In an era when consumers are more concerned than ever about data security, it's imperative for businesses to do everything they can to protect consumers’ personal information. With security breaches up 11% in the past year, businesses have a responsibility to know what information is considered personally identifiable so that the proper data encryption techniques can be used. Personally identifiable information (PII) is typically captured through a website form, so understanding which fields are considered PII will help you plan your digital projects and protect your site visitors’ sensitive personal information.
What fields constitute PII?
Let's pretend someone just started a new job that offers a retirement plan. In order to join the company’s provided plan, that person must complete an online form that requests a lot of personal information, ranging from non-sensitive to sensitive PII.
Non-sensitive PII can be shared in an unencrypted application because if the data leaks, it does not threaten the security of the individual. According to the United States Department of Homeland Security (DHS), this non-sensitive information encompasses items easily found in public records. Below are non-sensitive PII fields that would be standard to include on this example form:
- ZIP code
- Race identification
- Gender identification
- Location of birth
- Religion identification
Sensitive PII is the data you need to keep secure because, if compromised, it can cause great harm. Below are typical examples of sensitive PII that could also be requested in this form:
- Full name
- Mailing address
- Phone number
- Email address
- Social security number (or last 4 digits)
- Driver's license number
- Passport number
- Alien registration documentation
- Financial information
- Biometric information (DNA)
- Citizenship documentation
- Medical information
- Ethnic affiliation/identification
- Sexual orientation
- Account passwords
- Date of birth
- Criminal history
- Mother’s maiden name
- Credit card number
How does encryption work?
When it comes to sensitive personal data, it's a business's responsibility to securely capture and store that information. In a world where everything is shared digitally, that can be easier said than done. That is where encryption comes in: it should be used to protect both “in-flight” and “at-rest” PII.
Because protecting your information is such an important topic, it's important to understand the difference between protecting in-flight and at-rest data. Encryption at the server level protects “at-rest” data: files stored on your computer or server, which may contain sensitive PII. That data is sitting on a server or in a database and will not be encrypted unless you apply the recommended whole disk or partial disk encryption for servers and SQL encryption for databases. When information moves between a client browser and the web server hosting the website, it is “in-flight” and needs SSL/TLS encryption. Encryption in this manner secures the sensitive PII that needs to be sent over the web. Currently, standards differ depending on the compliance needed, but best practice is a minimum TLS level of 1.1 or greater.
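The following added example, which is not from the original article, audits an HTML form against the sensitive PII list above: it flags the fields that need at-rest encryption and checks whether the form submits over HTTPS. The field-name tokens, the `audit_form` helper and the sample form are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name tokens mapped to entries in the article's sensitive-PII list.
# The token names are assumptions; match them to your own form naming.
SENSITIVE_TOKENS = {
    "name": "Full name", "address": "Mailing address", "phone": "Phone number",
    "email": "Email address", "ssn": "Social security number",
    "license": "Driver's license number", "passport": "Passport number",
    "password": "Account passwords", "dob": "Date of birth",
    "maiden": "Mother's maiden name", "card": "Credit card number",
}

class FormFields(HTMLParser):
    """Collects the form action and the names of its input controls."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = "", []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag in ("input", "select", "textarea") and attrs.get("name"):
            self.fields.append(attrs["name"])

def audit_form(html, page_url):
    """Return sensitive fields and whether submission is encrypted in flight."""
    parser = FormFields()
    parser.feed(html)
    sensitive = {}
    for field in parser.fields:
        tokens = set(re.split(r"[^a-z0-9]+", field.lower()))
        hits = sorted(SENSITIVE_TOKENS[t] for t in tokens if t in SENSITIVE_TOKENS)
        if hits:
            sensitive[field] = hits
    # A relative or empty action inherits the scheme of the page serving the form.
    target = urljoin(page_url, parser.action)
    return {"sensitive": sensitive,
            "in_flight_encrypted": urlparse(target).scheme == "https",
            "needs_at_rest_encryption": sorted(sensitive)}

# Constructed sample: a retirement-plan enrollment form posted over plain HTTP.
SAMPLE_FORM = """<form action="http://hr.example.com/enroll" method="post">
  <input name="full_name"><input name="ssn_last4"><input name="zip_code">
  <input name="birth_city"><input name="email">
  <input type="password" name="password"></form>"""

if __name__ == "__main__":
    print(audit_form(SAMPLE_FORM, "http://hr.example.com/join"))
```

Fields such as `zip_code` and `birth_city` are left out of the result because they fall under the non-sensitive list.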
Having an SSL certificate not only protects this data but is also an important credibility signal to search engines. In 2018, Google’s Chrome browser began marking sites without HTTPS as “not secure”. Therefore, an SEO best practice is to have all sites implement an SSL certificate whether or not they plan to collect secure information.
Let the experts at ZAG Interactive help you strategize and implement your secure forms and set up a hosting environment that keeps your visitors’ information protected.