Will your customers be as forgiving should their PII be leaked? Let\u2019s not find out \u2026<\/p>\n
It may be tempting to dive in and just start scrambling sensitive data, but as with any project, we need to do some planning first.<\/p>\n
Make your Plan<\/h2>\n
Here are 5 steps to create your own PII privacy plan:<\/p>\n
Step 1 – Identify PII<\/h3>\n
Take your customer\u2019s perspective: what would they not want published on the Internet? Note that groups of seemingly harmless information can combine as PII (e.g., postal code, birth date, gender).\u00a0 If in doubt, include it.<\/p>\n
Step 2 \u2013 Check with Authorities<\/h3>\n
List all related legislation, government guidelines, requirements for standards compliance and your own organization\u2019s privacy policies. A few examples that may apply to you are: PCI-DSS<\/a>, Identity Theft Protection Act<\/a>, Social Security Protection Act of 2010<\/a>, PIPEDA<\/a>, HIPAA<\/a>. Your customers and the government will not be very forgiving if you plead ignorance, so consult with industry groups, security specialists and read up!<\/p>\n To know how to protect PII, first you need to consider its lifecycles in your organization. If you\u2019re lucky enough to have documented your organization\u2019s workflows, take a second pass through each with an eye on PII privacy.\u00a0Here\u2019s a high-level sample lifecycle: No doubt, your organization\u2019s PII lifecycles will differ. This is not an issue if you know what they are.<\/p>\n You now need to match technologies and techniques to each element of PII in your PII lifecycle.<\/p>\n If you\u2019re the type that spends evenings and weekends monitoring hackerwatch.org<\/a> (my condolences)<\/em>, this may be a simple task. Others may be advised to seek some expertise from your trusted technology provider.<\/p>\n Let\u2019s consider an example.\u00a0You\u2019re a federal electric utility with a desire to survey your customers on their consumption habits and willingness to support green<\/em> initiatives.\u00a0Funny \u2026 this was supposed<\/em> to be a fictitious example, but then I easily found a Scottish Hydro survey<\/a>. Cool! The publicly available online form is capturing: name, email, age range, telephone, address, house ownership status, government benefits, house features and the appetite for green initiatives.<\/p>\n Now let\u2019s go through the high-level PII lifecycle mentioned above and see what technologies can help us.<\/p>\n Standard 128 bit SSL Encryption should be used to protect the data stream between the user\u2019s browser and the web server. That way, if the data stream is intercepted, it\u2019s worthless to a hacker.<\/p>\n SSL protection ends when the data hits your web application, so all the PII is in memory in clear text format.\u00a0At this point, additional data could be combined before storage. Maybe the house features are combined to predict an overall energy efficiency rating. Maybe the address is cross-referenced to an existing utility account number.\u00a0Maybe the data on home ownership, government benefits and appetite for going green are combined to create a marketing priority level (i.e., the homeowner has money and wants green energy).\u00a0You can start to see how a simple survey becomes powerful information \u2013 in good hands or bad.<\/p>\n Storing the data is really the key<\/em> (pun intended)<\/em>.\u00a0You have a lot of options:<\/p>\n Clear text<\/strong> is perhaps the default of most developers. After all, you have a physically secure building, network security and security on the database objects themselves right? Umm \u2026 wrong. You don\u2019t want to rely on these layers alone. All it takes is one disgruntled insider and all your customer survey PII is exposed \u2014 and now your organization is backpedaling for years!<\/p>\n Data scramble<\/strong> This is my own non-technical categorization of little custom\u00a0algorithms to modify data before storage.\u00a0For example, change the order of the characters, mix with some predefined static characters, use the ASCII 3-digit equivalent of each byte of data and perform some mathematical operation like multiplying by 47. This approach will stop a snoop<\/em> but not a motivated hacker<\/em>.<\/p>\n Hash<\/strong> functions like MD5 and SHA-2 scramble the data in more sophisticated ways and produce harder to decipher output.\u00a0They’re relatively simple to implement and pretty common.\u00a0Unfortunately, they’re so common that hackers have some pretty common attacks to break them.\u00a0Going back to the most recent headlines, Sony indicates that their data was hashed.\u00a0If a couple of customers\u2019 records were leaked, the hash would have deterred most hackers, but in this case 77 million records were leaked \u2014 enough to make the computing effort of hash-cracking worthwhile for the nefarious.\u00a0One other practical limitation of hash algorithms is that they are one-way<\/em>.\u00a0For example, for an application to see if a user supplied a valid password, it must MD5-hash their password and compare to see if it matches the MD5-hashed value in the database.