Personally identifiable information (PII) in cybersecurity is any data that could potentially identify a specific individual. It is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
As people have come to increasingly rely on information technology in their work and personal lives, the amount of PII that organizations gather grows. For example, companies collect customers’ data to understand their markets. Consumers also readily give out their telephone numbers and home addresses to sign up for services and shop online.
Sharing PII can have its benefits. It allows businesses to tailor products and services to the wants and needs of their customers. This includes serving up more relevant search results in navigation apps. However, the growing storehouses of PII accumulated by organizations attract the attention of cybercriminals. Hackers steal PII to commit identity theft, sell it on the black market, or hold it captive via ransomware.
According to IBM’s Cost of a Data Breach 2022 report, 83% of companies have suffered more than one data breach, with the average breach costing USD 4.35 million. Individuals and information security professionals must navigate a complex IT and legal landscape to maintain data privacy in the face of these attacks.
Understanding PII in cybersecurity
PII is any data that can be used to uniquely identify a person. This includes names, Social Security Numbers (SSNs), addresses, phone numbers, bank account numbers, and more. In short, all of your sensitive personal information falls under this umbrella.
When discussing cybersecurity, protecting PII is paramount. With many businesses storing customer data in their systems or networks, they need to invest in reliable security measures that will protect the data from cyberattacks or other forms of unauthorized access. Without proper protection, criminals can probably gain access to sensitive customer information, leading to identity theft or other serious financial crimes.
The purpose of a PII is to verify the identity of an individual. When a website or business collects and stores an individual’s information, they are essentially creating a digital image of a person that can be used for various purposes, such as to verify the customer’s identity online, track purchases, and even grant access to certain services.
PII is widely applicable in the banking sector. Many financial institutions use your personal information (name, address, SSN) to open accounts and approve loan applications. Therefore, these organizations must protect this sensitive data from unauthorized access or misuse.
PII comes in two types: direct identifiers and indirect identifiers. Direct identifiers are unique to a person and include things like a passport number or driver’s license number. A single direct identifier is typically enough to determine someone’s identity.
Indirect identifiers are not unique. They include more general personal details like race and place of birth. While a single indirect identifier can’t identify a person, a combination can. For example, 87% of U.S. citizens could be identified based on nothing more than their gender, ZIP code, and date of birth.
Personally Identifiable Information (PII) in Privacy Law
PII and similar terms exist in the legislation of many countries and territories:
- In the United States. The National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, social security number, and biometric records, which can be used to distinguish or trace an individual’s identity.
- In the European Union. Directive 95/46/EC defines “personal data” as information that can identify a person via an ID number, or factors specific to physical, physiological, mental, economic, cultural or social identity.
- In Australia. The Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained—a much broader definition than in most other countries.
- In New Zealand. The Privacy Act defines “personal information” as any piece of information that relates to a living, identifiable human being, including names, contact details, financial health, and purchase records.
- In Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA) and Privacy Act define “personal information” as data that on its own, or combined with other pieces of data, can identify an individual.
Examples of PII
The most commonly used PIIs are:
- Name: First, middle and last
- Social Security number (SSN)
- Date of birth
- Credit card information
- Driver’s license number
- Bank account numbers
- Home address and phone number
- Biometric data (fingerprints, voiceprint)
- Passwords
- Security questions and answers
- Online identifiers (ecookies, IP address)
- Sexual orientation
- Sex life
- Medical history
- Genetic data
- Trade union membership
- Religious or philosophical beliefs
- Political opinions
- Ethnic origin
- Race
All of this information is considered sensitive, so it’s important to protect it from unauthorized access. That’s why cybersecurity measures are in place to ensure that only authorized individuals can gain access to this data.
Who is responsible for protecting PII?
From a legal perspective, the responsibility for protecting PII is not solely attributed to organizations; responsibility may be shared with the individual owners of the data. Companies may or may not be legally liable for the PII they hold.
However, according to a study by Experian, 42% of consumers believe it is a company’s responsibility to protect their personal data, and 64% of consumers said they would be discouraged from using a company’s services following a data breach.
In light of the public perception that organizations are responsible for PII, it is a widely accepted best practice to secure PII. A common and effective way to do this is using a Data Privacy Framework.
