Protecting PII - Passwords, Bank Accounts, and Email Addresses?
About five years ago I set myself the task of reading every state's data privacy law. At the time 44 states had passed some form of data privacy law, and several were in the process of updating them. I also built a spreadsheet that cross-referenced what each state considered Personally Identifiable Information (PII) requiring protection. The State of California had led the way with SB-1386, and many states followed.
I learned a few interesting things from the process:
A significant number of states just lifted verbatim what other states had written into law. A rough guess is that about one third of the states had almost identical data privacy laws.
But the remaining two thirds of the regulations varied greatly, even in how they defined PII. It was common to treat a first name and last name in combination with a Social Security number, bank account number, or driver's license number as PII that needed to be protected. But after reading and collating all 45 states, I found some states with lists of up to 41 data items that counted as PII. In addition to the standard items there were passport numbers, military IDs, medical record numbers, email addresses, and much else. I even found definitions of PII that went something like this: "Any information in aggregate that can identify an individual must be protected." It was a lot of ground to cover.
Shortly after this exercise I remember having a conversation with a Midwestern CIO about that information. She said, "Really, email addresses? But what do I do about Outlook?"
It was a good question then, and it is even more cogent today. When an email address is exposed along with other information about an individual, the consequences can be serious: the address is usually that person's username, and the password-reset channel, for many other accounts.
Just look at the news today about Amazon and Apple. Information that Amazon routinely exposed was used to gain access to sensitive data on Apple's services, and the victim's email address was an important piece of the information used in that attack.
So, should you be protecting email addresses? Absolutely!
As many of the recent data breaches demonstrate, an email address combined with a password, a crackable password hash, or other personal information can lead directly to account takeover and a further breach. Just think of eHarmony, LinkedIn, Yahoo, and many others recently in the news. It is common to store email addresses in business databases used for Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), and similar systems. If you store email addresses, you should start working now to place them under encryption control with good encryption key management: the keys must be managed separately from the database, and the application should still be able to look an address up without decrypting every row. And you should start bugging your software and cloud vendors to provide you with this capability. For more information on how you should be encrypting your PII, download our white paper "AES Encryption and Related Concepts."
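To make "encryption control with good key management" concrete for an email column, here is an added example (not code from the original post or its white paper) of the pattern a CRM or ERP database would typically use: each address is encrypted with AES-256-GCM under its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK), the record ID is bound in as associated data so a ciphertext cannot be copied into another row, and a keyed HMAC blind index answers "is this address already on file?" without decrypting anything. The `EncryptedEmail` struct, the record IDs and the address are constructed for this example; `NewKey` stands in for a key manager or HSM that, in production, would hold the KEK and index key away from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// EncryptedEmail is a hypothetical shape for an email column once it is
// under encryption control: no plaintext, a wrapped per-record key, and a
// keyed blind index for equality lookups.
type EncryptedEmail struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext+tag of the address under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext+tag of the 32-byte DEK under the KEK
	BlindIndex string // hex(HMAC-SHA256(indexKey, normalized address))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from here
	}
	return b
}

// NewKey returns a fresh 256-bit key. Stand-in for a key manager/HSM:
// the KEK and index key must never be stored beside the database.
func NewKey() []byte { return randomBytes(32) }

// seal encrypts with AES-256-GCM, binding aad (the record ID) so the
// result only verifies for that row. Output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal reverses seal and fails closed on a wrong key, wrong aad or tampering.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// normalizeEmail folds case and surrounding whitespace so one address
// always yields one index value (simplified; full canonicalization is more involved).
func normalizeEmail(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// BlindIndex supports "WHERE blind_index = ?" lookups and uniqueness checks
// on encrypted data; the index key must be distinct from the KEK.
func BlindIndex(indexKey []byte, email string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalizeEmail(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptEmail uses envelope encryption: a fresh DEK per record, wrapped
// under the KEK, so rotating the KEK means re-wrapping DEKs, not re-encrypting data.
func EncryptEmail(kek, indexKey []byte, recordID, email string) (EncryptedEmail, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, []byte(email), []byte(recordID))
	if err != nil {
		return EncryptedEmail{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedEmail{}, err
	}
	return EncryptedEmail{Ciphertext: ct, WrappedDEK: wrapped, BlindIndex: BlindIndex(indexKey, email)}, nil
}

// DecryptEmail unwraps the DEK with the KEK, then decrypts the address.
func DecryptEmail(kek []byte, recordID string, rec EncryptedEmail) (string, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return "", err
	}
	pt, err := unseal(dek, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	kek, indexKey := NewKey(), NewKey() // constructed keys for the demo
	rec, err := EncryptEmail(kek, indexKey, "crm-row-1042", "Alice.Smith@Example.com")
	if err != nil {
		panic(err)
	}
	email, err := DecryptEmail(kek, "crm-row-1042", rec)
	fmt.Println("decrypted:", email, err)
	_, err = DecryptEmail(kek, "crm-row-1043", rec) // ciphertext moved to another row
	fmt.Println("wrong row:", err)
}
```

The design choice worth noting is the blind index: once the address is encrypted, the database can no longer enforce a unique constraint or serve `WHERE email = ?` on plaintext, and that is exactly the "what do I do about Outlook?" problem. Applications that need the address (mail merges, integrations) call a decrypt service that logs and authorizes each access, while everything else matches on the HMAC.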