Secure the PII data, BEFORE you invest
Would you risk investing into a startup that shares the Personal Information of its users?
In a recent Tech Due Diligence engagement for an Investment Fund, the target startup was a tech platform that had to capture end users’ PII data as part of onboarding new users.
Personally Identifiable Information (PII) is any piece of information that can identify a particular individual: name, address, email id, phone number, social security number, and so on. Different countries define the nature of PII to suit their constitutional, legal and national provisions. Some countries even treat an individual's fingerprints as PII data.
We observed that this particular platform was not masking its users’ PII data before storing it, and had no access control in place for this data in its storage. We raised this as a critical severity finding, as it could attract serious legal and other consequences and cost millions of dollars in compensation in the future once the startup scales.
Why should tech platforms secure PII data?
Securing PII data is essential for an individual's privacy and data protection rights. If an unauthorized person gets access to someone else’s PII data, it directly exposes that individual, and an unauthorized person with access to the platform's PII data can misuse it in many ways.
Securing PII data is also essential for meeting data retention policies, and it is a valuable way to gain customer / user trust.
How can tech platforms secure PII data?
- First of all, classify your PII data. Not all platforms will have the same data points as their sensitive and non-sensitive PII, so identify them for your own platform.
- Mask or encrypt PII data fields before storing them.
- Do not write unmasked PII data to log files or log messages.
- Implement access control and privileges for accessing PII data
- Document your platform’s policies and procedures for storing and accessing PII data
- Ensure periodic reviews
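One way to put the classification, storage and logging items above into practice, as an added example that is not from the original post or from any platform it describes. The field tiers, the key and the sample values are constructed for illustration; keyed pseudonymization stands in for encryption at rest, which would need a key-management service.

```python
import hashlib, hmac, logging, re
# Step 1 of the list above: classify fields. Field names and tiers here are constructed for the example.
FIELD_TIER = {"ssn": "sensitive", "phone": "sensitive", "email": "identifying", "name": "identifying"}
# Constructed key for the example only; in production load it from a secret store / KMS, never from source.
PSEUDONYM_KEY = b"example-only-key-rotate-me"

def mask_email(email: str) -> str:
    """Keep the first character and the domain: jane.doe@example.com -> j*******@example.com."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain

def mask_digits(value: str, keep_last: int = 4) -> str:
    """Mask every digit except the last keep_last, keeping separators: 123-45-6789 -> ***-**-6789."""
    total, seen, out = sum(c.isdigit() for c in value), 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)

def pseudonymize(value: str) -> str:
    """Keyed hash (HMAC-SHA256): records can still be matched on the SSN without the SSN being stored."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()

def prepare_for_storage(record: dict) -> dict:
    """Step 2: sensitive-tier fields are stored only as keyed pseudonyms, never in the clear.
    (Reversible, KMS-backed encryption of the identifying tier is the other half of that step.)"""
    stored = dict(record)
    for field, tier in FIELD_TIER.items():
        if tier == "sensitive" and field in stored:
            stored[field] = pseudonymize(stored[field])
    return stored

# Step 3: raw PII must never reach a log line, even when the caller forgot to mask it.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
def redact(text: str) -> str:
    text = EMAIL_RE.sub(lambda m: mask_email(m.group()), text)
    return SSN_RE.sub(lambda m: mask_digits(m.group()), text)

class PIIRedactingFilter(logging.Filter):
    """Attach to every handler so redaction covers all log messages, not only the careful ones."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True
```

Install the filter with `logging.getLogger().handlers[0].addFilter(PIIRedactingFilter())` after configuring logging; the regexes only cover the two PII formats shown here and should be extended to match the platform's own classification.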
Why should Investment Funds be worried?
Given the sensitive nature of this piece of information, funds are directly exposed to the following risks:
- Exposure to non-compliance
- Exposure to security loopholes
- Leakage of Sensitive Information
- Threat to fund’s brand and reputation
- Loss of customer / user trust in brand
We help Investment Funds identify Technology Risks and security loopholes before they invest in start-ups, so that they avoid future risks and ensure the start-up is built on future-proof technology. This helps them de-risk their investments and have more confidence in the investments they make.