I love movies. I love the drama, the conflict, and the resolution. I love movies that are sappy. I love epic tales and stories that include some form of redemption. I love romance, courage and sacrifice. I love it all….
The one theme in a movie I don’t typically enjoy is a movie based on deception. Watching the characters intentionally break trust with other characters is disconcerting to me. In those stories, it’s obvious that at some point the deception is going to be uncovered, and the anxiety I experience waiting for that moment often steals away my movie-viewing enjoyment.
Deception breaks trust…in families, in friendships, and even in business.
PII, PHI, PCI – Are you at Risk?
In our highly regulated business culture, compliance measures have generally not kept pace with legislation concerning the security of personal information. If you are an information governance professional, or have some some expertise in records management, you will already be familiar with the following terms, but it might be helpful to define some key terms:
Personally Identifiable Information (PII)
PII is defined as any piece of data that could potentially identify a specific individual. The list of PII includes but is not limited to:
- Full name (if not common)
- Home address
- Email address (if private from an association/club membership, etc.)
- National identification number
- Passport number
- IP address (when linked, but not PII by itself in US)
- Vehicle registration plate number
- Driver’s license number
- Date of birth
- Telephone number
- Login name
Click here for more information on PII.
Protected Health Information (PHI)
PHI, under US law, is any information about health status, provision of health care, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual. It is often used in the context of Health Insurance Portability and Accountability Act (HIPAA) rules that govern this private data. Preserving the privacy of the 18 HIPAA identifiers is critical in the healthcare sector, and non-compliance can lead to extensive fines – ranging from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.
Click here for more information on PHI.
Payment Card Industry Data Security Standard (PCI)
PCI is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The rules specify twelve requirements for compliance:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Click here for more information on PCI.
As you can see from these three compliance areas, the security parameters are tightening for any business collecting personal information. While the news is full of companies that have been compromised by external threats, the vast majority of companies suffering from data loss are compromised from within.
How to mitigate internal security threats
What are the best strategies to identify and protect critical personal data? Rather that subject you to a longer blog post, let me suggest you download our free e-book! And if there is any other way in which we can serve you, please contact us!