Sending PII Over Email: Security & Compliance Considerations
If your business receives PII over email from customers, contractors, or other individuals, there are strict regulations you must follow to avoid costly fines.
Is it safe to send PII via email? Not in the clear. An email message is stored on, and relayed through, mail servers you do not control, so the default answer is to keep PII out of email entirely. If you must send it, the message content has to be encrypted end to end (not merely protected by the opportunistic TLS that mail servers negotiate between themselves) so that an intercepted, forwarded, or misaddressed message exposes nothing readable, and the transfer has to satisfy the security requirements of whichever regulation governs that category of data.
What Is Personally Identifiable Information (PII)?
Simply stated, PII is any information that allows someone to “infer” someone else’s identity directly or indirectly. “Inferred,” in this case, can mean anything that makes someone’s identity determinable.
While this seems self-evident, PII is rather ill-defined in the U.S. As such, it can be hard to separate what constitutes PII and what doesn’t—especially when different contexts can change what it means to disclose confidential information.
NIST SP 800-122 describes PII in terms of two kinds of information: data that can distinguish or trace an individual's identity on its own (linked), and data that becomes identifying only when combined with other information (linkable). Linked information allows someone to ascertain an identity directly. PII examples in this category include:
- First and Last Name
- Home Address
- Work Address
- Social Security Number (SSN)
- Phone Number (Work, Home, or Cell)
- Information About Personal Property (Vehicle Identification Numbers, etc.)
- Credit or Debit Card Numbers
- Email Addresses
- IT-associated Information (Device-specific MAC Addresses, IP Addresses, Serial Numbers, etc.)
Linkable information is less direct and requires an outside party to combine two or more pieces of information to identify someone. Linkable information includes:
- Common First and Last Names
- Racial and Gender Categories
- Job Title
- Broader Address Items (City, State, Country, or Zip Code)
Linkable PII may appear "safer" than linked PII; however, you do not know in advance which combination of linkable items will disclose someone's identity (a job title plus a zip code plus a racial category can be enough in a small town). It is important therefore to use platforms, tools, and processes that protect data within your specific business cases.
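Several of the linked PII types above have a checkable structure, which is what outbound-mail DLP filters key on. The following Python is an added example, not code from the original article or from Kiteworks: it scans a message body for U.S. Social Security numbers (rejecting ranges the SSA never issues), payment card numbers (validated with the Luhn checksum that real PANs satisfy, so a random 16-digit order number is not a false positive), and email addresses, and can redact what it finds before the message is logged or bounced. Names and street addresses have no fixed format and need dictionary or NLP matching, which this example deliberately does not attempt. The sample message inside the test is constructed.

```python
"""Outbound-mail PII scanner (added example; not Kiteworks code)."""
from __future__ import annotations

import re

# Candidate patterns. SSN: ddd-dd-dddd. Card: 13-19 digits with optional
# space/hyphen separators. Email: a deliberately simple RFC-ish shape.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_for_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs for every structured PII hit in text."""
    hits: list[tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Length gate plus Luhn: filters out order numbers and phone-like digit runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group(0)))
    return hits


def redact(text: str) -> str:
    """Mask each hit (keeping the last four digits of numbers) so the message can
    be logged or returned to the sender without re-exposing the PII."""
    for kind, value in scan_for_pii(text):
        keep = "" if kind == "email" else value[-4:]
        text = text.replace(value, f"[{kind.upper()} REDACTED ...{keep}]")
    return text
```

A filter like this belongs at the mail gateway or in the sending application, where a hit can block the message or divert it to a secure-link workflow; it is a guardrail against accidental disclosure, not a substitute for the encryption and access controls the rest of this article describes.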
With that in mind, PII is defined and treated slightly differently under different data privacy regulations:
- Under HIPAA, the relevant category is protected health information (PHI): individually identifiable information, created or received by a covered entity or its business associate, about a person's past, present, or future physical or mental health, the care provided, or payment for that care. The Security Rule's transmission security standard (45 CFR 164.312(e)) requires that electronic PHI sent over open networks such as the internet be guarded against unauthorized access; encryption is an "addressable" specification, meaning you must implement it or document why an equivalent measure is reasonable.
- PCI DSS is concerned with cardholder data (the primary account number plus cardholder name, expiration date, and service code) and with sensitive authentication data (full track data, CVV/CVC codes, PINs), which may never be stored after authorization and therefore has no business in an email at all. For the PAN itself, the standard is explicit: it must be protected with strong cryptography whenever it is sent by end-user messaging technologies such as email or chat (Requirement 4.2.2 in PCI DSS v4.0, Requirement 4.2 in v3.2.1).
- FedRAMP is split into three impact levels (Low, Moderate, High), and the kinds of PII a system may hold differ by level. Many Low Impact systems hold little PII beyond login credentials (username and password), while High Impact systems may handle data like PHI. Every FedRAMP baseline inherits NIST SP 800-53 controls that require confidentiality protection for data in transit, so PII leaving a FedRAMP boundary by email must be encrypted.
Is PII Different From Personal Data?
While PII is a bit ill-defined in the United States, the European Union has taken steps to make the definition more concrete. The concept of "personal data" is spelled out in the text of the General Data Protection Regulation (GDPR) itself and is referred to repeatedly in legal documentation and requirements.
What Is PII Under General Data Protection Regulation (GDPR)?
Under GDPR, Article 4(1) defines personal data as any information "relating to an identified or identifiable natural person (data subject)," where identification may be "directly or indirectly" possible. The same article lists examples of what can identify a person, including a name, an identification number, location data, an online identifier, or "one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
While the definitions of PII and personal data differ only slightly, the legal ramifications under GDPR are much broader. Anything that can be used to identify a person is personal data and must be kept secure, private, and confidential. This includes items like security logs, consent forms, cookies, and any tag or token used to maintain a customer's session or experience on an online platform.
It also means that failing to protect personal data adequately (Article 32 requires "appropriate technical and organisational measures," which for email in practice means encryption) can lead to steep penalties under Article 83: up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, plus a 72-hour breach notification duty under Article 33 if an unprotected email is lost or misdelivered.
PII and Sending Information With Email
Abstinence is the best remedy for protecting PII over email.
Think about what it takes to handle PII: secure servers, encryption, policies, procedures, audits, and more. Your email platform therefore must adhere to the same stringent security requirements. Sending PII through an ordinary, unencrypted email account will not satisfy any data privacy regulation, much less maintain customers' privacy.
Organizations should consider using these data protection capabilities to comply with the regulations listed above:
Encrypted email: The most straightforward way to secure email is to encrypt the message itself. Several email platforms offer an encryption option, which sounds nice until you realize how unwieldy end-to-end email encryption actually is in practice.
If you choose to encrypt email, you must either deploy a public key scheme such as S/MIME or OpenPGP, which means issuing, exchanging, and renewing certificates or keys with every correspondent, or use an integrated encrypted email service that all your clients use as well. Most consumer email providers protect messages only in transit between mail servers with opportunistic TLS, which can be downgraded and which still leaves the message readable on every server it passes through; they do not offer end-to-end encryption, so you must assume the cost of providing it. Additionally, most users are not going to understand, much less want to work with, encrypted emails.
Replacing Email With SFTP or Other File Transfers
SFTP, configured properly (key-based authentication, restricted accounts, and logging), can provide a secure and compliant way to share and transfer data. Again, however, you risk alienating the recipient. Few customers are going to install and use an SFTP client to retrieve data, unless they operate in an industry in which SFTP is the norm.
Secure Email Links
Secure email links blend the best of secure servers and email into one package. Instead of sending encrypted data, the organization sends a plain notification email containing a link to a message held on an encrypted server. The recipient must authenticate to that server before the message containing the PII is released, so the email itself carries nothing sensitive and a forwarded or intercepted notification is useless on its own.
This last option is the simplest and most manageable way to protect PII over email. Not only does it remove the burden on users to learn or adopt new technologies, but it also shifts responsibility from the user to the IT infrastructure. Because every access goes through the server, secure email links also let you meet other email compliance requirements like audit logging, link expiry and revocation, and user access management.
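To make the flow concrete, here is an added Python example of the server side of a secure-link scheme; it is illustrative code written for this article, not Kiteworks' implementation. The email carries only an opaque random token in a URL; the server stores a hash of that token (so a leaked database does not yield working links), enforces link expiry and single use, requires the recipient to enter a one-time code before the message is released, locks the link after repeated wrong codes, and records an audit trail. The in-memory dictionary standing in for the database, the base URL, and the 7-day/10-minute validity windows are all assumptions of the example.

```python
"""Secure-link issuance and redemption (added example; not Kiteworks code)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600   # link validity in seconds (assumed policy)
OTP_TTL = 10 * 60           # one-time code validity in seconds (assumed policy)
MAX_OTP_ATTEMPTS = 3        # wrong codes allowed before the link is burned


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


class SecureLinkStore:
    """Server-side store for secure-link messages. Replace the dict with a database."""

    def __init__(self, base_url: str = "https://mail.example.com/m/"):  # placeholder host
        self.base_url = base_url
        self._records: dict = {}     # sha256(token) -> record
        self.audit: list = []        # (event, recipient, timestamp) for compliance logging

    def issue(self, recipient_email: str, message: str, now=None) -> str:
        """Store the message server-side and return the only thing that goes in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)         # 256 bits of entropy, URL-safe alphabet
        self._records[_sha256(token)] = {
            "recipient": recipient_email.lower(),
            "message": message,
            "expires": now + TOKEN_TTL,
            "otp_hash": None, "otp_expires": 0.0, "attempts": 0,
            "used": False,
        }
        self.audit.append(("issued", recipient_email.lower(), now))
        return self.base_url + token

    def _live(self, token: str, now: float):
        rec = self._records.get(_sha256(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        return rec

    def start_auth(self, token: str, now=None):
        """Step 1 when the link is clicked: create a one-time code for out-of-band delivery.
        Returns None for unknown, expired or already-used links."""
        now = time.time() if now is None else now
        rec = self._live(token, now)
        if rec is None:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        rec["otp_hash"] = _sha256(otp)
        rec["otp_expires"] = now + OTP_TTL
        self.audit.append(("otp_sent", rec["recipient"], now))
        # In production the code is sent to the recipient's mailbox or phone and
        # never returned to the browser; it is returned here so the example can run.
        return otp

    def redeem(self, token: str, otp: str, now=None):
        """Step 2: release the message once, only if the code is right and still valid."""
        now = time.time() if now is None else now
        rec = self._live(token, now)
        if rec is None or rec["otp_hash"] is None or now > rec["otp_expires"]:
            return None
        if not hmac.compare_digest(rec["otp_hash"], _sha256(otp)):  # constant-time compare
            rec["attempts"] += 1
            self.audit.append(("otp_failed", rec["recipient"], now))
            if rec["attempts"] >= MAX_OTP_ATTEMPTS:
                rec["used"] = True                 # burn the link; sender must re-issue
                self.audit.append(("locked", rec["recipient"], now))
            return None
        rec["used"] = True                         # single use: replay of the link is dead
        self.audit.append(("opened", rec["recipient"], now))
        return rec["message"]
```

A code delivered to the same mailbox proves control of that mailbox at the moment of opening, which defeats a link that was forwarded or scraped from a log; it does not help if the mailbox itself is compromised, which is why enterprise products additionally bind links to an existing account or SSO identity for higher-sensitivity content.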
Legal and Compliance Issues When Sending PII Over Email
Sending PII over email is insecure and can lead to unauthorized access to private and confidential data. Ordinary email is encrypted, at best, only hop by hop between mail servers with opportunistic TLS; that protection can be downgraded, and the message sits in readable form on every sending, relaying, and receiving server, in backups, and in any mailbox it is forwarded to. There are other risks organizations face when sending PII over email, including:
- Data Protection: Sending PII over email may violate data protection laws in the jurisdictions of both the sender and the recipient. Those laws may require the sender to take additional measures to ensure that the email is secure and that data is not disclosed inappropriately.
- Privacy and Consent: Sending PII over email may violate privacy and consent laws in those same jurisdictions. In some cases, permission must be obtained from the individual before their personal data can be sent.
- Anti-spam Laws: Sending PII over email may violate anti-spam laws where the recipient is located. Unsolicited emails may be prohibited, and any emails containing PII must be sent in accordance with the law.
- International Transfers: Sending PII over email may also involve moving data between countries, triggering additional legal and compliance obligations, such as the cross-border transfer rules of the EU General Data Protection Regulation (GDPR).
NIST PII Guidance
The National Institute of Standards and Technology (NIST) publishes the most widely used U.S. guidance on protecting PII. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information, explains how to identify PII, assess its confidentiality impact level, and apply safeguards; NIST SP 800-53 supplies the underlying security and privacy controls for areas such as data collection, storage, transmission, access control, encryption, and audit logging; and the NIST Cybersecurity Framework (CSF) and Privacy Framework give organizations a higher-level structure for designing and running a security and privacy program around those controls.
Organizations should consider building their PII program on this NIST guidance because it is comprehensive and actionable, comes from a trusted and authoritative source, and provides a solid foundation for the secure and responsible handling of sensitive customer data. Following it can help protect organizations from security risks and data privacy breaches. It also maps closely to what regulators expect: HIPAA does not legally mandate NIST controls, but NIST SP 800-66 maps the HIPAA Security Rule to the SP 800-53 controls, FedRAMP baselines are built directly on SP 800-53, and defense contractors handling controlled unclassified information must meet NIST SP 800-171, so aligning with NIST guidance goes a long way toward avoiding costly fines under these regimes.
Send Secure Email Links With the Kiteworks Platform
The Kiteworks Private Content Network provides secure email and secure file sharing services that comply with several key data privacy requirements without sacrificing usability or enterprise functionality. When you adopt the Kiteworks platform, you can send secure email links to customers to ensure your email communications, especially those containing PII, stay protected and confidential. The Kiteworks platform provides several critical features to help you maintain your compliance and business strategies:
- A platform that helps you meet key data privacy requirements like HIPAA, NIST 800-171, FedRAMP, DPA, CCPA, GDPR, and others. It also includes SOC 2 attestations for Amazon AWS and Microsoft Azure cloud environments.
- High-level encryption standards, including AES-256 encryption for data at rest and TLS 1.2 encryption for data in transit.
- Secure, easy access to all enterprise content repositories (without requiring migration), including cloud storage, file servers, ECM, ERP, and CRM systems.
- One-click auditing and reporting to demonstrate adherence to internal processes and external compliance regulations.
- On-premises, private cloud, hybrid, or FedRAMP deployment options with no intermingling of your data or metadata with other customers.
- A robust CISO Dashboard to help you monitor file activity (who sent what to whom) and access while providing forensic data in the event of an audit or forensic investigation.
- Advanced security features like threat detection, unified logging, and SIEM integration.
To learn how your email impacts your security and compliance, schedule a custom demo of Kiteworks today.