Are You Grappling with Privacy Mandates to Comply with PII – Personally Identifiable Information?
Hardening systems is the first step in protecting your PII (Personally Identifiable Information)
Modern businesses collect data, a lot of data. Regardless of your industry, your company relies on PII (Personally Identifiable Information) to provide the best consumer experience possible. This reliance on information makes PII financially valuable. If it didn’t, malicious actors wouldn’t be looking to steal it. Legislative bodies and industry standards recognize this shift. In response, they look to compliance mandates as a way to hold businesses accountable. By hardening systems, you can create a strong foundation for meeting these stringent compliance mandates around protecting PII.
What is Personally Identifiable Information?
Personally identifiable information (PII) is a trail of personal information that has the potential to be left behind, often unknowingly, in a digital environment. PII can directly or indirectly identify consumers with or without consent, much like accidentally leaving a wallet somewhere in public.
What are some privacy mandates focused on PII?
In the last five years, state and federal lawmakers have begun focusing more heavily on protecting consumer privacy. As you look to mature your compliance posture, you need to know the laws that apply to you.
California Privacy Rights Act (CPRA)
In November of 2020, the citizens of California voted to amend the California Consumer Privacy Act, renaming it the California Privacy Rights Act (CPRA). Focusing on retailers and other businesses that market and sell to consumers, the CPRA’s reach makes meeting compliance requirements challenging.
The CPRA places the burden of responsibility for protecting citizens’ privacy on businesses that collect or process PII. It outlines eleven types of data that constitute “Personal Information.” Additionally, it outlines three general notification duties businesses have to customers:
- Data is being collected
- Data will be shared
- Data retention period
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that safeguards the privacy of student education records and applies to all schools receiving U.S. Department of Education funding. With few exceptions, schools are required to have written permission from a parent or eligible student prior to releasing any information from a student’s educational record.
FERPA requires schools to notify parents and eligible students of their rights annually, but the law functions primarily to ensure that parents and students have given consent before information from educational records is disclosed.
Gramm-Leach-Bliley Act (GLBA)
Under the GLBA’s Privacy Rule, financial institutions must provide their customers with annual notices regarding their privacy policies and explain that customers may opt out of sharing their personally identifying information with unaffiliated third parties. In addition, GLBA’s definition of financial institutions goes beyond traditional banks to include credit counselors, financial planners, tax preparers, accountants, and investment advisors.
Hardening Systems as a Step Toward Privacy Compliance
Privacy focuses on two things: securing data from unauthorized access and giving consumers control over how companies use their data. Hardening systems is fundamental to data security, as it allows companies to mitigate the risks that come from known vulnerabilities more successfully.
Security Technical Implementation Guides (STIGs) are cybersecurity requirements commonly associated with the Department of Defense (DoD), but their security protocols have broad applicability for hardening system security regardless of industry. CIS Benchmarks also help harden systems by establishing baseline system configurations which allow organizations to implement additional layers of security and mature over time.
Hardening systems by utilizing STIGs or CIS Benchmarks also allows industries with federal agency oversight to comply with their stringent cybersecurity requirements. For example, the IRS mandated that a national tax preparation service use STIGs to harden systems as part of meeting privacy requirements. Meanwhile, the Department of Education required a student loan company to use STIGs instead of CIS Benchmarks.
As companies seek to meet strict mandates, they can look to STIGs even if they’re not within the DoD supply chain.
Automate System Hardening and Documentation to Comply with Privacy Mandates
Hardening systems is the cornerstone of an organization’s security and privacy program. However, implementing the low-level technical controls that mitigate risks arising from known vulnerabilities can be challenging. The interconnected nature of most enterprise IT stacks means that changing one configuration can create a conflict that leads to system downtime. These outages cost your company money through business interruption and lost employee productivity.
SteelCloud’s patented ConfigOS makes it easy to implement STIGs and CIS Benchmarks. Our solution can scan your environment in just a few hours and automatically remediate conflicts, eliminating costly downtime. Additionally, to help organizations comply with increasingly stringent compliance requirements, ConfigOS documents all changes for continuous assurance.