What is personally identifiable information (PII)?

Personally identifiable information (PII) is information that, when used alone or with other information, can be used to identify an individual. This data can enable the identification of an individual either directly or indirectly with quasi-identifiers and can be found digitally or on paper. 

Characteristics of personally identifiable information are that it: 

• Can be used in conjunction with other data elements to identify an individual 
• Can be used to contact an individual in person or online 
• Directly identifies an individual 

Examples of PII include: 

• Full name 
• Address  
• Phone number 
• Date and place of birth
• Social Security Number  
• Bank account number 
• Biometric records (e.g., fingerprints)  
• Credit or debit card numbers 
• Driver’s license number 
• Email addresses 
• Mother’s maiden name 
• Passport information 

It is worth noting what is not considered to be personally identifiable information. Non-personally identifiable information (non-PII) cannot be used on its own to find or identify a person.  

Examples of non-PII include shared data (e.g., business phone numbers, workplace, and job titles) and anonymized data (e.g., information collected and presented as part of a survey or demographic reports).  

What are direct vs indirect identifiers? 

Direct identifiers

Indirect identifiers

Direct identifiers are unique to an individual and are considered unique enough to determine a person’s identity. Examples of direct identifiers are:  -Names -Address (e.g., street address, city, region, municipality, and zip or postal code)  -Telephone numbers  -Email addresses -Social Security Number -Full-face photographic images    -Biometric data -Bank account numbers -Driver’s license numbers        -Internet protocol (IP) address numbers    -License plate numbers  -Medical records        -Vehicle identification number

Indirect identifiers, also called quasi-identifiers, are not unique to individuals, and a single indirect identifier cannot be used to determine a person’s identity. However, in combination, multiple indirect identifiers could be used to determine a person’s identity. Examples of indirect identifiers include:  -Age -Gender -Date of birth   -Occupation -Approximate location    -Zip code  -Medical diagnosis

Sensitive PII vs non-sensitive PII

There are overlaps between direct identifiers and sensitive personally identifiable information and indirect identifiers and sensitive personally identifiable information. It is important to note that direct identifiers are always considered sensitive, while the sensitivity of indirect identifiers can be context-specific. 

Sensitive PII

Sensitive personally identifiable information is data that directly identifies an individual and could cause significant harm if leaked or stolen. This is information that is not publicly available and, according to multiple laws, should be protected from unauthorized access.  

In addition to legal restrictions, sensitive personally identifiable information is often protected by contractual and ethical requirements. The origin of the term is credited to the 2020 California Privacy Rights Act (CPRA).

Non-sensitive PII 

Non-sensitive personally identifiable information can be easily gathered from public records, websites, and other open sources and would not cause significant harm to a person if leaked or stolen.  

While some privacy laws exclude non-sensitive personally identifiable information from data protection requirements, many organizations choose to secure it, because it can become sensitive personally identifiable information when aggregated with other data.

Sensitive personally identifiable information

Non-sensitive personally identifiable information

Examples of sensitive personally identifiable information include:  -Full name  -Social Security Number  -Account login credentials  -Biometric data    -Credit card information  -Driver’s license number  -Employer Identification Numbers (EINs)    -Financial records  -Government-issued ID numbers  -Medical records  -Passport number  -Password credentials  -School identification numbers and records    -Tax information

Examples of non-sensitive personally identifiable information include:  -Date of birth  -Gender  -Mailing address  -Email address   -Telephone number  -Employment information  -IP address  -Mother’s maiden name  -Place of birth  -Race or ethnicity  -Religion  -Social media posts  -Zip code

PII and data privacy laws

Federal personally identifiable information privacy laws

There is no single federal law governing personally identifiable information in the United States. Following are several laws that make up the patchwork of federal personally identifiable information legislation. 

