This article originally appeared in the October 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Click on any website and there is a box to accept website cookies it seems these days. While seemingly benign, that box is a visualization of what many public and private organizations are facing with security today. The opt-in box allows the user to acknowledge that their Personal Identifiable Information (PII) is being collected and stored.
While PII concerns have been around for many years, in 2018 the European Union (EU) fully implemented the General Data Protection Regulation (GDPR) – and as an instantaneous result, PII became a concern for every company. No, PII is not a function of GDPR’s aftermath, only that many businesses now look at PII in a much different light.
As an emerging technology discussion, PII now has a part in these discussions. PII transcends the traditional security installation – it creates an additional complexity that requires the technology installed to meet certain requirements, both in functionality and cybersecurity; and it forces the end-user to have a PII policy in place to protect not only employees, but also the PII of anyone who steps foot on the property.
Security implementations have changed. No longer is it just about securing a building, campus, or a city; but now it involves protecting the PII of each person who interacts with the technology. While PII is not a technology, most public and private organizations review technology through a lens of PII dependencies. Strict polices must be adhered to, preventing a data breach or unlawful use of PII.
The U.S. Department of Labor defines PII as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
This definition is much narrower than the GDPR definition. While the EU definition may have been the inception of PII that we know today, as public and private organizations adopt PII solutions, this more stringent definition is being applied to how data is captured and stored. In fact, according to the U.S. General Services Administration (GSA), “The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.”
There are some very specific markers that are PII, such as full name, Social Security Number (SSN), Identification Numbers (Driver’s license, employee ID, Google or Apple ID), and biometrics – to name a few. A person’s image is PII. There are other non-PII markers that by themselves are not PII, but when linked with other non-PII markers become PII, for example: GPS data, gender, race, date of birth, mother’s maiden name, etc.
The Integrator’s Responsibility
Security Integrators provide solutions where PII is being recorded as part of each solution, and therefore must be mindful of how it is being obtained and stored. They must work within the PII policy of the end-user to ensure the data is secured safely.
Biometrics are a huge database of PII, since no two persons are alike (not even identical twins). While many biometric markers are visible, with limited expectation of privacy, a well written policy should be adhered to, preventing abuse of PII.
The National Institute for Standards and Technology (NIST) suggests that PII should be protected through a combination of measures including operational safeguards, privacy-specific safeguards and security controls aligned to a risk-based approach.
While private organizations have the justification to record both video and access control on their property, public organizations must follow a two-prong implementation: Create a public video surveillance system only to further a clearly articulated law enforcement purpose; and create permanent public video surveillance systems only to address serious threats to public safety that are of indefinite duration. In the security industry, this may be a very simple justification that can be articulated well; however, the employee still has a right to privacy.
This is why many companies are looking at new technologies that provide the same level of information while still keeping an employee’s right to privacy. The move to Internet of Things (IoT) sensors over traditional security devices is forcing security providers – both integrators and manufacturers – to pivot the types of technology they offer. Additionally, the industry is finding that non-traditional security vendors, such as IT and HVAC vendors, are providing IoT sensors to accomplish what was once the domain of a camera or access control reader.
Look for more public and private organizations to require stricter policies limiting access, institute strict PII controls over technology, and conduct both internal and/or third-party penetration testing – all of which will affect technology solution providers.
There are two major areas where PII can be abused:
1. Data Breaches: The number of data breaches and cyberattacks by bad actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information. While many times these are seen as IT breaches, there have been a number of incidents that have occurred by infiltrating security systems.
While a majority of these have occurred with minimal damage, earlier this year the security industry was ablaze with the Verkada incident (www.securityinfowatch.com/21213804), where PII and other regulated information was compromised through the hacking of more than 150,000 cameras.
2. Unlawful use of PII: Many public and private organizations are now faced with the concern of what is the lawful use of PII. They must identify how PII is accessed and used, such as via access control logs, images recorded, biometric analytics or physical biometric data. While PII is somewhat clearly defined, there are concerns over non-PII markers, such as race or gender, used in conjunction with other non-PII markers to create PII. When the person of interest has no opt-in ability, how the PII information is used must be considered.
The Rise of the DPO
PII, along with other proprietary data must be secured appropriately. This typically will fall under the purview of a Data Protection Officer (DPO) – typically either a Chief Data Officer (CDO) or a Chief Information Security Officer (CISO) or their assigned equivalents. While both the CDO and CISO operate mainly in a consultative role at many companies, PII policies reflect an organization’s direction and will affect how technology is implemented.
This of course becomes another executive at the security table, when integrators make their proposals and presentations. The DPO’s primary goal is to secure data and ensure continuity of business.
Jon Polly is the Chief Solutions Officer for ProTecht Solutions Partners www.protechtsolutionspartners.com, a security consulting company focused on smart city surveillance. Connect with him on linkedin: www.linkedin.com/in/jonpolly.