For most retailers, complying with the Payment Card Industry Data Security Standard (PCI DSS) was their first foray into protecting customer information. Complying with PCI DSS involves securing customer credit card and debit card numbers wherever they reside or travel within the retail organization or with business partners.
Most large merchants either are in or near compliance and the smaller retailers aren’t far behind. This is all well and good, but there’s another kind of customer data that needs protecting: Personally Identifiable Information (PII).
PII can include information such as social security and driver’s license numbers; date of birth; postal and e-mail addresses; phone numbers; passwords and password hints, to name a few. This information can exist throughout a retail chain at store locations, warehouses, corporate headquarters or with business partners such as suppliers. While PII may be structurally utilized in applications like human resources payroll and benefits, it is also often part of ad hoc exchanges of Word and Excel documents via e-mail, arguably the most widely used transport protocol.
Much like the Payment Card Industry has mandated the securing of payment card data through PCI DSS, states have passed breach notification laws to define what personal information must be guarded from a regulatory standpoint for all types of businesses. California led the way with the passing of California Senate Bill 1386 in 2002. Forty states now have breach notification laws and the federal government has several in legislation.
While these laws are less technical than the PCI DSS mandate and do not require audits, they do specify what information must be safeguarded. They also require organizations to notify all of the residents of that state regardless of where the breach took place. Most breach security laws provide a safe harbor that states if you render the data useless through encryption to anyone who gains access to it; you don’t have to report it. Not having to report a breach against secured data preserves corporate reputation.
In addition to state breach notification laws, the government and multiple industries have issued laws with data protection clauses that affect the retail industry. These include the industry-wide Sarbanes-Oxley Act for public companies, the Gramm-Leach-Bliley Act, which dictates interactions with financial institutions, and the Health Insurance Portability and Accountability Act for self-insured companies.
There are also several laws in Canada, the United Kingdom, Europe and Japan regulating protection of PII.
Five Steps to Securing PII
Making the transition to protecting personally identifiable information is straightforward if you approach it systematically.
1. Classify the data — Identify all types of personal data your company collects and stores and determine if it really needs to be collected, and if so, if it needs to be stored. After culling the unnecessary data types, create a hierarchy separating the remaining data types into broad security categories: data everyone can see, data some people can see, and data very few people can see.
2. Find out where the data resides — Identify all points where the data enters your company, track how confidential consumer and employee information flows throughout your organization, and locate where all existing electronic and hard copy PII data resides. Software utilities that scour the network inside applications and databases can help find this information.
3. Remediate and secure the data — Many IT managers thought it would be easy to encrypt credit and debit card data to comply with PCI DSS. In reality, the challenge in remediating and securing the data has been the associated encryption key management, which involves maintaining the keys used by authorized employees to encrypt and decrypt the data wherever it resides throughout the organization. The same is true for encrypting PII. Look for a solution that provides enterprise-wide encryption key management.
4. Enable process and procedures — Securing PII also requires changes in policies and procedures. Because most breaches are internal and accidental, periodic employee education on security best practices is vital.
5. Ongoing security and continual maintenance — Security is an ongoing program of compliance. Continually monitor your electronic and physical security processes and procedures to maintain the level of security necessary to protect confidential information throughout your enterprise and with business partners
Simply protecting payment card data is no longer enough. Retailers need to approach data protection from a broader sense, considering the rise of state breach notification laws and other industry mandates. By adopting general data security best practices, merchandisers can adequately guard all sensitive data entrusted to their organization from customer credit card information to customer, employee and supplier PII.
Gary Palgon is vice president of product management for nuBridges.