Why Protecting PII is Paramount to Business Success

As evidenced by the September 2017 breach at credit-reporting agency Equifax, which exposed the data of some 143 million Americans, the need for financial service providers to employ current information security controls is paramount. Even the largest and presumably best-protected entities have found their client data for sale on the dark web, bringing a backlash of bad press, potential litigation and burdensome cleanup costs.

In the course of conducting due diligence for a loan, lease or other business transaction, banks, independent finance companies, private equity firms and other specialty lenders must handle a range of sensitive and potentially valuable information. Each day, millions of pages of documentation move across the internet as e-documents, attached files and plain old email correspondence. Yet many, if not most, people are largely unaware of the dangers involved. New threats emerge daily, and attackers are aggressively pursuing new ways to get at data that doesn't belong to them.

Unfortunately, essential paperwork often contains information that could cripple a client's business or personal life if it falls into the wrong hands. When asked to identify high-risk data, most people know that information contained in medical records and bank statements, and unique identifiers such as credit card and Social Security numbers, are in high demand among fraudsters. However, so-called "Personally Identifiable Information," or PII, also covers a number of seemingly innocuous data points. Indeed, the federal government defines PII as any piece of information "that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means."

This covers identifiers such as name, address, Social Security number, telephone number or email address, among others. While not every individual data point carries the same level of risk, when combined with more sensitive information even something as simple as a client's date of birth can hold value for cybercriminals, because it is exactly the kind of field used to verify identity or reset an account.

But the risks associated with lax data security go beyond any financial loss suffered by the information's owner. Mishandling client PII can have serious blowback even in cases where no actual fraud is committed or financial loss demonstrated. In most cases the mere disclosure of a breach brings notification costs, regulatory scrutiny and possible penalties for the responsible party. And that doesn't even account for the damage a serious data breach can inflict on a business's reputation and credibility in the market.

Even so, the vast majority of American businesses think too little about the cyber risk environment. According to one survey conducted in 2017, only 2 percent of small businesses view data security as their top priority, despite the fact that nearly half of all cyberattacks target the small business sector.

According to Hemu Nigam, founder of the internet security firm SSP Blue, “most small-business owners take the attitude of ‘Why would anybody care about me? I’m just the little guy.’”

On the contrary, says Nigam, hackers love small businesses for that very reason, as smaller firms have fewer resources to protect against data theft. Although large breaches like Sony or Equifax are more likely to capture headlines, most data exposures affect just thousands, or even hundreds, of records. One analysis of PII for sale on the dark web found that 90% of it came from breaches of 5,000 accounts or fewer. Accordingly, it is critical for lenders and businesses of all types and sizes to be aware of these risks and to take proactive steps to secure client data when processing a credit application.

Some simple tactics for protecting data include enforcing strong password policies (current NIST guidance favors long passwords screened against known-breached lists over forced periodic rotation, and rotation should be required when a compromise is suspected), and avoiding public WiFi networks that are open to multiple unknown users and administrators. Many businesses are also employing two-factor authentication, which requires a one-time code from an authenticator app or hardware token in addition to a password for network access; where it is available, it should be required for email and document-sharing accounts, not just the office network. Housing documents on servers that sit safely behind a firewall, with access limited to the staff who actually need each file, is also critical to protecting client documentation during the due diligence stage.

Still, even the strongest safe only protects what's inside it, and small-scale data breaches often happen when information is in transit or stored improperly on employee or vendor devices. One way to keep sensitive documents out of the wrong hands is to use encrypted messaging and file sharing platforms in lieu of email. While email remains one of the most accessible avenues for cyber-intrusion, many lenders still routinely transmit documents containing personal financial information back and forth over this relatively unprotected channel. Thankfully there are dozens of "secure" enterprise collaboration tools on the market. However, not all employ the same level of protection: before adopting one for sensitive tasks, businesses should confirm how data is encrypted in transit and at rest, who holds the keys, whether access can be restricted per document and revoked, whether access is logged and auditable, and how long the vendor retains data after a deal closes. Both in-house and third-party options should be considered.

Most cyberattacks succeed because attackers first target employees with phishing and other social-engineering schemes to steal their login credentials. In the end, the most important tool in a lender's information security arsenal is also the cheapest: education. Keeping employees up to speed on the risks of sending information over unprotected channels, and warning of the ongoing threats from phishing, malware and ransomware, can prevent breaches before they happen, saving both time and money. It's important for all enterprises to have written policies in place that codify simple best practices.

Lenders and other business transaction professionals should embrace mandatory and frequent training to make sure all employees, from sales to underwriting staff, are aware of current cyber risks. Policies should also include guidelines for proper handling of electronic correspondence; warnings against clicking unknown URLs or opening attachments from unverifiable sources; a simple way to report suspected phishing; and instructions for keeping devices used for work secure while away from the office.

The free flow of sensitive information between businesses and their clients is essential to many industries, and technology has increased the speed and efficiency of the due diligence process. Companies that handle PII during a background check or due diligence process have an obligation to their clients to put the security of that personal data above the desire to close a deal quickly. When it comes to data security, not understanding the risks can result in costly and sometimes irreparable mistakes.