Got PI or PII or PHI?

Personal Information (PI), Personally Identifiable Information (PII), and Protected Health Information (PHI) are held by nearly every organization. In fact, it takes very little to constitute PI:
- first and last name or first initial and last name; PLUS
- some identifying information such as a social security number, a driver's license ID number, a state-issued ID card, a credit/debit card number, a financial account number or similar identity information.
If your organization collects, owns, holds, or even transmits certain types of Personal Information, various state and federal laws require that it be protected. Data theft, identity theft, and especially ransomware are a growing concern. Not a week goes by without a report of another stunning data breach.
Data theft or loss triggers reporting duties, potential fines, possible legal liability, and potential reputational damage. The laws protecting consumers against the harms of data loss are growing stricter. Massachusetts is the state with one of the most far-reaching protections for the PI of its residents, wherever that data is located. That means, if you have financial information such as a check or credit card from a Massachusetts resident, you must comply with the law, 201 CMR 17.00, even if you are located outside Massachusetts. Data loss need not be related to theft; simply losing a laptop computer with protected information triggers reporting duties.
In the wake of the Facebook-Cambridge Analytica scandal, the trend line is moving toward the GDPR principle of "privacy by design".
Solutions to these challenges are both technical and legal. The Written Information Security Programs (WISPs) required to comply with the Massachusetts law contain requirements for employee discipline, employee policies and training, as well as annual review. GDPR and CCPA push the requirements further. Legal issues are also implicated by the need to update or create retention and information governance (IG) policies for the organization. Regardless of where in the solutions process your organization is, we can help guide you toward appropriate solutions.