Handling Private and Confidential Information
Published: March 29, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
What exactly is “private or confidential information”? That can be a difficult question. People often use the term "confidential information" when referring to personally identifiable information (PII). However, there are some subtle differences. PII is most certainly confidential. However, not all confidential information is PII. An example of information that is confidential to your organization but is not PII would be documents describing its business strategy. Management certainly wouldn’t want those to get into the wrong hands, yet they don’t contain any PII.
To thoroughly define PII is difficult. That’s because what it means differs across states and countries. For example, the recent release of the General Data Protection Regulation (GDPR) in the European Union covers any information that could identify a person. Well, that’s a very broad definition. For example, an IP address may identify a person. But is that really PII?
In the United States, it’s a little easier to say what counts as PII. Primarily it applies to documentation, to communications between people by voice or in email, to file transfers, and of course to what is written in email messages and their attachments.
The following list contains some examples of what is PII in the U.S. It is not all-inclusive, of course. However, it does provide a good overview.
Social Security Number (SSN)
Driver’s license number or state-issued identification card number
Passwords and phrases to any account, computer, or system
Security codes, access codes, or passwords that could permit access to an individual’s accounts
Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
Health insurance information, including an individual’s health insurance policy number or subscriber identification number
Any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history
Place of birth
Date of birth
Mother’s maiden name
Answers to security questions stored within accounts
Personal financial information, including credit scores and history
Credit card or purchase card account numbers
Potentially sensitive employment information, e.g. personnel ratings, disciplinary actions, and results of background investigations
Any information that may stigmatize or adversely affect an individual
Protecting Personally Identifiable Information
Email has outpaced voice and personal interaction as the most common way for people to communicate and share information, especially when it comes to conducting business. Employees have found that quickly sending an email can be especially helpful when dealing with customer support issues, answering internal company questions, and transferring documents and other types of useful information. A report by McKinsey Global Institute and International Data Corp found that we spend approximately 28% of our working time each day reading our inboxes, making email the second most time-consuming part of the work day. A separate report by Radicati estimates that by the end of 2018, business users will send or receive an average of 140 email messages each day. Many of those messages will include PII that criminals could use to commit identity theft and other crimes.
Most states in the United States now have separate laws that require organizations to protect PII. Generally, these laws prohibit the inclusion of confidential information or PII in email messages. However, there is also a perception that if an email is sent directly from one individual to another, the information has been kept private. After all, by all appearances, only those two people had access to whatever information was in the email.
Unfortunately, that is not true. While some organizations secure or encrypt email sent between internal employees, that isn’t always the case, and if someone gets his or her hands on the message it will most likely be readable. Check with your organization to confirm whether you are allowed to send emails containing sensitive information between internal employees at all.
Email should never be considered private or confidential. This is true even when it is being transferred internally to fellow co-workers. These days, it’s not uncommon for email to be accessed by unauthorized parties. Take the Sony Entertainment incident for instance. Someone breached the network and stole the email messages of executives, which not only forced the company to hold off release of a film but embarrassed the executives and others for what was included in their email conversations. Something similar happened when hackers accessed data within the Democratic National Committee (DNC). All it takes is for someone to fall victim to a phishing attack and unknowingly provide the login and password for his or her email account, perhaps after clicking a link or opening an attachment that leads to a malicious website. It could also be the result of someone hacking into the organization’s email server, as happened in the DNC incident. There are also situations where criminals have monitored the traffic passing over a network and captured plain-text emails in the process.
The simple fact is that email is not secure. There is never a situation in which an email should be sent to anyone containing PII, either in the body of the email or as an attachment. In fact, it’s best not even to save a message containing PII in a draft. If someone accesses the email server, they will also get to any drafts, sent messages, or anything left in the spam or “trash” folders in the accounts.
When sending an email, take a moment to review the contents of the message to confirm that no PII is included. In addition, if there is something attached to the message, the data in that attachment must also be carefully reviewed. Excel spreadsheets, Word documents, and PDF documents are the most common types of attachments that inadvertently contain PII.
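The review described above is something that can be automated as a pre-send check: scan the message body and the text extracted from each attachment for the PII patterns that appear most often in mail (SSNs, payment card numbers, dates of birth). The following is an added example written for this page, not code from the newsletter's publisher. The message text and the file names are constructed samples with fake values; extracting text from Word, Excel or PDF files is assumed to happen before the scan and is outside the example. The card check uses the Luhn checksum so that reference numbers that merely look like card numbers are not flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an outgoing message body; every value is fake.
SAMPLE_MESSAGE = """Hi team,
Attached is the onboarding sheet. Jane's SSN is 219-09-9999 and her card
on file is 4111 1111 1111 1111. Her DOB is 04/12/1985.
The PO number is 1234-5678-9012 and the tracking ref is 4111111111111112.
"""

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A date written next to a "DOB" / "date of birth" label.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\b[^\d]{0,10}(\d{1,2}/\d{1,2}/\d{4})", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for each PII item found in `text`."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", m.group(0)))
    for m in DOB_RE.finditer(text):
        findings.append(("dob", m.group(1)))
    return findings


def check_outgoing(body: str, attachments: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan the body and every attachment. `attachments` maps a file name to
    the text already extracted from that file (extraction is assumed here)."""
    report = {"body": find_pii(body)}
    for name, text in attachments.items():
        report[name] = find_pii(text)
    return report


if __name__ == "__main__":
    # Constructed attachment content standing in for an extracted spreadsheet.
    result = check_outgoing(SAMPLE_MESSAGE, {"onboarding.csv": "name,ssn\nJane,219-09-9999\n"})
    for location, hits in result.items():
        for kind, value in hits:
            print(f"{location}: {kind} found -> {value}")
    if any(result.values()):
        print("PII present: do not send this message by email.")
```

Run on the sample, the scan flags the SSN, the card number and the date of birth in the body, plus the SSN in the attachment, while the PO number (too short) and the tracking reference (fails Luhn) are left alone. Pattern matching like this is a safety net, not a substitute for the review itself: names, addresses and medical details have no fixed format and still need a human eye.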
While it’s better if mistakes are never made when it comes to PII, the fact is that they are. Sometimes PII is sent in an email and the mistake is only discovered later. If this happens, contact management right away to find out the proper procedures. The sooner management is made aware of the mistake, the more opportunity there is to mitigate it. In addition, if you receive an email from a customer or third-party vendor that contains PII, you should also notify management immediately.
If there is confidential information or PII that you need to send to a co-worker, vendor, or customer, check with your manager for the best way to accomplish this. Many organizations use third-party solutions to securely share information.
There may be cases where you need to send confidential or PII data via a website. It is important to always confirm that you are approved to transfer any of it to any third-party site. If you are transferring via a website, make sure the site is using encryption for the file transfer. To confirm, look for "https://" in the URL of the website. If you only see "http://", the page is not encrypting the transfer and you should not send the file. There are other indicators as well: sometimes there is a lock icon in the address bar or at the bottom of the window, and the text at the beginning of the URL may turn green to indicate security. Just make sure that the site is most certainly secure before entering text into it or attaching documents.
Also, be sure to confirm that you are connected to the correct web address. Criminals often purchase domain names that are just one character off legitimate ones or look very similar to the most popular or well-known sites in hopes that you may mistype the URL and end up at their websites instead. If you don’t notice right away, you could end up giving up valuable data to a bad actor.
If you are working with a co-worker or third-party vendor who requests that you send a file containing PII using FTP, confirm that the file transfer will be completed via an SSH tunnel and not via plain FTP (File Transfer Protocol). FTP is still widely used, but it is not a secure protocol: it sends both credentials and file contents unencrypted, so anyone monitoring the network can read them. When in doubt, contact your manager.
Always keep in mind that even on your internal network, PII should never be transferred without encryption, whether by email, file transfer, or any other means.
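The three checks in the preceding paragraphs (encrypted transport, the exact expected web address rather than a look-alike, and SSH-based transfer instead of plain FTP) can be written down as a single rule that is applied before a file leaves the organization. The following is an added example for this page, not code from the newsletter's publisher or any product it mentions. The approved-host list is a constructed placeholder, and treating the `sftp://` scheme as the SSH-based transfer the text refers to is this example's assumption. A host that is only one or two characters away from an approved one is reported separately, because that is exactly the mistyped-domain situation the text warns about.

```python
from urllib.parse import urlsplit
from typing import Set, Tuple

# Constructed allowlist of hosts the organization has approved for sending
# confidential data. Placeholder names, not real services.
APPROVED_HOSTS: Set[str] = {"transfer.example.com", "sftp.partner-example.net"}

# Schemes that encrypt the transfer: TLS for the web, SSH for file transfer.
# Plain "http" and "ftp" are deliberately absent.
SECURE_SCHEMES = {"https", "sftp"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the strings are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_transfer_target(url: str, approved_hosts: Set[str] = APPROVED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the scheme encrypts the
    transfer and the host is exactly one of the approved hosts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in SECURE_SCHEMES:
        return False, f"scheme '{scheme or '(none)'}' does not encrypt the transfer"
    if host in approved_hosts:
        return True, f"'{host}' is approved and the transfer is encrypted"

    # Not approved: distinguish a probable typo/look-alike from an unknown host.
    for good in approved_hosts:
        if edit_distance(host, good) <= 2:
            return False, f"host '{host}' resembles approved host '{good}' but is not it"
    return False, f"host '{host}' is not on the approved list"


if __name__ == "__main__":
    # Constructed URLs covering each outcome.
    for candidate in [
        "https://transfer.example.com/upload",
        "http://transfer.example.com/upload",
        "ftp://transfer.example.com/incoming",
        "sftp://sftp.partner-example.net/inbound",
        "https://transfer.exarnple.com/upload",   # "rn" in place of "m"
        "https://files.unrelated-example.org/",
    ]:
        ok, reason = check_transfer_target(candidate)
        print(("OK   " if ok else "STOP ") + candidate + "  (" + reason + ")")
```

The distance threshold of two catches the single-character swaps and the "rn" for "m" style substitutions; it does not catch a look-alike that uses a different top-level domain or an extra word, which is why the rule falls back to "not on the approved list" rather than trusting anything that merely looks familiar.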