Sending PII Over Email: Security & Compliance Considerations
If your business receives PII over email from customers, contractors, or other individuals, there are strict regulations you must follow to avoid costly fines.
Is it safe to send PII via email? No, you should never send PII over email. However, if you must send PII over email, it needs to be encrypted and certain security protocols must be met to ensure that if it’s intercepted, the PII won’t be readable.
What Is Personally Identifiable Information (PII)?
Simply stated, personally identifiable information (PII) is any information that allows someone to “infer” someone else’s identity directly or indirectly. “Inferred,” in this case, can mean anything that makes someone’s identity determinable.
While this seems self-evident, PII is rather ill-defined in the U.S. As such, it can be hard to separate what constitutes PII and what doesn’t—especially when different contexts can change what it means to disclose confidential information.
NIST SP 800-122 Guidelines on Categorization of PII
The National Institute of Standards and Technology (NIST) divides PII into two categories: linked and unlinked. Linked information can allow someone to ascertain an identity directly. PII examples in this category include:
- First and Last Name
- Home Address
- Work Address
- Social Security Number (SSN)
- Phone Number (Work, Home, or Cell)
- Information About Personal Property (Vehicle Identification Numbers, etc.)
- Birthdate
- Credit or Debit Card Numbers
- Email Addresses
- IT-associated Information (Device-specific MAC Addresses, IP Addresses, Serial Numbers, etc.)
Unlinked information is less direct and requires an outside party to combine two or more pieces of information to identify someone. Unlinked information includes:
- Common First and Last Names
- Racial and Gender Categories
- Age
- Job Title
- Broader Address Items (City, State, Country, or Zip Code)
Unlinked PII may appear “safer” than linked PII; however, you don’t know what combination of unlinked PII will accidentally disclose someone’s identity. It is important therefore to use platforms, tools, and processes that protect data within your specific business cases.
With that in mind, PII is defined and treated slightly differently under different data privacy regulations:
- Under the Health Insurance Portability and Accountability Act (HIPAA), PII is better understood as protected health information (PHI). HIPAA defines PHI under the Privacy Rule as any information regarding a patient’s health, healthcare or treatment, or billing and payment related to health and treatment.
- The Payment Card Industry Data Security Standard (PCI DSS) emphasizes card payment data, so emailed PII will almost exclusively refer to credit card numbers as well as any combination of name, address, phone number, or email address that can identify a customer.
- FedRAMP is split into three Impact levels (Low, Moderate, High) and PII types differ by level. Many Low Impact systems for example might not contain PII outside of login credentials (username and password) while High Impact systems may handle data like PHI. Emailing PII is prohibited under FedRAMP unless it is encrypted.
Is PII Different From Personal Data?
While PII is a bit ill-defined in the United States, the European Union has taken steps to make the definition more concrete. That’s why the concept of “Personal Data,” as defined in the General Data Protection Regulation (GDPR) framework, is spelled out on the legal framework and referred to repeatedly in legal documentation and requirements.
What Is PII Under General Data Protection Regulation (GDPR)?
Under GDPR regulations, personal data is specifically linked to any information “relating to an identified or identifiable natural person (data subject) … directly or indirectly.” GDPR also specifies general items that fall under personal data, including any name, ID number, online identifier, or “one or more factors specific to the physical, physiological, genetic, economic, cultural, or social identity of that natural person.”
While PII and personal data are only slightly different, the legal ramifications are much more diverse. Anything that can be used to identify anyone is considered personal data and must remain secure, private, and confidential. This includes items like security logs, consent forms, cookies, and any tag or token used to maintain a customer’s presence or experience on an online platform.
It also means that you could face steep penalties—like up to 4% of your total revenue—for emailing PII under GDPR jurisdiction.
Encryption Techniques to Secure PII
Encryption is a widely used technique to secure personally identifiable information (PII) before sending it over email. Protecting PII is critical because it contains sensitive information that can cause harm if it falls into the wrong hands, such as identity theft, credit card fraud, and other malicious activities. Encryption provides an additional layer of security to emails containing PII, ensuring that the information remains confidential and secure. It is a vital tool for organizations to protect their clients’ confidential information while in transit. By encrypting PII, organizations ensure that the information is secure and inaccessible to unauthorized individuals. Here are some common ways to encrypt PII:
Symmetric Encryption for Protecting PII
The symmetric encryption technique uses a single secret key to both encrypt and decrypt content. This technique is ideal for securing PII because it guarantees confidentiality and authenticity of the content. The key is kept secret and only authorized users can access it.
Asymmetric Encryption for Protecting PII
The asymmetric encryption technique uses two keys—one to encrypt content and the other to decrypt it. The sender encrypts content using the recipient’s public key and the recipient decrypts content using their private key. This technique is particularly useful to secure PII content during transmission.
Hashing for PII Protection
Hashing is a technique that creates a unique digital fingerprint of PII content that cannot be reversed. It is particularly useful for securing PII because even if an attacker gains access to the hashed content, it is practically impossible to derive the original content from it.
