Personally Identifiable Information (PII)

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is any data that can be used to distinguish or trace an individual’s identity. It includes direct identifiers that pinpoint a person on their own, such as Social Security Numbers (SSNs), and quasi-identifiers such as age, which identify no one in isolation but can be combined with other quasi-identifiers, such as gender and zip code, to single a person out.

Direct identifiers are generally classified as sensitive PII and quasi-identifiers as non-sensitive PII, and the rules governing their collection, storage, and use vary with that classification. A more comprehensive list includes:

Identifiers

  • Name
  • Address
  • SSN
  • Email address
  • Telephone number
  • Passport number
  • Driver’s license number
  • Credit or debit card number

Quasi-Identifiers

  • Gender
  • Race
  • Date of birth
  • Place of birth
  • Zip code
  • Religion

Information that allows an individual to be contacted directly, such as an email address, mobile number, or LinkedIn profile, is likewise treated as Personally Identifiable Information. PII can be stored online, on paper, or on other forms of electronic media.

The Legal Collection and Protection of PII

When we engage online, any information we disclose about ourselves can be collected and recorded. This includes data we hand over voluntarily, such as when we fill out an online form or post on a social media platform under no obligation to share anything at all.

We also divulge PII when we use business or consumer services, such as opening a bank account or joining a retail rewards program. The user agreement defines how the organization may use our personal information, within the limits set by government laws and industry rules governing its use and misuse.

Those laws and standards include:

  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • The California Consumer Privacy Act (CCPA)
  • Payment Card Industry Data Security Standard (PCI DSS), an industry standard enforced by contract with the card brands rather than a law

Many local laws, industry standards, and international government rules also include rules about data privacy.

Risks Associated with Personally Identifiable Information

Unfortunately, cybercriminals do not follow these laws, and PII gets stolen and used for nefarious purposes. PII is exposed in 52% of data breaches and can be compromised in a myriad of ways, including:

  • Physically – Dumpster diving through household trash or office waste bins frequently turns up discarded documents that still carry sensitive data.
  • Phishing and social engineering attacks – By duping us in our inboxes, or getting us to tap a link in a text or private messaging app, threat actors route us to deceptive lookalike websites where we unwittingly hand over our personal information.
  • Careless online behavior – Many personal details are lifted from social media profiles where we unintentionally divulge identifying details about our lives. Even when each detail is public on its own, these quasi-identifiers need only be correlated with one another, or with a credential dump bought on the dark web, to pin down exactly who we are.
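
The re-identification risk behind quasi-identifiers, described in the definition above and again in the “Careless online behavior” point, is easiest to see in code. The following Python is an added example and is not part of the original glossary page: the two record sets are constructed sample data, and the field names, the generalize() helper, and its truncation rules are assumptions chosen for illustration. It shows a linkage attack (joining an “anonymized” release to a public list on zip code, date of birth, and gender), a k-anonymity check that reports how small the worst equivalence class is, and how generalizing the quasi-identifiers raises k and defeats the join.

```python
from collections import Counter, defaultdict

# Constructed sample data (assumption, not from the page): an "anonymized"
# release that removed names but kept quasi-identifiers beside a sensitive
# attribute, the classic shape of a leaked medical or HR extract.
ANONYMIZED_RECORDS = [
    {"zip": "02138", "dob": "1961-07-31", "gender": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1975-02-14", "gender": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1975-02-14", "gender": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1990-11-02", "gender": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1990-11-02", "gender": "F", "diagnosis": "anxiety"},
    {"zip": "02139", "dob": "1961-03-09", "gender": "F", "diagnosis": "arthritis"},
]

# Constructed "public" list (assumption): think voter roll, people-search site,
# or a scrape of social media profiles, where names sit next to the same
# quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02138", "dob": "1961-07-31", "gender": "F"},
    {"name": "Bob Example", "zip": "02138", "dob": "1975-02-14", "gender": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1990-11-02", "gender": "F"},
    {"name": "Dana Example", "zip": "02139", "dob": "1990-11-02", "gender": "F"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "gender")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that a join or grouping keys on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one record is the only one with its combination of
    quasi-identifiers, so anyone who knows that combination has identified it.
    """
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def linkage_attack(anonymized, public, fields=QUASI_IDENTIFIERS):
    """Join the two sets on quasi-identifiers; return {name: diagnosis}.

    Only one-to-one matches are reported: if several anonymized rows or several
    public names share a key, the attacker cannot tell which is which.
    """
    rows_by_key = defaultdict(list)
    for r in anonymized:
        rows_by_key[qi_key(r, fields)].append(r)
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[qi_key(p, fields)].append(p["name"])

    reidentified = {}
    for key, names in names_by_key.items():
        rows = rows_by_key.get(key, [])
        if len(names) == 1 and len(rows) == 1:
            reidentified[names[0]] = rows[0]["diagnosis"]
    return reidentified


def generalize(record, zip_digits=3, year_only=True):
    """Coarsen quasi-identifiers so more people share each combination.

    Truncating the zip code and keeping only the birth year are assumed
    illustrative rules; a real release would tune them to the data.
    """
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    if year_only:
        g["dob"] = record["dob"][:4]
    return g


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(ANONYMIZED_RECORDS))
    print("re-identified:", linkage_attack(ANONYMIZED_RECORDS, PUBLIC_RECORDS))

    gen_anon = [generalize(r) for r in ANONYMIZED_RECORDS]
    gen_pub = [generalize(r) for r in PUBLIC_RECORDS]
    print("k after generalization:", k_anonymity(gen_anon))
    print("re-identified after generalization:", linkage_attack(gen_anon, gen_pub))
```

On the sample data the raw release has k = 1, and the join names two people together with their diagnoses; after truncating the zip code to three digits and reducing the date of birth to a year, every equivalence class has at least two members and the join returns nothing. The check is worth running on any dataset before it is shared as “anonymized”: stripping the name column alone does not make the quasi-identifiers listed above harmless.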

Securing PII Properly

Aside from legal protections, there are personal and cybersecurity precautions for keeping PII safe. They include:

Personal Precautions

  • Keeping your Social Security card in a safe place – never in your wallet.
  • Destroying paper mail containing personally identifiable information.
  • Being judicious about what you post on social media.
  • Avoiding links in unsolicited emails – they could be fakes.

Cybersecurity Techniques

  • Comply with all data privacy standards.
  • Regularly scan for, and patch, vulnerabilities.
  • Secure your supply chain to avoid downstream attacks.
  • Follow industry guidelines on the collection of sensitive data.
  • Have a comprehensive cybersecurity strategy in place.
