What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is data that can be used to distinguish an individual’s identity. It includes direct identifiers that pinpoint a person exactly, such as Social Security Numbers (SSNs), and quasi-identifiers such as age, which do not identify anyone on their own but can be combined with other quasi-identifiers, such as gender, to narrow down and eventually determine identity.
Direct identifiers are also classified as sensitive information and quasi-identifiers as non-sensitive information, and the rules governing their use vary with that classification. A more comprehensive list includes:
Identifiers
- Name
- Address
- SSN
- Email address
- Telephone number
- Passport number
- Driver’s license number
- Credit or debit card number
Quasi-Identifiers
- Gender
- Race
- Date of birth
- Place of birth
- Zip code
- Religion
In addition, information that allows an individual to be contacted directly, such as an email address, mobile number, or LinkedIn profile, is also defined as Personally Identifiable Information. PII can be stored online, in paper form, or in other forms of electronic media.
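To show how the quasi-identifiers listed above combine to single out a person, here is an added example (not part of the original page) that measures k-anonymity over a constructed set of records keyed by gender, date of birth, and zip code, and then shows how generalizing those fields (birth year only, zip truncated to three digits) raises the minimum group size. All records and field names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records. Only quasi-identifiers from the page
# (gender, date of birth, zip code) plus a non-identifying attribute are stored.
RECORDS = [
    {"gender": "F", "dob": "1985-03-12", "zip": "02139", "diagnosis": "A"},
    {"gender": "F", "dob": "1985-03-12", "zip": "02139", "diagnosis": "B"},
    {"gender": "M", "dob": "1990-07-04", "zip": "02139", "diagnosis": "C"},
    {"gender": "M", "dob": "1990-11-23", "zip": "02140", "diagnosis": "A"},
    {"gender": "F", "dob": "1978-01-30", "zip": "10001", "diagnosis": "B"},
    {"gender": "F", "dob": "1978-05-17", "zip": "10002", "diagnosis": "C"},
]

QUASI_IDS = ("gender", "dob", "zip")


def quasi_key(record, fields=QUASI_IDS):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Return (k, unique_keys).

    k is the size of the smallest group of records sharing the same
    quasi-identifier combination (k == 1 means at least one person is
    singled out by that combination alone). unique_keys lists every
    combination that occurs exactly once."""
    counts = Counter(quasi_key(r, fields) for r in records)
    k = min(counts.values()) if counts else 0
    unique = sorted(key for key, n in counts.items() if n == 1)
    return k, unique


def generalize(record):
    """Coarsen the quasi-identifiers: keep only the birth year and the
    first three zip digits so that more records fall into each group."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["zip"] = record["zip"][:3] + "**"
    return g


def generalize_all(records):
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("raw:", k_anonymity(RECORDS))                    # k == 1, four singletons
    print("generalized:", k_anonymity(generalize_all(RECORDS)))  # k == 2, no singletons
```

In the raw data four of the six records are uniquely identified by the three quasi-identifiers alone; after generalization every combination is shared by at least two records.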
The Legal Collection and Protection of PII
When we engage online, any information we disclose about ourselves is at risk of being collected and recorded. This includes data we hand over voluntarily, such as when we fill out online forms, and data we offer up under no obligation at all, such as what we post on social media platforms.
Also, we divulge PII when we engage in business or consumer services, such as when we sign up for a bank account or join a retail rewards program. The user agreement defines how the organization can use our personal information based on government and industry laws governing its use and misuse.
Those laws include:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- The California Consumer Privacy Act (CCPA)
- Payment Card Industry Data Security Standard (PCI DSS)
Many local laws, industry standards, and international government rules also include rules about data privacy.
Risks Associated with Personally Identifiable Information
Unfortunately, cybercriminals do not follow these laws, and PII gets stolen and used for nefarious purposes. PII is lost in 52% of data breaches and can be compromised in a myriad of ways, including:
- Physically – People digging through trash or office waste bins often find the discarded sensitive documents they are looking for.
- Phishing and social engineering attacks – By duping us in our inboxes or getting us to click a link in a text or private messaging app, threat actors can route us to deceptive lookalike websites where we’ll accidentally give away our personal information.
- Careless online behavior – Many personal details are swiped from social media platforms where we may unintentionally divulge identifying details about our lives. Even if these are public pieces of information, these quasi-identifiers need only to be corroborated with a stolen password list from the dark web to identify who we are.
Securing PII Properly
Aside from legal protections, there are personal and cybersecurity precautions for keeping PII safe. They include:
Personal Precautions
- Keeping your social security card in a safe place – never in your wallet.
- Destroying paper mail containing personally identifiable information.
- Being judicious about what you post on social media.
- Avoiding links in unsolicited emails – they could be fakes.
Cybersecurity Techniques
- Comply with all data privacy standards.
- Regularly scan for, and patch, vulnerabilities.
- Secure your supply chain to avoid downstream attacks.
- Follow industry guidelines on the collection of sensitive data.
- Have a comprehensive cybersecurity strategy in place.