• Children’s Online Privacy Protection Act (COPPA)
  Regulates how personal information from children under the age of 13 is collected, handled, and used
• Fair Credit Reporting Act
  Directs how credit agencies store, protect data, and share consumers’ credit data 
• Family Educational Rights and Privacy Act (FERPA)
  Protects educational information and related records
• Federal Trade Commission (FTC) Act
  Dictates that organizations must be abundantly clear about what information they will be collecting, particularly when that information may be shared with a third party 
• Gramm-Leach-Bliley Act (GLBA)
  Governs how financial institutions store and regulate access to customers’ data
• Health Insurance Portability and Accountability Act (HIPAA)
  Protects an individual’s medical records with standards for privacy, confidentiality, and consent for sharing
• US Privacy Act 
  Establishes rules for collecting, maintaining, using, and disseminating personally identifiable information by all federal agencies

State personally identifiable information privacy laws

Individual states in the United States have laws that impose requirements on how PII must be handled. These include: 

• California Consumer Privacy Act  
•  Colorado’s Privacy Act  
• Connecticut Personal Data Privacy and Online Monitoring Act  
• Delaware Personal Data Privacy Act  
• Indiana Consumer Data Protection Act  
• Iowa Consumer Data Protection Act  
• Maryland Online Consumer Protection Act  
• Massachusetts Data Privacy Law  
• Montana’s Consumer Data Privacy Act  
• New York Privacy Act  
• Oregon Consumer Privacy Act  
• Tennessee Information Protection Act  
• Texas Data Privacy and Security Act  
• Utah Consumer Privacy Act  
• Virginia Consumer Data Protection Act 

International personally identifiable information privacy laws

Among the international laws protecting the privacy of personally identifiable information are: 

• Australia’s 1988 Privacy Act  
• Brazil’s General Data Protection Law (LGPD)  
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)  
• China’s Personal Information Protection Law (PIPL)
• The European Union’s General Data Protection Regulation (GDPR)  
• India’s Digital Personal Data Protection Bill   

Protecting personally identifiable information

Personally identifiable information must be secured from malicious and accidental unauthorized access. Malicious actors seek out PII for a number of purposes, including committing identity theft to perpetrate additional crimes such as blackmail, and selling it on the dark web, where buyers use it to facilitate scams such as spear phishing for business email compromise attacks. 

Details about commonly cited best practices for protecting personally identifiable information follow. 

Collection and retention minimization policies

The more personally identifiable information an organization has, the greater the risk. Organizations tend to retain information that is not necessary to support their operations. Policies should be put in place to define criteria for collecting and storing PII.  

This should include directives for what data should be collected and retained, including what safeguards are required to protect it. In addition, policies should dictate when and how data should be securely destroyed to minimize PII footprints that put organizations at risk. 

Discovery and classification 

Organizations need to keep track of all personally identifiable information (i.e., on all devices, including servers, workstations, laptops, and removable storage) as well as classify it according to sensitivity. Then, safeguards need to be implemented that are appropriate for the type of data being collected, stored, and transmitted by internal sources (e.g., employees) and any third parties (e.g., partners or vendors). 

Incident response plan for PII leaks and breaches

Organizations should have an incident response plan ready to execute in the event of a data leak or breach. This minimizes the impact on the incident and can facilitate a smoother, faster recovery. Key parts of an incident response plan include: 

• Part one: Planning
  The efficacy of a response to a data privacy compromise incident is preparation. This starts with creating a blueprint for the response that includes roles and responsibilities and the prioritization of actions.
  
  Individuals or teams should be assigned to each of the roles and actions. These teams should consist of stakeholders and representatives from any area of the organization that could be impacted by a data privacy compromise (e.g., human resources, legal, communications, and IT). A leader of the overall effort should also be identified.
  
  The plan should reviewed regularly to confirm that it continues to follow best practices and meet the organization’s requirements.
• Part two: Testing
  Incident response plans should be thoroughly tested. Simulation testing is an effective way to ensure that the elements of the plan work as expected. This way, any deficiencies can be identified and remediated before an incident occurs.  
• Part three: Detection and analysis
  Early detection is also an important part of data privacy incident response. Systems should be in place to quickly identify an attempted attack or a breach to mitigate damage. This can include attack surface management, continuous network monitoring, intrusion detection, and security incident event management (SIEM) tools to identify network vulnerabilities and breaches proactively.
• Part four: Containment, response, eradication, and recovery
  As soon as an incident is detected, the team should have containment plans ready to execute. Many laws have rigid notification timelines. Organizations need to understand what their notification obligations are and have messages ready to send to anyone whose personally identifiable information has been compromised.
  
