To add to this (which is excellent btw), we have taken the following measures:
Rate-limiting on admin interfaces and APIs (so a "rogue" human with admin rights can't just suck out PII in bulk).
Access controls on sensitive data and dangerous operations (such as account deletion) that allow these things to be limited to a small number of admin staff.
Ability to mark specific accounts (e.g. celebrities, senior management) as inaccessible by admins, overridable only by special privileges that require sign off.
Regular audit of log files and raw database content to verify that no PII is leaking into uncontrolled areas.
There are probably other measures I can't remember but the basic idea is to throw sand in the face of a potential internal attacker while still allowing legitimate activities to be carried out. In a larger organization you might be able to use ML to detect anomalous admin activity.
Update: I remembered another thing -- don't collect sensitive data that you don't need. I've had several discussions over the years along the lines of "we found that we can get xxx (PII field of some sort, e.g. the user's cell phone number even if they didn't know they gave it to us), where should we store that?". Answer: don't.
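As an added illustration of the first four measures in the post (not the poster's code, and not from any particular product), here is a small Python admin gate that combines a per-admin sliding-window rate limit, a role check per dangerous operation, and a "protected account" rule that only a fresh sign-off from a separate approver can override, plus a crude sweep for PII-looking tokens in log lines. The operation names, roles, approver list and the sample log lines are all constructed for the example.

```python
import re
import time
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class SignOff:
    """Hypothetical sign-off record: who approved access to which account, and until when."""
    approver: str
    target_account: str
    expires_at: float


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical mapping of sensitive operations to the roles allowed to run them.
OP_ROLES = {
    "view_profile": {"support", "trust_safety"},
    "export_pii": {"trust_safety"},
    "delete_account": {"trust_safety"},
}


class AdminGate:
    def __init__(self, max_per_window, window_seconds, protected_accounts,
                 approvers, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.protected = frozenset(protected_accounts)   # e.g. celebrities, senior management
        self.approvers = frozenset(approvers)            # people who may sign off an override
        self.clock = clock
        self._hits = {}      # admin name -> deque of request timestamps
        self.audit = []      # append-only record of every decision, allowed or not

    def check(self, admin, op, target, signoff=None):
        now = self.clock()
        decision = self._decide(admin, op, target, signoff, now)
        self.audit.append((now, admin.name, op, target, decision.allowed, decision.reason))
        return decision

    def _decide(self, admin, op, target, signoff, now):
        # 1. Sliding-window rate limit, charged on every attempt so that even
        #    denied probes consume the caller's budget.
        q = self._hits.setdefault(admin.name, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            return Decision(False, "rate limited")
        q.append(now)
        # 2. The operation must be known and the admin must hold a permitted role.
        allowed_roles = OP_ROLES.get(op)
        if allowed_roles is None:
            return Decision(False, "unknown operation")
        if not admin.roles & allowed_roles:
            return Decision(False, "role not permitted for " + op)
        # 3. Protected accounts need a matching, unexpired sign-off from a
        #    second person who is on the approver list (two-person rule).
        if target in self.protected:
            if signoff is None:
                return Decision(False, "protected account: sign-off required")
            if signoff.target_account != target:
                return Decision(False, "sign-off is for a different account")
            if signoff.approver == admin.name or signoff.approver not in self.approvers:
                return Decision(False, "sign-off must come from a separate approver")
            if now >= signoff.expires_at:
                return Decision(False, "sign-off expired")
        return Decision(True, "ok")


# Crude patterns for a periodic "is PII leaking into logs?" sweep. These are
# constructed for the example; a real deployment would tune them to its own data.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)(?:\+?\d{1,3}[ -]?)?\d{3}[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}


def find_pii(lines):
    """Return (line_number, kind, match) for every PII-looking token in the given lines."""
    hits = []
    for i, line in enumerate(lines, 1):
        for kind, pat in PII_PATTERNS.items():
            for m in pat.finditer(line):
                hits.append((i, kind, m.group(0)))
    return hits


# Constructed sample log lines; lines 2 and 3 leak an e-mail address and a phone number.
SAMPLE_LOG = [
    "INFO request_id=8f3a path=/api/profile status=200",
    "DEBUG lookup ok for user=alice@example.com",
    "WARN sms send failed to +1 555 010 1234: carrier timeout",
    "INFO request_id=8f3b path=/api/profile status=404",
]
```

The gate records every decision, including denials, in `audit`, which is what the "regular audit" measure needs to work from; the rate limit is deliberately counted per attempt rather than per success so that a scripted admin session cannot enumerate targets for free. The two-person rule is what turns "overridable only by special privileges that require sign off" into something the code can actually refuse.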