Personally Identifiable Information (PII) refers to any information that can be used to identify an individual. It's not just about names and social security numbers. PII encompasses a broad spectrum of data, from addresses and phone numbers to biometric data and online identifiers.
We live in an era where data is the new oil. Everyone, from hackers to businesses, is trying to grab all the information they can. That makes PII a prized possession for both legitimate entities and malicious actors.
This information can lead to identity theft, financial fraud, and other cybercrimes when mishandled or misused. Hence, we must understand what constitutes our PII and how to protect this information.
What is PII?
PII is often categorized into non-sensitive and sensitive. Non-sensitive PII refers to information that can be easily accessed or gathered from public records or directories. This could include your name, company name, or email address.
On its own, non-sensitive PII may not be enough to identify an individual, but when combined with other data, it can.
On the other hand, sensitive PII is information that, when disclosed, could result in harm to the individual, such as identity theft or financial fraud. Examples of sensitive PII include social security numbers, bank account numbers, passport numbers, and biometric data.
This information must be transmitted and stored securely, often encrypted, to prevent unauthorized access.
PII in Information Security Environments
In the realm of information security, PII plays a crucial role. Organizations use the concept of PII to understand which data they store, process, and manage that identifies people. It's not just about having the data but also about recognizing the need for greater security.
For example, companies that store or process PII must comply with heightened security requirements and, in some cases, legal or compliance requirements.
Examples of PII
PII can take many forms. Some common examples include full names, home addresses, email addresses, social security numbers, passport numbers, driver's license numbers, credit card numbers, date of birth, telephone numbers, and biometric data like fingerprints or retina scans.
However, PII is not limited to these examples. Even digital data like IP addresses, login IDs, social media posts, or digital images can be considered PII, as they can be used to trace back to an individual.
The key is that the information can be used to identify, contact, or locate a single person or to identify an individual in context.
How PII is Seen Across Global Borders
The definition of PII varies across different countries and territories, reflecting the diverse legal and cultural contexts in which data privacy laws are formulated.
In the United States, the National Institute of Standards and Technology (NIST) defines PII as information like names, social security numbers, and biometric records, which can distinguish or trace an individual's identity.
The European Union takes a broader approach. Directive 95/46/EC defines “personal data” as information that can identify a person via an ID number or factors specific to physical, physiological, mental, economic, cultural, or social identity.
Australia's Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent or can reasonably be ascertained—a much broader definition than in most other countries.
In New Zealand, the Privacy Act defines “personal information” as any information related to a living, identifiable human being, including names, contact details, financial health, and purchase records.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Privacy Act define “personal information” as data that can identify an individual on its own or combined with other pieces of data.
Industry-Specific Privacy Regulations
Specific industries also have their own data privacy regulations. In the US, the Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare organizations collect and protect medical records and patient PII.
Similarly, the Payment Card Industry Data Security Standard (PCI DSS) is a global financial industry standard for how credit card companies, merchants, and payment processors handle sensitive cardholder information.
Why Legal Definition is Important for PII
These varying definitions significantly affect how PII is handled in different jurisdictions. They influence what kind of data is protected, how it's protected, and the penalties for failing to protect it.
Understanding these differences is crucial for organizations that operate across borders, as they must comply with the data privacy laws of all the countries where they do business.
Information Types That Qualify as PII
As we delve deeper into PII, we must understand that not all PII is created equal. There are different types of PII, each with implications for privacy and security.
According to the National Institute of Standards and Technology (NIST) PII Guide, certain items unequivocally qualify as PII because they can directly identify a human being. These include;
- Full names (if not familiar)
- Home addresses
- Email addresses
- ID numbers
- Passport numbers
- Vehicle plate numbers
- Driver’s licenses
- Fingerprints or handwriting
- Credit card numbers
- Digital identities
- Dates of birth
- Genetic information
- Phone numbers
- Login names or screen names
These are often referred to as “clear identifiers.”
Quasi or Pseudo Identifiers
Beyond these explicit identifiers, “quasi-identifiers” or “pseudo-identifiers” can identify a person when combined with other information. For example, a combination of gender, ZIP code, and date of birth can uniquely identify a significant portion of the population.
