AEP receives a lot of personal data from customers, employees and business partners. When they share information with us, they expect we are doing everything possible to protect it. We take that responsibility seriously. In 2016, AEP strengthened security around the personal data we hold related to employees, contractors and customers.
In 2015, AEP launched a PII (personally identifiable information) Data Protection Program, which is designed to enhance security around PII that AEP collects in the course of conducting business. In 2016, AEP began blocking outbound emails containing unencrypted PII, installed an access monitoring system on all locations where PII is stored, and implemented a PII asset certification process.
A PII asset is any application, system or physical location where PII resides. The PII certification process resulted in a 28 percent reduction of PII assets across the enterprise. The PII certification will continue as an annual review during which data owners confirm that the PII in their possession is necessary for business and that it is properly protected. In most cases, AEP removed assets because they duplicated information held elsewhere in a more secure manner. Removing unnecessary or duplicate information is an important step in protecting our customers and others, and in reducing our risk of a loss of PII.
In 2017, we launched a Personal Data Portal that allows external sources to share PII securely with AEP, including PII that had previously been transmitted via email or telephone, especially when onboarding contractors. Also in 2017, AEP will complete the process of encrypting all PII when the data is “at rest.”