In response to work by the US National Institute of Standards and Technology (NIST) on a cybersecurity framework, the law firm of Mayer Brown conducted a survey of executives and corporate lawyers around IT security. There were a number of interesting results, but one in particular stood out. Given a choice of several IT security threats, an overwhelming number of participants, 63% in fact, chose “breach of confidential personally identifiable information (PII)” over trade secret theft and sabotage of systems. It seems that protecting PII is now front and center for corporate America.
As well it should be. Over the last several years, we’ve seen a depressing litany of cases showing just how vulnerable PII is in the hands of large American companies. Target reported the loss of PII for 110 million customers in 2013 (resulting in the CEO resigning in May 2014); Home Depot, over 60 million by September 2014; Anthem, nearly 80 million in February 2015; and so on. Little wonder that many individuals feel helpless in protecting their private information in the face of continuing successes by well-organized cybercriminals.
Designing to reduce amount of information held
So, what are companies doing in the face of the ever-present threat to corporate-held PII? 37% reported they had a Chief Privacy Officer in place. 46% said they had developed global strategies for IT security and privacy. Yet 49% were unable to say whether they had a written data protection plan in place.
Given the results, it appears many companies are still working out their strategies to protect PII. As companies hopefully move quickly to remedy this situation, one recommendation is that they start by designing their IT systems with privacy and security safeguards built in from the beginning. Another suggestion is that companies adopt the design principle of reducing the amount of PII they hold in their IT systems to the greatest extent possible. While it is tempting to hold onto as much data as possible, companies should consider the liability risks associated with PII and try to reduce what they hold wherever they can. Another option is to entrust the maintenance of this data to a trusted third party.