Interestingly, a US governmental study found that these three data points could uniquely identify 87% of the US population. While these pseudo identifiers may not be considered PII under United States legislation, they will likely be considered PII in Europe and other regions with more comprehensive data protection laws.
The Fluidity of PII
The categorization of PII is not static. As technology and data analysis techniques evolve, information that was once considered non-identifying can become identifiable. For instance, with the advent of big data and machine learning, patterns and correlations can be drawn from seemingly innocuous data, potentially leading to the identification of individuals.
This fluidity underscores the importance of continually reassessing and updating data protection strategies to ensure they keep pace with the evolving landscape of PII.
Who is Responsible for Protecting PII?
From a legal standpoint, protecting PII often falls on the organization that collects and processes the data. This includes businesses, government agencies, non-profit organizations, and even individuals who collect PII for professional purposes.
These entities must comply with various data protection laws and regulations, including obtaining consent for data collection, limiting data collection to what is necessary, securing the data against unauthorized access, and notifying individuals during a data breach.
Protecting PII is not just a legal obligation or personal responsibility—it's a societal imperative. The misuse of PII can lead to a range of adverse outcomes, from identity theft and financial fraud to the erosion of personal privacy.
What Happens to Companies That Don't Comply With PII Regulations?
Non-compliance with data privacy regulations can have severe consequences for organizations. These can range from financial penalties to reputational damage and loss of customer trust. In some cases, non-compliance can lead to legal action and criminal charges.
Financial penalties can be substantial. For instance, under the GDPR, companies can be fined up to 4% of their annual global turnover or $21.95 million (whichever is greater) for severe infringements. Other regulations, like the CCPA, allow individuals to sue companies for statutory damages in case of a data breach.
Reputational damage can also be significant. In an era where consumers are increasingly concerned about privacy, a data breach can lead to losing customer trust, which can be challenging from which to recover.
Case Study: Amazon's GDPR Violation
A prime example of the consequences of non-compliance is the case of Amazon. In 2021, Amazon was fined a record $888 million by Luxembourg's data protection authority for violating the GDPR.
The fine was issued in response to a complaint that Amazon's advertising practices did not comply with the GDPR's requirements for obtaining consent for data processing. This case underscores the importance of having robust data privacy practices.
How You Can Protect Your PII
While organizations bear significant responsibility for protecting the PII they collect, you, too, play a crucial role in safeguarding your data. As we increasingly live, work, and play in the digital world, it's essential to understand how we can protect our PII from falling into the wrong hands.
Be Selective About Sharing Information
The first step in protecting your PII is to be selective about who you share it with and why. Before providing your PII, ask why it's needed, how it will be used, and how it will be protected. If you're unsatisfied with the answers, consider whether you're comfortable sharing your information.
Use Strong, Unique Passwords
Strong, unique passwords for your online accounts can help protect your PII. Consider using a password manager to help you create and store complex passwords. Also, enable multi-factor authentication whenever it's available for an added layer of security.
Be Wary of Phishing Attempts
Phishing attempts often trick you into providing your PII. Be skeptical of unsolicited communications asking for your PII, especially if they ask for sensitive information like your social security number or bank account details.
Regularly Review Your Privacy Settings
Regularly review and update the privacy settings on your social media accounts, email, and other online platforms. Ensure you only share information with people you trust and that your accounts aren't publicly displaying PII.
Secure Your Devices
Ensure your devices, like smartphones, tablets, and computers, are secured. This includes using strong passwords, keeping your operating system and apps updated, and installing reputable security software.
Use a Virtual Private Network
A Virtual Private Network (VPN) can provide an additional layer of security when browsing the internet, especially when using public WiFi networks. A VPN encrypts your internet connection, making it harder for hackers to intercept and steal your PII.
Final Thoughts: We All Play a Role in Protecting PII
As we navigate the digital landscape of the 21st century, the importance of understanding and protecting PII cannot be overstated. From explicit identifiers to quasi-identifiers, PII forms the backbone of our digital identities, making its protection a societal imperative.
In today's digital world, PII is more than just data—it reflects our identities, lives, and humanity. Let's treat it with the respect and protection it deserves. Guard yours well and be wary of whom you entrust it to in cyberspace.