  Once the situation has been stabilized, efforts should turn to eradication and recovery. For recovery, backups of critical data are crucial.  
• Part five: Post-incident assessments
  In the wake of an incident, a full assessment needs to be completed that considers what worked, what could have worked better, and what failed. Then, learning should be incorporated into an updated incident response plan.

Physical security

While many privacy protection strategies focus on digital safety, it is important not to overlook physical security. All physical points of entry to spaces where personally identifiable information resides should be secured (e.g., locks on file cabinets and windows, as well as strict access controls for all doors).  

Malicious actors regularly use physical security breaches as a means to access both physically and personally identifiable information (e.g., files) and digital information (e.g., laptops and external hard drives).

Privacy frameworks

Privacy frameworks detail processes and systems that can be used to protect PII. These can be created internally, but many organizations leverage privacy and security frameworks that are developed by government agencies, such as the United States National Institute of Standards and Technology (NIST) Privacy Framework, Fair Information Practice Principles (FIPPs), Organization for Economic Co-operation and Development (OECD) Privacy Guidelines, and the International Organization for Standardization (ISO) 27701. US and international laws and regulations also provide data and privacy protection frameworks. 

Privacy protection tools and programs

There are many options for privacy protection solutions. Below are the most commonly used systems and programs to protect personally identifiable information.

• Access controls, including: 
  • Least-privilege that minimizes access so users are limited to the information needed to perform approved tasks and for only as long as necessary 
  • Multi-factor authentication (MFA) 
  • Role-based access controls (RBAC) that grant privileges based on positions and functions 
• Privacy policies and procedures that document the rules for the collection, use, retention, disclosure, and destruction of PII  
• Training that includes instruction on: 
  • How to protect and handle PII 
  • Identifying social engineering attacks, such as phishing 
• Encryption to secure personally identifiable information in transit (e.g., email) and at rest (e.g., in databases, applications, or other storage media) 
• Data anonymization to remove the identifying characteristics of PII using techniques such as stripping identifiers from data, aggregating data, or strategically adding noise to the data 
• Cybersecurity tools: 
  • Anti-virus software 
  • Data loss prevention (DLP) tools 
  • Extended detection and response (XDR) tools 
  • Firewalls 
  • Identity and access management (IAM) systems 
  • Intrusion detection systems (IDS) 
  • Intrusion prevention systems (IPS) 
  • Network security monitoring tools 
  • Password managers 
  • Penetration testing 
  • Security incident event management (SIEM) tools
  • Virtual private networks (VPNs) 
  • Web vulnerability scanning tools 

Risk assessment

On a regular basis, risk assessments should be performed to ensure that privacy protection systems continue to meet compliance requirements and reflect best practices. This is an opportunity to identify gaps or underperforming processes or programs that could put personally identifiable information at risk of compromise.   

Understanding applicable compliance requirements

In addition to protecting PII to meet internal standards, it is important to identify all of the applicable laws and regulations. The number of privacy laws continues to expand, and their reach means that most organizations will be subject to privacy protection requirements for PII.   

Avoid missteps with personally identifiable information

Exposing PII can cause significant harm to individuals, ranging from theft to reputational damage. The volume of sensitive data that is collected and stored continues to grow with no end in sight as smartphones, applications, websites, and social media find new reasons and ways to gather data. Regardless of how or why individuals share PII, it is incumbent on the organization that collects it to protect it.  

Any organization that collects and stores personally identifiable information is subject to multiple laws across the United States and around the world governing its handling. Every one of these organizations must ensure that data protection practices are up to the task of keeping PII secure from unauthorized access. 

You might also be interested in: