So, Exactly What IS Personally Identifiable Information?

I think it’s clear that things are changing. There was an article and project several years back to determine whether you could figure out who someone was by their search terms. Google had published a scrubbed listing of search terms with no (at the time) personally identifiable information. The purpose was to start seeing what people were searching on and that type of thing.

It quickly changed. It turned into a challenge to prove that even search terms can be considered personally identifiable when given comprehensive term listings. Researchers were able to nail down specific users based on the information provided in the searches, down to the address. Think about what you search on over a period of time and it really makes sense.

Does that make your search terms PII? Not in terms of what you’re required to protect today, but yes, they really are.

This leads to my suggestion. I think we need to pay close attention to protecting nearly all information, certainly that "at rest" and stored in our systems. Encrypt, secure and protect that information. I don’t think it’s really going to be acceptable in the very near future to limit the information you’re encrypting.

This has strong implications for our application development. Depending on how you deploy your protection solutions, applications will have to change and become protection-aware. How you search can be impacted (you may have to set up unencrypted information to search on), and how you handle security and access may have to be modified.

Performance tuning will surely be impacted, or at least we’ll be adding variables to the mix. If you don’t have a high-performance solution for data protection, you’ll see it impact your systems. You’ll need to know how to test that impact and how to tune it and what the impact of that tuning is.

I think the short answer is that we’ll soon be protecting *everything* – not just credit card numbers and social security numbers. It’s just too easy to pull different information bits together to get a far-too-complete picture of a person’s identity. We need to protect as best we can, plain and simple.

What do you think? Let me know…

swynk@sswug.org