PII is the new PCI
Our personal data is only becoming more valuable (and vulnerable), and it’s past time to get serious about protecting it
What’s more valuable – your credit card number or your name? It may depend on the situation, but many of us never thought the information about us that’s freely and publicly available – our names, our addresses, our emails – or even less public data like our social security numbers, would be worth something to somebody someday. But the world of data has changed in the last few years, that day is here, and PII is now worth its weight in credit cards.
History of PCI Protection
As recently as the early 2000s, there was no clear way to deal with credit card fraud. Who was on the hook for the purchases made by a scammer with a stolen credit card number? Generally, it was the credit card company. That created an incentive for those companies to impose stronger security on companies that wanted to offer the benefits of credit card payments to their customers. Eventually the industry came together on the Payment Card Industry Data Security Standard (PCI DSS) in 2006.
In order for merchants and other vendors to be compliant with PCI DSS, they must meet requirements for secure networks and protection of cardholder data, validated by audit. And the requirements are scaled by the number of transactions handled, from less than 20,000 to more than 6 million annually. Non-compliance can result in fines from some major credit card companies. While compliance with PCI DSS is not required by federal law, it does have the effect of putting a focus on credit card data security.
PII is More Valuable Than We Ever Realized
Obviously, credit card companies had an incentive to ensure data was secure in order to limit their liability for fraud. But what’s the liability for breaches of personally identifiable information (PII)? Until recently, there was very little. One of the reasons was that we simply didn’t realize the data was valuable.
Around the same time credit card protections were being implemented in 2006, Facebook was ramping up. While we understood that credit cards could be stolen and used to purchase goods, we were putting our names, our hometowns, our mother’s names, our dog’s names, our employers, our favorite restaurants out there for the world to see without a thought for what could be done with this data.
It turns out that data is supremely valuable. Facebook and others turned our information into lucrative revenue streams by offering it to third parties for advertising targeting, political research, and more. A study calculated that internet companies earned an average of $202 per American internet user in 2018 from personal data. Many companies use the information they gather about us as customers to send targeted offers to increase sales, create new product lines, or optimize distribution channels. And the value of PII is not lost on cyber bad actors: PII can be used for everything from fraudulent tax returns to synthetic identity fraud. Because PII tends to be a longer-term identifier – you don’t change your name or your social security number that often – it has more value to thieves than credit card numbers that can be easily canceled and reissued.
It’s Finally Less Costly to Protect PII Than to Lose It
So, while the value of PII is increasing for both legitimate users and bad actors, the penalty for PII breaches is finally increasing as well. All 50 U.S. states now have personal data breach notification laws. Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and laws under consideration in 10 states add regulatory fines on top of the direct and indirect costs of a breach, such as the time and effort to respond and the opportunities lost. According to the IBM 2020 Cost of a Data Breach Report, PII was the most frequently compromised data and more costly than other types. The average cost to companies is now $150 per PII record. The combined costs of a breach now create a significant liability for companies that gather, hold and share PII.
The good news is that the cost and difficulty of securing that data is decreasing. Merchants have moved from encryption to tokenization when storing credit card data because of its ease of use, low overhead, and the fact that a breach of tokenized data doesn’t yield anything thieves can use. Protectors of PII can do the same. Combined with the increase in compute power promised by Moore’s law, SaaS-based solutions like ALTR’s can deliver low-cost, easy-to-implement data security that democratizes PII protection.
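To make the tokenization point concrete, here is an added example (constructed for this article, not ALTR’s product or any real library): a minimal vault-based tokenizer in which the application database holds only random tokens, the vault holds the mapping back to the PII, and detokenization is gated by role. The `TokenVault`, `store_customer` and `leaked_pii` names, the roles and the sample customer are all assumptions made for the example.

```python
import secrets

# Constructed example of vault-based tokenization for PII. The application
# database stores only tokens; originals live in the vault, which must be
# secured and access-controlled separately from the application data.

class TokenVault:
    def __init__(self):
        self._token_to_value = {}   # vault side: token -> original PII value
        self._value_to_token = {}   # same value always gets the same token

    def tokenize(self, value: str) -> str:
        """Return a random token for `value`, stable across calls."""
        if value not in self._value_to_token:
            # Random, not derived from the value: a plain hash of a 9-digit
            # SSN could be brute-forced, a random token reveals nothing.
            token = "tok_" + secrets.token_hex(16)   # 128 bits of randomness
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return self._value_to_token[value]

    def detokenize(self, token: str, role: str) -> str:
        """Recover the original value; only explicitly allowed roles may."""
        if role not in ("fraud_analyst", "compliance"):   # assumed roles
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def store_customer(vault: TokenVault, name: str, ssn: str) -> dict:
    """What the application database actually holds: tokens, never raw PII."""
    return {"name_token": vault.tokenize(name), "ssn_token": vault.tokenize(ssn)}


def leaked_pii(records: list, *pii_values: str) -> list:
    """Simulate a breach of the application database: which PII values appear?"""
    dump = "\n".join(str(r) for r in records)
    return [v for v in pii_values if v in dump]


if __name__ == "__main__":
    vault = TokenVault()
    db = [store_customer(vault, "Jane Doe", "123-45-6789")]   # constructed sample
    print(db)                                                 # only tok_... values
    print(leaked_pii(db, "Jane Doe", "123-45-6789"))          # nothing usable leaked
    print(vault.detokenize(db[0]["ssn_token"], "fraud_analyst"))
```

The same pattern applies to any PII field; the property that matters is that a dump of the application store contains nothing an attacker can use without also compromising the vault.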
Just as there was a critical inflection point for PCI data, where the amount of theft and fraud drove the credit card companies to require better security, there is an inflection point for PII where the cost of breaches outweighs the cost of security. And we’ve passed it. Especially as we move sensitive data to the cloud, where access is far broader than in your locked-down data center, it’s critical to ensure that data is secure. Breaches are only going to get more expensive, and it’s past time to protect PII as stringently as PCI.