Tokenization for PII Protection
Tokenization replaces sensitive content with a unique identifier, or token, that has no value or meaning outside of the system where it is used. This technique is particularly useful for securing PII in storage or during transactions, as it ensures that the sensitive content remains protected even if the system is compromised. Tokenization also allows for more efficient processing of transactions and reduces the potential for data leakage.
Encryption Key Management for PII Protection
Proper encryption key management is critical to maintaining the security of encrypted content. Keys must be stored securely and only provided to authorized parties. Key rotation and revocation are also important to ensure that compromised keys do not compromise the security of encrypted data.
While implementing a combination of these encryption techniques can create a strong and comprehensive security strategy for protecting PII, it is important to regularly review and update encryption methods to ensure that they are up to date and effective against emerging threats.
PII and Sending Information With Email
Abstinence is the best remedy for protecting PII over email.
Think about what it takes to handle PII: secure servers, encryption, policies, procedures, audits, and more. Your email platform therefore must adhere to stringent security requirements. Sending PII over public email won’t comply with any data privacy regulation requirements, much less maintain customers’ privacy.
In addition to encryption (covered above), organizations should consider using these data protection capabilities to comply with the regulations listed above
Avoiding Email for SFTP or Other File Transfers
SFTP, configured properly, can provide a secure and compliant way to share and transfer data. Again, however, you risk alienating the recipient. No customer is going to use an SFTP program to handle data (unless they operate in an industry in which SFTP is the norm).
Secure Email Links
Secure email links blend the best of secure servers and emails into one package. Instead of sending encrypted data, organizations send a secure email link to an encrypted server that contains the message in a simple email inbox. The user must authenticate him/herself to gain access to that server and the message containing PII.
This last option is the simplest and most manageable way to protect PII over email. Not only does it remove the burden on users to learn or adopt new technologies, but it also shifts responsibility from the user to the IT infrastructure. With secure email links, you can ensure you meet other email compliance requirements like audit logging and user access management.
Legal and Compliance Issues When Sending PII Over Email
Sending PII over email can be insecure and lead to unauthorized access to private and confidential data. Most email services are not encrypted and can therefore be intercepted in transit, allowing hackers to access sensitive data. There are other risks organizations face when sending PII over email, including:
- Data Protection: Sending PII over email may violate data protection laws in the jurisdiction which the sender is receiving the data. Data protection laws may require the sender to undertake additional measures to ensure that the email is secure and that data is not disclosed inappropriately.
- Privacy and Consent: Sending PII over email may violate privacy and consent laws in the jurisdiction which the sender is receiving the data. In some cases, permission must be obtained from the user before personal data can be sent.
- Anti-spam Laws: Sending PII over email may violate anti-spam laws in the jurisdiction which the sender is receiving the data. Unsolicited emails may be prohibited and any emails containing PII must be sent in accordance with the law.
- International Transfers: Sending PII over email may also involve moving data between countries, triggering additional legal and compliance obligations, such as the EU General Data Protection Regulation (GDPR).
NIST PII Standards on Protecting PII
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), as well as the NIST Privacy Framework, provide PII Standards to protect the PII of individuals. The framework provides organizations guidance when designing and implementing an information security program. The PII standards contain controls for protecting PII in areas such as data collection, data storage, data transmission, software development, physical access control, access control lists, and encryption. The standards also specify audit and reporting requirements.
Organizations should consider implementing NIST CSF’s PII standards to protect PII because they are comprehensive and actionable guidelines, established by a trusted and authoritative source, that provide a solid foundation to ensure the secure and responsible handling of sensitive customer data. Following these standards can help protect organizations from potential security risks and data privacy breaches. Additionally, data privacy regulations such as HIPAA utilize the NIST CSF’s PII standards as the minimum security requirements for organizations handling PII, so compliance with NIST CSF’s PII standards can help organizations avoid costly fines for violating these regulations.
Send Secure Email With Kiteworks
The Kiteworks Private Content Network (PCN) provides advanced protection and compliance for sensitive content, such as personally identifiable information (PII), and other confidential information that enterprises share with trusted partners across various communication channels.
The Kiteworks PCN provides secure email and secure file sharing services that comply with several key data privacy requirements without sacrificing usability or enterprise functionality. It combines a hardened virtual appliance, end-to-end encryption, and audit logging to ensure that employees can securely share, collaborate, and manage confidential information from any device or location.
In addition, the Kiteworks Email Protection Gateway automates email protection with end-to-end encryption to protect private email content from cloud service providers and malware attacks.
Kiteworks also provides detailed visibility and audit trails to ensure that documents remain compliant with industry regulations and standards, such as GDPR, HIPAA, the Cybersecurity Maturity Model Certification (CMMC), and many others. This makes Kiteworks an invaluable tool for organizations that need to protect PII and demonstrate compliance with relevant regulations.
Additonal Resources