If your organization collects, retains, generates, uses, transforms, shares, or disposes of personally identifiable information (PII) at any point in its business operations, you should consider developing a comprehensive information security policy as part of your business plan and risk management strategy.
Simply defined, PII is any information that can be used to identify a particular person. Examples include an individual's full name, Social Security number, driver's license or ID number, passport number, bank account numbers, e-mail addresses, IP addresses, geolocation data, and biometric information. In 2008, Illinois became the first state in the U.S. to regulate the processing of biometric information, acknowledging the risks that come with widespread business use of biometric identifiers, such as authorizing financial transactions, tracking employee attendance, or controlling employee access to physical facilities and to the organization's digital assets. The Illinois Biometric Information Privacy Act ("BIPA") defines a biometric identifier as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." Businesses should be aware that processing PII brings with it government regulations aimed at protecting that PII from reasonably anticipated threats and from unnecessary disclosure.
One of the best ways to ensure information security is to build your program on recognized information security standards published by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS). These standards serve as guidelines for developing an information security management program that addresses the administrative, technical, and physical safeguards PII requires.
In the coming weeks I will share a series of posts titled "Time for Cybersecurity: 12 Steps to Improve Your Information Security Practices." The posts will be adapted excerpts from my article "Cybersecurity Through Balanced Information Security Policies." The main goals of the series are to educate businesses on the benefits of cybersecurity awareness and to emphasize the importance of developing comprehensive information security policies, so as to avoid expensive and time-consuming enforcement actions from the government authorities charged with policing data security violations and protecting PII.