
Salesforce Security 101: What is PII Compliance?

Your Salesforce Org stores some of your customers’ and prospects’ most sensitive information. This sensitive information, also known as personally identifiable information (PII), is the lifeblood of your sales and marketing operations — but it can also lead to huge security concerns.

Unfortunately, it only takes one security breach for your customers to lose trust in your company — and for your business to suffer as a result. Failure to secure PII leads to heavy regulatory fines and lawsuits, and even worse, it could cause irreparable damage to your business.

In this post, we’re breaking down what exactly PII is, and how to maintain security and compliance while continuing to run effective revenue operations. 

What is PII?

Personally identifiable information is any data that can be used to directly identify a specific individual. It includes, obviously, a person’s first and last name, email address, social insurance number, phone number or address — but also more obscure things like IP addresses.

There are two types of PII: sensitive and non-sensitive. Non-sensitive PII is generally anything in the public record, like an address or business phone number. Sensitive PII, on the other hand, includes things like bank account numbers, passport information or credit card details — data that is typically protected by legal or regulatory privacy frameworks. 

What is PII compliance?

There are several regulatory standards that govern PII compliance. Some of them only affect organizations based in a specific country/region; others, like the EU’s GDPR, affect any business operating in that region. Here’s a rundown of some of the regulations that are more commonly in scope for North American businesses:

  • GDPR. The General Data Protection Regulation is a regulatory framework that focuses on data protection in the EU (European Union) and EEA (European Economic Area). Among other things, the GDPR addresses misuse and exploitation of consumer data. The fines for breaching these PII compliance requirements are some of the highest in the world, going up to 20 million euros. 
  • CCPA. The California Consumer Privacy Act (CCPA) is the first of its kind in the US. The CCPA provides California residents with the ability to control how businesses process their personal information. Businesses will now have to honor requests from California residents to access, delete, and opt out of sharing or selling their information.
  • GLBA. The Gramm-Leach-Bliley Act is a US-based framework that focuses on how financial institutions protect and share sensitive data about their customers. The GLBA requires that institutions communicate with consumers about how their data is being used and give them the option to opt out of data sharing.
  • PCI DSS. The Payment Card Industry Data Security Standard specifies information security standards for companies that work with credit card information. The standard requires all companies working with credit card information to maintain cybersecurity through the use of firewalls, encryption, regular updates, access restrictions, etc. Learn how to leverage File Integrity Monitoring for PCI DSS here.
  • HIPAA. The Health Insurance Portability and Accountability Act is a well-known compliance standard that aims to protect patients’ sensitive information, also known as protected health information (PHI). HIPAA requires healthcare providers and other companies working with PHI to have proper redundancy and security measures in place, with specific requirements around things like physical and online access, data transfer and regular audits. 

Salesforce’s New PII Security Setting

To ensure the safety and security of consumers, Salesforce introduced a new security setting in their Winter ’22 release called the Enhanced Personal Information Management permission. This permission restricts external users from viewing personal information in your user records. By default, this new feature allows you to choose up to 20 fields to secure by setting each field’s compliance category as “PersonalInfo”. Admins can choose which fields are considered personal information — and once a field is set as “PersonalInfo”, it will be hidden from other external users.

For instructions on how to set up this new permission, click here.
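Because the setting only protects fields whose compliance category actually says “PersonalInfo”, it is worth verifying the configuration rather than assuming it. The script below is an added example (not Netwrix’s or Salesforce’s code): it reads a small, constructed snapshot of User field definitions shaped like Metadata API field documents (the `complianceGroup` element and the `http://soap.sforce.com/2006/04/metadata` namespace are assumed to match what the API returns; the PII name heuristic is also an assumption), lists the fields that carry the category, flags fields whose names suggest PII but that are not marked, and checks the 20-field limit mentioned above.

```python
"""Audit User field definitions for the "PersonalInfo" compliance category.

Added example, not Netwrix's or Salesforce's own code. Input is a constructed
dictionary of field-name -> metadata XML, shaped like the Salesforce Metadata
API CustomField documents (namespace and complianceGroup element are assumed).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}  # assumed Metadata API namespace
PERSONAL_INFO_LIMIT = 20  # field limit stated in the post

# Heuristic (assumption): User field names that usually hold personal information.
PII_NAME_HINTS = re.compile(
    r"(phone|mobile|email|address|street|city|postal|ssn|sin|birth)", re.I
)

# Constructed sample snapshot: one metadata document per User field.
SAMPLE_FIELDS = {
    "Phone": """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
        <fullName>Phone</fullName><complianceGroup>PII;PersonalInfo</complianceGroup>
        </CustomField>""",
    "MobilePhone": """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
        <fullName>MobilePhone</fullName></CustomField>""",
    "Email": """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
        <fullName>Email</fullName><complianceGroup>PersonalInfo</complianceGroup>
        </CustomField>""",
    "Title": """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
        <fullName>Title</fullName></CustomField>""",
}


def compliance_categories(field_xml: str) -> set[str]:
    """Return the semicolon-separated compliance categories set on a field."""
    root = ET.fromstring(field_xml)
    node = root.find("m:complianceGroup", NS)
    if node is None or not node.text:
        return set()
    return {c.strip() for c in node.text.split(";") if c.strip()}


def audit(fields: dict[str, str]) -> dict:
    """Summarize which fields are protected and which look forgotten."""
    marked = sorted(
        name for name, xml in fields.items()
        if "PersonalInfo" in compliance_categories(xml)
    )
    unmarked_pii = sorted(
        name for name in fields
        if name not in marked and PII_NAME_HINTS.search(name)
    )
    return {
        "personal_info_fields": marked,
        "likely_pii_unmarked": unmarked_pii,
        "over_limit": len(marked) > PERSONAL_INFO_LIMIT,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_FIELDS).items():
        print(f"{key}: {value}")
```

In a real org you would feed this the field metadata retrieved for the User object and treat every entry in `likely_pii_unmarked` as a review item; the name heuristic is deliberately loose, so expect to prune false positives by hand.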

Protecting PII

Protecting PII extends well beyond the scope of Salesforce. It encompasses both technical and physical controls, and will often depend on the specifics of the organization — how it works, what it works with and what compliance requirements it is subject to. With that said, some general best practices for protecting PII include:

  • Locating all of the sensitive information in your system
  • Utilizing data classification to accurately identify and categorize the types of information in your system. We have a post walking you through data classification here. 
  • Deleting or archiving any sensitive information that is no longer needed or in use
  • Using encryption (this one might be the most important!)
  • Implementing proper offboarding processes for employees
  • Identifying and eliminating any permission errors
  • Minimizing data collection
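The first two practices above, locating sensitive information and classifying it, can be automated for exported records. The following Python script is an added example (not Netwrix’s code or any product’s logic): it scans a few constructed CRM-style rows for common PII patterns and applies the sensitive/non-sensitive split described earlier in the post. Card numbers are only reported when they pass the Luhn check, and 9-digit identifiers are treated like a Canadian social insurance number, which is also Luhn-validated; the regular expressions and the category mapping are illustrative assumptions, not a standard.

```python
"""Locate and classify PII in a batch of records (added example, not Netwrix code).

Scans constructed sample rows for emails, phone numbers, payment card numbers
and 9-digit Luhn-valid identifiers, then labels each finding as "sensitive"
or "non-sensitive" following the post's distinction. Patterns are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
GOV_ID = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")  # e.g. Canadian SIN

SENSITIVE = {"card", "gov_id"}  # assumption: mapping of kinds to the post's categories

# Constructed sample records; the numbers are standard test values, not real data.
SAMPLE_RECORDS = [
    {"Id": "003A", "Email": "jane.doe@example.com", "Phone": "416-555-0199",
     "Notes": "prefers email"},
    {"Id": "003B", "Email": "", "Phone": "",
     "Notes": "card on file 4111 1111 1111 1111, SIN 046 454 286"},
    {"Id": "003C", "Email": "", "Phone": "", "Notes": "order #1234567890123 shipped"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by payment cards and Canadian SINs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record_id: str
    field: str
    kind: str
    sensitivity: str


def classify_value(value: str) -> list[str]:
    """Return the kinds of PII found in one field value."""
    kinds: list[str] = []
    for m in CARD.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.append("card")
    # Mask long digit runs so shorter patterns do not re-match pieces of a card number.
    text = CARD.sub(lambda m: "#" * len(m.group()), value)
    for m in GOV_ID.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.append("gov_id")
    if PHONE.search(text):
        kinds.append("phone")
    if EMAIL.search(text):
        kinds.append("email")
    return kinds


def scan_records(records: list[dict[str, str]]) -> list[Finding]:
    """Scan every non-empty field except the record Id."""
    findings: list[Finding] = []
    for rec in records:
        for field, value in rec.items():
            if field == "Id" or not value:
                continue
            for kind in classify_value(value):
                sensitivity = "sensitive" if kind in SENSITIVE else "non-sensitive"
                findings.append(Finding(rec["Id"], field, kind, sensitivity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per sensitivity category."""
    counts = {"sensitive": 0, "non-sensitive": 0}
    for f in findings:
        counts[f.sensitivity] += 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.record_id} {f.field}: {f.kind} ({f.sensitivity})")
    print(summarize(results))
```

The interesting case is the free-text Notes field: structured Email and Phone columns are easy to classify by name, but card and ID numbers typed into notes are exactly what a name-based classification misses, and the Luhn check keeps an order number from being reported as a card.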

The Cost of a Data Breach

As we mentioned, customer information is some of the most critical data your company works with — but it’s also the most vulnerable. In 2018, PII accounted for 97% of security breaches, leading to significant financial consequences for impacted companies. 

IBM’s Cost of a Data Breach Report states that the average cost of a PII breach in 2020 was $3.86 million — a number that jumps to $7.13 million for the healthcare industry. To put those figures in context, PII data breaches typically cost an organization $150/record; the more customer data you store, the more vulnerable you are.

With all of this said, it’s critical for organizations to know the importance of protecting PII in Salesforce. The data protection techniques above will get you on the right track — but if you store a lot of data in your Salesforce Org (or any business application), you should consider investing in data security software to help you effectively protect your PII while also monitoring for security threats.

Get in touch with Netwrix to learn how our data security tools can help get you started.

As VP of Sales and Marketing, Paul is responsible for driving growth of the Infrastructure and Applications products in the Netwrix portfolio. His main areas of focus are security and compliance for NetSuite, Salesforce and Network Infrastructure. He is passionate about Go To Market Strategies and driving positive outcomes for customers. Previously, Paul served as the VP of Sales and Marketing at Strongpoint where he ran Go To Market functions before it was acquired by Netwrix. Paul holds a Bachelor of Arts degree and a Masters in Business Administration from McMaster University in Hamilton, Ontario, Canada.