lets you prevent incidents rather than only react to them, and protects the data you are responsible for. 

Review our additional security awareness training resources or speak with someone at Infosec if you have any questions about how to get the best training for your team. 

Peter Lindley

Pete is an IT Security Manager for a large financial services organization in the UK, with many years' experience implementing and managing Information Security Management Systems and acting as the single point of contact for advice and guidance on all IT security issues.