Five Key Questions to Answer When Working with Personally Identifiable Information
While there are several factors in deciding to commission custom software versus buying off the shelf, one area that requires extra care and discussion while setting up a project is the set of choices around handling personally identifiable information (PII). In case you’re skeptical, recall that Target suffered a massive breach in 2013, resulting in damages costing $252 million, before the 140 filed lawsuits against the corporation.
Whether you’re Target or a new small business, you are likely familiar with the CCPA (now CPRA), and policies for the App Store and Play Store. (If you don’t know about the latter, your app being removed will get your attention). In the US, there are state-by-state digital privacy laws coming into effect in 2024 and beyond. In Europe, the GDPR has been in effect since 2018.
During these discussions on how your project will handle PII, we recommend five key questions to discuss with your development team. These will help you stay ahead of security requirements and aligned with the law.
Question 1: Where will the data come from?
Why it matters: If your data is coming from a third party API, you and your development team will want to be mindful of whether the vendor is fully aware of, and meeting, their compliance requirements for supplying PII and clarify up front what you need to do as a customer.
We once had a project that required credit report data, and the vendor came back to us (more than once) with urgent requirements around encryption and data retention well into the project. We were told that if their customers were not compliant with security guidelines, they the vendor would lose access to the credit bureau data.
Question 2: What data do we absolutely need?
Why it matters: The more data you have, the more responsibility for safeguarding. It’s worthwhile to go through and map which types of data are absolutely required for this project at this time, and why.
Question 3: How spread out geographically is our user base now? What about as we grow?
Why it matters: If you are only based in the US right now, but anticipate growing into Europe, it may be worthwhile to set up your data security infrastructure to comply with GDPR now, rather than have to go back, audit, and initiate a change management project. The laws protect residents of those places, so you must comply even if your business is not registered or located there.
Question 4: What preventative security measures can we take with the data we receive and use?
Why it matters: The old saying goes, an ounce of prevention is worth a pound of cure. When you’re planning a project, if you take time to work through roles and permissions and how data will be securing in transit and in your project’s UI, you decrease your chances of a breach.
Additionally, we strongly recommend ensuring software testing is part of your project’s budget. Testing makes sure the code is as resilient as possible, although as soon as it’s released into the wild there will of course be opportunities to further improve it.
For example, as a standard, TSL includes checks on APIs as part of automated backend tests. Big companies like Meta, Github, Atlassian, and so on also host bug bounty programs, where they pay above-board hackers to find security risks and report them, before they turn into real data breaches. While most companies don’t have a Big Tech budget, it’s still common practice to contract an individual Certified Ethical Hacker hacker to test your project too. (Sometimes, it’s actually a policy to require a third party hacker to do testing in order to use certain organizations’ PII!) The developer team likely knows someone they can recommend.
Question 5: What kind of data contingency plan can we create?
Why it matters: Consider a data contingency plan like an insurance policy – you spend the time and money up front on creating it, in hopes you’ll never need to use it. The effort up front will never be more than the effort required to clean up a breach. Further, if you want to do business with entities like municipalities, enterprises, or non-governmental organizations, you will likely have to produce a contingency plan as well as a data retention policy. It will make closing deals easier if you prepare in advance.
Top Takeaway
In software, we can never reduce security risk to zero, but having conversations early and often including these five questions can at least reduce needless risk. As always, if you have questions or want to talk through anything you read, please get in touch. We’re happy to chat.