\u00a0One cannot just run the hashed value through some algorithm to get back the clear text.<\/p>\n Encryption<\/strong> uses a more sophisticated algorithm involving large prime numbers, mod and exponentiation.\u00a0Public key cryptography (RSA) is the basis of SSL. With large enough numbers, it\u2019s generally considered the gold standard.\u00a0Also, unlike hash functions which are one-way, encryption has two keys.\u00a0The public key is used for encryption while the private key is used for decryption. The cool part is that knowing the public key doesn\u2019t help you decipher anything.\u00a0Of course, it’s critical that the private key remain private!\u00a0However, even encryption has limitations.\u00a0If the same public key is used, two encrypted messages will have the same cipher.\u00a0So, you may not know what postal code a person has by looking at the encrypted data, but you\u2019ll know that they share a postal code with 200 other people on file.\u00a0If somehow you determine one, you have them all.<\/p>\n Tokenization<\/strong> is a step beyond encryption.\u00a0Tokenization aims to create a data vault<\/em> in which all PII is kept.\u00a0Outside the data vault, the operational database contains only tokens<\/em> to the data in the vault.\u00a0The data in the vault is encrypted such that it is virtually useless to a hacker. The tokens themselves are typically unique keys, which when appropriately passed to the token server<\/em> get you back the clear text data.\u00a0You could just as easily store the encrypted data in the operational database, but then your database would need to accommodate very long strings for each encrypted PII field \u2014 this can pose problems especially when retrofitting security into an existing system.\u00a0If the data tokens in the operational database need to be readable for pragmatic purposes (e.g., last 4 digits of a customer\u2019s phone number for CSRs to validate a caller), that can be left in clear format \u2014\u00a0either as part of the token or in a separate database field.\u00a0As with any encryption, the decryption key(s) need to be stored in the most secured location possible, entrusted to a bare minimum of individuals.<\/p>\n The above options for PII storage go from simple to sophisticated. There\u2019s no one right answer for all situations, so consider your needs and consult an expert.<\/p>\n Using and communicating data has always been a part of business, but with the advent of websites, email engines, web services and other automated interchange methods, data is being transmitted en masse outside of your organization more than ever.\u00a0Use and communication of PII should be planned<\/em>.\u00a0Who should be exposed to it?\u00a0Why?\u00a0In turn, how will they respect PII privacy?\u00a0For new initiatives (like the electric utility survey), a privacy policy<\/em> should be created or affirmed and published.\u00a0For PII in the more traditional business, communication of a privacy policy may not be appropriate \u2014\u00a0but rather may be governed by contracts such as confidentiality agreements.\u00a0Regardless, the process is similar: plan and implement your PII communications and ensure your policies or contracts match.<\/p>\n Beyond “copying” of data for communications as outlined above, organizations often create copies of data for dashboards, reports, marketing, telemarketing, etc.\u00a0In our example, marketing will no doubt want access to the survey database so that they can run queries, extract the data to an Excel pivot table, feed email campaigns, etc. Without proper encryption in the database, control over PII would quickly be lost, or left up to the honor system<\/em>. Under the tokenization approach, users can be given more freedom to query the operational database, because it is only through authorized applications that PII is available in clear text format.<\/p>\n System backups and mirroring create copies of the database as well.\u00a0Without proper encryption in the database, the backup media\/disk needs to be secured and controlled as much as the original. With proper encryption techniques, there is no readable PII in the database to worry about.<\/p>\nStep 3 \u2013 What\u2019s Your PII Lifecycle?<\/h3>\n
\n
\n![\"PII](\"\/wp-content\/uploads\/2022\/06\/lifecycle.jpg\" "\\"PII")
\n<\/a>
\n
\n![\"PII](\"\/wp-content\/uploads\/2022\/06\/PII-Table.png\" "\\"PII")
\n<\/a><\/p>\nStep 4 \u2013 Target Technologies<\/h3>\n
![\"Capture\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/capture.jpg\" "\\"Capture\\"")
<\/p>\n![\"Transform\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/transform.jpg\" "\\"Transform\\"")
<\/a><\/p>\n![\"Store\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/store.jpg\" "\\"Store\\"")
<\/a><\/p>\n![\"Comm\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/com_.jpg\" "\\"Comm\\"")
<\/a><\/p>\n![\"Copy\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/copy.jpg\" "\\"Copy\\"")
<\/a><\/p>\n
![\"Destroy\"](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/destroy.jpg\" "\\"Destroy\\"")
<\/a><\/p>\n![\"Smiley](\"https:\/\/lansa.com\/wp-content\/uploads\/2022\/06\/Smiley-Face-3.png\" "\\"Smiley")
<\/a><\/p>\n