Protecting PII with Threat Protection Strategies

The task of protecting PII (Personally Identifiable Information) is one faced by many industries, but primarily is top-of-mind for those in healthcare, financial services, retail, education, and government. These business sectors not only are responsible for protecting PII such as Social Security numbers, health records, credit card details, student addresses, and more for the sake of their customers, but also must guard against heavy sanctions for non-compliance with regulatory entities.

Complying with various standards and regulations requires both technological tactics as well as good business practices such as conducting employee training and having an incident response plan at the ready. Protection of PII is addressed by these regulations:

• HIPAA (Health Insurance Portability and Accountability Act): This act focuses on protecting sensitive health information (PHI as well as ePHI) from being disclosed without consent or knowledge of the patient.
• GDPR (General Data Protection Regulation): This European Union’s regulation applies to organizations, regardless of location, which process personal information of individuals within the EU.
• FISMA (Federal Information Security Management Act): This U.S. law requires federal agencies, as well as their contractors, to safeguard sensitive data, which can include PII.
• PCI DSS (Payment Card Industry Data Security Standard): While primarily centered on protecting payment card information, other forms of PII are also covered by this standard related to payment processing.
• GLBA (Gramm-Leach Bliley Act): This U.S. regulation requires financial institutions protect the privacy of consumers’ financial information.
• CCPA (California Consumer Privacy Act): This state regulation helps protect and give more control over the personal data of California residents.

PII is Too Tempting to Cybercriminals

Cybercriminals seek PII primarily for financial gain and identity theft, often opening up credit cards or false accounts with the PII stolen. PII can also be used to socially engineer attacks using methods like phishing or by extortion. Data brokerage is another form of using PII to sell data on the dark web.

“Industries that fall under any compliance requirements around how to handle PII require a dual strategy of implementing software solutions as well as good business practices around protecting sensitive information,” said Chris Spargen, Associate Director, Solutions Engineering, Fortra. “In addition to establishing training and awareness of how your organization should handle the PII entrusted to you, layering targeted, integrated solutions to address encryption, threat protection, and data loss prevention can keep businesses rolling efficiently and allow for safe collaboration without the worry of malware, mishandled data, or the risk of a breach or noncompliance.”

Recent statistics show that the risk and impact of data breaches involving PII are substantial:

• According to Verizon’s Data Breach Investigation Report for 2024, about 60 percent of data breaches involved some form of personal information.
• IBM’s 2024 Cost of a Data Breach Report reveals the average cost of a data breach at a whopping $4.88 million.

Customers are understandably worried about their personal information out in the wild and want to trust organizations and the people working within those organizations to do all they can to protect their PII from ransomware attacks as well as inadvertent misuse or misdirection.

Threat Protection Can Help Protect PII

“With some human element involved with more than half of breaches reported in the latest Verizon Data Breach Report, solutions should be easy to use to help with user adoption, and robust in automation to help with screening and protecting your organization. By taking a layered approach that addresses threats to PII, you can ensure your organization has the necessary tools to steward sensitive data” added Spargen. "Organizations need to ask, ‘How is access granted?’ ‘How is it authenticated?’ ‘Can data access be tracked, controlled, and revoked?’ Answering these questions and finding solutions to close the security gaps can help form a more solid defense for your PII.”   

A standalone managed file transfer (MFT) solution is not enough to fully protect PII as it moves around and out of your organization's network. It will provide the security of the file at rest or in-transit but integrating Threat Protection will allow you to take action when PII is found in the data moving in and out of the organization through your MFT solution. You can think of Threat Protection like a content engine or rule set, it can inform the masking, removal, or allowance of PII data based on pre-defined rules.

Related Reading: MFT’s Role in Data-Centric Security

Fortra’s Threat Protection bundle merges a robust secure file transfer solution with deep content inspection and data loss prevention via a Secure ICAP Gateway to add additional protection to the myriad pieces of PII data exchanged each day.

The bundled solution blocks the ability to send sensitive data that could contain PII and acts to redact specified information so that sanitized files can still continue on their way – minus any sensitive data, or even block that file from going further if it cannot be sanitized.

Image

Use Case: Medical PII Protected with Threat Protection

A large medical enterprise needed to transfer attachments between employees and trading partners containing detailed billing information. The organization had used a managed file transfer solution for years to exchange files containing PII within and outside the organization. After reviewing their process, they found they needed to protect that PII further with deep content inspection to add additional safeguards to their patients’ sensitive data.

They integrated GoAnywhere MFT with Secure ICAP Gateway, to add anti-virus protection as well as structural sanitization. This combo is a powerful one. Threat Protection works to:

• Inspect for malware and viruses
• Intercept content based on the threat protection and data loss prevention requirements.
• Run rule sets such as renaming, script removal, keyword searches to control if content is allowed in or is blocked.
• Sanitize PII content. If it can be sanitized the transfer can continue to keep business moving.
• Block transmission if content cannot be sanitized.

With integrated solutions in place PII data files can be exchanged and travel to their destination free from viruses, malware, and sensitive information.

Threat Protection Helps Define How PII is Controlled

Adding more control to data handling is another plus for incorporating Threat Protection. For example:

• You can allow specified individuals the ability to transmit PII, but not everyone.
• You can apply role-based access to PII.
• You can audit who is sending what information.
• GoAnywhere’s encryption can be enhanced by limiting both who can transfer PII data, and what that data contains.

The automatic detection and sanitization of PII data helps take some of the human factor risks away and helps shoulder that major responsibility so employees can focus on more priority tasks with less manual intervention.