Sending PII Over Email: Security & Compliance Considerations
If your business receives PII over email from customers, contractors, or other individuals, there are strict regulations you must follow to avoid costly fines.
Is it safe to send PII via email? No, you should never send PII over email. However, if you must send PII over email, it needs to be encrypted and certain security protocols must be met to ensure that if it’s intercepted, the PII won’t be readable.
What is Personally Identifiable Information (PII)?
Simply stated, PII is any information that allows someone to “infer” someone else’s identity directly or indirectly. “Inferred,” in this case, can mean anything that makes someone’s identity determinable.
While this seems self-evident, PII is rather ill-defined in the U.S. As such, it can be hard to separate what constitutes PII and what doesn’t – especially when different contexts can change what it means to disclose confidential information.
NIST divides PII into two categories: linked and unlinked. Linked information can allow someone to ascertain an identity directly. PII examples in this category include:
- First and Last Name
- Home Address
- Work Address
- Social Security Number (SSN)
- Phone Number (Work, Home or Cell)
- Information about Personal Property (Vehicle Identification Numbers, etc.)
- Credit or Debit Card Numbers
- Email Addresses
- IT-Associated Information (Device-Specific MAC Addresses, IP Addresses, Serial Numbers, etc.)
Unlinked information is less direct and requires an outside party to combine two or more pieces of information to identify someone. Unlinked information includes:
- Common First and Last Names
- Racial and Gender Categories
- Job Title
- Broader Address Items (City, State, Country or Zip Code)
Unlinked PII may appear “safer” than linked PII; however, you don’t know which combination of unlinked PII will accidentally disclose someone’s identity. It is therefore important to use platforms, tools and processes that protect data within your specific business cases.
With that in mind, PII is defined and treated slightly differently under different data privacy regulations:
- Under HIPAA, PII is better understood as Protected Health Information (PHI). HIPAA defines PHI under the Privacy Rule as any information regarding a patient’s health, healthcare or treatment, or billing and payment related to health and treatment.
- PCI DSS emphasizes card payment data, so emailed PII will almost exclusively refer to credit card numbers as well as any combination of name, address, phone number or email address that can identify a customer.
- FedRAMP is split into three Impact levels (Low, Moderate, High), and PII types differ by level. Many Low Impact systems, for example, might not contain PII beyond login credentials (username and password), while High Impact systems may handle data like PHI. Emailing PII is prohibited under FedRAMP unless it is encrypted.
Is PII Different from Personal Data?
While PII is a bit ill-defined in the United States, the European Union has taken steps to make the definition more concrete. That’s why the concept of “Personal Data”, as defined in the General Data Protection Regulation (GDPR) framework, is spelled out in the legal framework itself and referred to repeatedly in legal documentation and requirements.
Under GDPR regulations, personal data is specifically linked to any information “relating to an identified or identifiable natural person (data subject)… directly or indirectly.” GDPR also specifies general items that fall under personal data, including any name, ID number, online identifier, or “one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person.”
While PII and personal data are only slightly different, the legal ramifications are much more diverse. Anything that can be used to identify anyone is considered personal data and must remain secure, private and confidential. This includes items like security logs, consent forms, cookies and any tag or token used to maintain a customer’s presence or experience on an online platform.
It also means that you could face steep penalties, such as up to 4% of your total revenue, for emailing PII under GDPR jurisdiction.
PII and Sending Information with Email
Abstinence is the best remedy for protecting PII over email.
Think about what it takes to handle PII: secure servers, encryption, policies, procedures, audits, and more. Your email platform therefore must adhere to stringent security requirements. Sending PII over public email won’t comply with any data privacy regulation requirements, much less maintain customers’ privacy.
Organizations should consider using these data protection capabilities to comply with the regulations listed above:
- Encrypted email: The most straightforward way to secure email is to encrypt it. Several email platforms will include an encryption option, which sounds nice until you realize how unwieldy email encryption actually is.
If you choose to encrypt email, then you must either facilitate public key encryption or use an integrated email service that all your clients use as well. Since most public email providers don’t offer encryption, you must assume the cost. Additionally, most users are not going to understand, much less want to work with, encrypted emails.
- Using SFTP or other file transfers instead of email: SFTP, configured properly, can provide a secure and compliant way to share and transfer data. Again, however, you risk alienating the recipient. No customer is going to use an SFTP program to handle data (unless they operate in an industry in which SFTP is the norm).
- Secure email links: Secure email links blend the best of secure servers and email into one package. Instead of sending encrypted data, organizations send a secure email link to an encrypted server that holds the message in a simple email inbox. Recipients must authenticate themselves to gain access to that server and the message containing PII.
This last option is the simplest and most manageable way to protect PII over email. Not only does it remove the burden on users to learn or adopt new technologies, but it also shifts responsibility from the user to the IT infrastructure. With secure email links, you can ensure you meet other email compliance requirements like audit logging and user access management.
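As an added illustration of the advice above (example code, not from the original page or from Kiteworks): an outbound-mail gate that scans a message body for the linked PII types listed earlier, here Social Security Numbers and Luhn-valid card numbers, and routes any message that contains them to a secure-link flow instead of sending it in the clear. The regular expressions, the sample message and the `outbound_decision` function are assumptions made for this example.

```python
import re

# Constructed sample of an outbound message body (not a real customer message).
SAMPLE_BODY = """Hi Dana,
Please process the refund to card 4111 1111 1111 1111 for the customer.
Her SSN is 078-05-1120 and she lives in Springfield, IL.
Thanks, Sam"""

# SSN format: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged without leaking PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_linked_pii(body: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs for linked PII found in the body."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def outbound_decision(body: str) -> dict:
    """'send' when no linked PII is present, otherwise divert to a secure link."""
    findings = find_linked_pii(body)
    action = "secure_link" if findings else "send"
    return {"action": action, "findings": [(k, mask(v)) for k, v in findings]}


if __name__ == "__main__":
    print(outbound_decision(SAMPLE_BODY))
```

The masked findings are what an audit log should record; the gate itself is a complement to, not a substitute for, the encrypted-server flow described above.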
Send Secure Email Links with the Kiteworks Platform
The Kiteworks Content Firewall provides secure email and secure file sharing services that comply with several key data privacy requirements without sacrificing usability or enterprise functionality. When you adopt the Kiteworks platform, you can send secure email links to customers to ensure your email communications, especially those containing PII, stay protected and confidential. The Kiteworks platform provides several critical features to help you maintain your compliance and business strategies:
- A platform that helps you meet key data privacy requirements like HIPAA, NIST 800-171, FedRAMP, DPA, CCPA, GDPR and others. It also includes SOC 2 attestations for Amazon AWS and Microsoft Azure cloud environments.
- High-level encryption standards, including AES-256 encryption for data at rest and TLS 1.2 encryption for data in transit.
- Secure, easy access to all enterprise content repositories (without requiring migration), including cloud storage, file servers, ECM, ERP and CRM systems.
- One-click auditing and reporting to demonstrate adherence to internal processes and external compliance regulations.
- On-premise, private cloud, hybrid or FedRAMP deployment options with no intermingling of your data or metadata with other customers.
- A robust CISO Dashboard to help you monitor file activity (who sent what to whom) and access while providing forensic data in the event of an audit or forensic investigation.
- Advanced security features like threat detection, unified logging, and SIEM integration.
To learn how your email impacts your security and compliance, schedule a custom demo of Kiteworks today.