What classifies as personally identifiable information?
Personally identifiable information, or PII, is an issue every company should treat as a priority. All 50 states now have data breach laws that define what counts as PII (the statutes usually say "personal information") and set requirements for how companies must protect it and respond when it is exposed, though the definitions and obligations vary considerably from state to state.
In health care, the Health Insurance Portability and Accountability Act (HIPAA) governs patient privacy. In the financial world, the Gramm-Leach-Bliley Act sets the rules for protecting consumers' financial and personal information.
While there’s no single federal regulation around privacy in the private investigations field, companies and investigators are accountable to the regulations set forth in each state regarding PII.
So what exactly is PII? That depends on the state, but it typically covers more than a name and Social Security number. A person's name combined with a claim number or case number is PII too, and it needs the same protection.
With the passage of the California Consumer Privacy Act of 2018 (CCPA), California has the strictest guidelines of any state regarding what classifies as PII, the standards companies must meet to protect that information, and the rights of consumers to know what information is being collected.
The best approach for companies seeking to be in compliance regarding PII is to take the definition of PII from the strictest state law and use that as the baseline definition. Then, regardless of which state you're working in, your definition already covers everything that state treats as PII. The handling obligations, such as breach notification deadlines, still differ by state, but managing one definition and one set of protection rules is certainly easier in the long run than managing 50 different sets.
How a company handles personally identifiable information impacts how you share information, how you create an investigation assignment, and how you share necessary information with the vendor doing your investigations. Once the information has left your hands, how is it being managed and handled by your vendor? Are your vendors signing an agreement that they’ll comply with your standards for protecting PII?
There are a few key aspects to consider regarding data protection when working with vendors: data in transit, data at rest, and data in use.
When data is in transit, it should be encrypted to protect PII, whether through an encrypted email service or a vendor portal served over HTTPS (TLS, still commonly called SSL). A TLS-protected web portal is generally the better option and leaves less room for error: the server enforces encryption on every request, whereas encrypted email depends on every sender configuring it correctly for every message, and a single unencrypted reply or forwarded attachment exposes the PII.
For data at rest, the question is how vendors manage the data once they receive it. What information are they collecting about the person they're investigating, and how are they protecting it? If they're storing information in a database, is it encrypted at rest, and who holds the keys? If employees use company email to discuss cases on their phones, are those phones encrypted and locked with a passcode? Can the employer remotely wipe any PII from a phone when an employee leaves? Are the retention and deletion rules for how long the data may be kept being followed for every state in which there's an investigation?
Data in use is the data while the vendor's staff are actually working with it. Who can open a case file, and from where? Is a unique login required for every person, so that each access to the data can be attributed to a specific user and audited? Shared or generic accounts make that attribution impossible. Are the systems that collect, process and send the data protected by a properly configured firewall, and is their web access served over TLS?
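The unique-login question is worth making concrete. The script below is an added example, not code from the original article or from any vendor's system: it runs a shared-account check over a handful of constructed vendor-portal access log lines. The log format, field names, user names, case numbers and the ten-minute window are all hypothetical assumptions. An account that appears from several source addresses within a short window is almost certainly being shared, and once that happens the log can no longer tell you which person viewed or downloaded a given case.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log from a hypothetical vendor case portal (not real data).
# Each line is "timestamp key=value ..."; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z user=jdoe src=203.0.113.10 action=view case=CL-1001
2024-03-04T09:01:40Z user=jdoe src=198.51.100.7 action=view case=CL-1002
2024-03-04T09:02:05Z user=asmith src=203.0.113.22 action=download case=CL-1001
2024-03-04T11:30:00Z user=asmith src=203.0.113.22 action=view case=CL-1003
2024-03-04T09:03:11Z user=investigations src=203.0.113.10 action=view case=CL-1004
2024-03-04T09:03:50Z user=investigations src=192.0.2.44 action=view case=CL-1004
2024-03-04T09:04:10Z user=investigations src=198.51.100.99 action=download case=CL-1005
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    # Without a user and a source address the line cannot be attributed at all.
    if "user" not in event or "src" not in event:
        return None
    return event


def parse_log(text):
    """Parse every usable line of the log, silently skipping malformed ones."""
    events = [parse_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def find_shared_logins(events, window=timedelta(minutes=10), min_sources=2):
    """Return {user: sorted source IPs} for accounts used from at least
    `min_sources` distinct addresses inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Events are sorted, so everything after `start` is at or after its time.
            sources = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def cases_touched(events):
    """Map each login to the case numbers it accessed. For a shared login this
    is all the log can say about who actually saw the PII."""
    out = defaultdict(set)
    for e in events:
        if "case" in e:
            out[e["user"]].add(e["case"])
    return {user: sorted(cases) for user, cases in out.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, srcs in find_shared_logins(evs).items():
        print(f"{user}: used from {len(srcs)} addresses within 10 minutes -> {', '.join(srcs)}")
    print(cases_touched(evs))
```

On the sample above, `jdoe` and the generic `investigations` account are flagged while `asmith` is not. The `investigations` account touched CL-1004 and CL-1005 from three different addresses in under a minute, so if one of those cases were later found to have leaked, nothing in the log identifies the person responsible. That is exactly the attribution gap a unique-login requirement closes.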
When it comes to PII, these are important questions you should be asking every private investigations vendor you’re working with to ensure the data you’re releasing is protected at every step of the investigations process.