Handle Others' PII as You Wish for Your PII to Be Handled
Privacy is often discussed when handling PII. Legal, human resources, and information security practitioners know very well the complex nature of not only protecting such information, but handling it as well. I say both protecting and handling because to me they are two different things. For example, protecting PII involves taking security measures, such as encryption, to protect confidentiality. Handling, on the other hand, is about who has access to what. Should someone in IT have access to an employee's address, cell phone number, personal email, and, lastly, social security number? Or should only HR have such information? To many, the answers to such questions are straight-up obvious. However, what happens when one party is not handling PII carefully? What happens when another party is not protecting such information? This is why both protecting and handling PII is complex: there is more than one party involved. There may often be a clash between parties over how to protect and handle PII the right way without overstepping each other's boundaries. Let's take a look at some experiences I've had that touch on the challenges faced when handling the PII of others.
Teamwork Makes the Dream Work
Every security professional knows that security is a team sport. Often I see a disconnect and communication gaps between a security team and, for example, an HR team or even an IT team. This is something that I feel is one of the most detrimental problems that can occur at an organization. However, I would say that the problem does not lie simply there; it also lies with the leaders of the organization. For example, an appointed CISO and CPO should be having such conversations with the CEO on how to address such problems, especially when they occur often. I always like to describe the situation as minimizing as much friction as possible. What do I mean by this? I am saying that each team has different priorities, and each team's priorities may not be aligned with your team's. What happens if someone on the IT team disagrees with something the InfoSec team has marked as a high priority? Do they work it out? Or do they become bitter enemies and stop supporting each other? This is why security is a team sport. You need to be open-minded and, most importantly, empathetic and honest about how priorities can be tackled without having to constantly go back and forth proving to another team why one thing is a higher priority than another. As the saying goes, teamwork makes the dream work, especially in security!
Handling PII the Right Way
Handling PII the right way is about not feeling guilty but feeling responsible and showing integrity to others. I have come across PII unintentionally twice in my career. I say unintentionally because I have only worked in IT, and I did not touch such sensitive data unless I was authorized to do so (which I never was). :) Once, an employee had left a company and I had offboarded them from the company's systems. I also liked to help the office services team in clearing the departing employee's desk, even though it was not my job to clear the entire desk and drawers; I only had to clear the desk of any IT-related equipment. So I cleared the entire desk and drawers and found a W-4 completely filled out with the employee's SSN, address, DOB, you name it. Right away I was shocked at how someone could just leave such sensitive data easily accessible, since the drawers were not even locked. I informed HR about it, and they told me to leave the paper, hidden, on the desk of the HR employee whom I had reached out to, since it was already EOD. Right away I went to the HR employee's desk and hid the paper. Another unintentional PII event I had was interviewing. Interviewing? Yes, you heard that right. Interviewing! A recruiter was showing me the org chart, specifically the structure of the team I was interviewing for, using software called Pingboard, and I came across an employee's personal cell phone number. Although such PII is not as risky as revealing someone's SSN, remember that PII has different value to different people. What would have happened if someone who does not have integrity and is not responsible had leaked such info on the Dark Web? Fraud would occur, and the affected individual would never know unless someone said something to that person, or they had an alert through a subscription service that monitors dark web related activity and warns that such information has been compromised and leaked to the dark web.
As soon as I uncovered these events, I let both the departed employee (privately) and the recruiter (that same day, while I was interviewing) know that such PII should be carefully handled. Thankfully I did not get any rude attitudes thrown at me, and both individuals simply thanked me, which is something that is definitely appreciated when you advocate for such information to be handled the right way!
Never Feel Guilty, Feel Responsible
Handling PII involves being aware of your surroundings and having integrity as well as responsibility for your actions. You should never feel ashamed or guilty of anything unless you purposely wanted to cause harm to someone. The best way to describe the handling of PII is simply being empathetic and thinking to yourself: is this really how I would want someone else to treat my PII? Just as the saying goes that you should treat others the way you wish to be treated, that is exactly how PII should be handled! Or, as I said in the title, handle others' PII as you wish for your PII to be handled.