Sensitive vs. non-sensitive PII
PII can be classified as sensitive and non-sensitive. The non-sensitive PII includes information like your name, address, phone number, and email address. This poses little risk, even if it falls into the wrong hands. However, sensitive PII includes data such as SSNs, bank account details, passwords, biometric data, etc. If stolen or accessed without authorization, it can lead to serious financial crimes, identity theft, etc.
While there are no hard and fast rules on what constitutes sensitive data, an effective strategy is to evaluate whether a piece of certain information can be easily accessed in public databases or phone books. For instance, while an individual’s personal telephone numbers can be considered private data, their names and email addresses from corporate directories can’t necessarily fit into this definition as they are usually available publicly.
According to regulatory standards, all sensitive data must adhere to specific protocols for storage and transfer. To protect this information from malicious third parties, encryption is essential, no matter if the data is at rest (sitting on a drive or in a database) or in motion (traveling across the network).
Not only is a PII subject to regulations but healthcare data and financial data are also safeguarded by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA dictates the cybersecurity protocols for healthcare providers such as physicians, hospitals, dentists, insurance companies, etc., ensuring that all Protected Health Information (PHI) is safely handled.
A business needs to adhere to any of the stringent regulations imposed by governing bodies that oversee financial data, such as the Financial Industry Regulatory Authority (FINRA), and security benchmarks, such as Payment Card Industry Data Security Standard (PCI-DSS), the Sarbanes-Oxley (SOX) Act, the PCI-DSS, etc. If it fails to do so, it will be exposed to punitive fines running into millions of dollars.
When does sensitive information become PII?
Context also determines whether something is considered PII at all. For example, aggregated anonymous geolocation data is often seen as generic personal data because the identity of any single user can’t be isolated. However, individual records of anonymous geolocation data can become PII, as demonstrated by a recent Federal Trade Commission (FTC) lawsuit (link resides outside ibm.com).
The FTC argues that the data broker Kochava was selling geolocation data that counted as PII because “the company’s customized data feeds allow purchasers to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity.”
Advances in technology are also making it easier to identify people with fewer pieces of information, potentially lowering the threshold for what is considered PII in general. For example, researchers at IBM and the University of Maryland devised an algorithm for identifying specific individuals by combining anonymous location data with publicly available information from social networking sites.
How PII is used in identity theft
Several retailers, health-related organizations, financial institutions — including banks and credit reporting agencies — and federal agencies, such as the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), have experienced data breaches that put individuals’ PII at risk, leaving them potentially vulnerable to identity theft.
The kind of information identity thieves are after will change depending on what cybercriminals are trying to gain. By hacking and accessing computers and other digital files, they can open bank accounts or file fraudulent claims with the right stolen information.
In some cases, criminals can open accounts with just an email address. Others require a name, address, date of birth, Social Security number and more information. Some accounts can even be opened over the phone or on the internet.
Additionally, users can lose physical files — such as bills, receipts, physical copies of birth certificates, Social Security cards or lease information — in the event of a burglary. Thieves can sell PII for a significant profit. Criminals may use victims’ information without their realizing it. While thieves may not use victims’ credit cards, they may open new, separate accounts using their victims’ information.
PII laws and regulations
As the amount of structured and unstructured data available keeps mushrooming, the number of data breaches and cyberattacks by actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information.
Government agencies and other organizations must have strict policies about collecting PII through the web, customer surveys or user research. Regulatory bodies are creating new laws to protect consumer data. Users are also looking for more anonymous ways to stay digital.
The European Union’s (EU) General Data Protection Regulation (GDPR) is one of a growing number of regulations and privacy laws that affect how organizations conduct business. GDPR, which applies to any organization that collects PII in the EU, has become a de facto standard worldwide. GDPR holds these organizations fully accountable for protecting PII data, no matter where they might be headquartered.
PII security best practices
As organizations continuously collect, store, and distribute PII and other sensitive data, employees, administrators and third-party contractors need to understand the repercussions of mishandled data and be held accountable. Predictive analytics and artificial intelligence (AI) are in use at organizations to sift through large data sets so that any data stored is compliant with all PII rules.
Additionally, organizations establishing procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor (2FA) and multifactor authentication (MFA).
Other recommendations for protecting PII are:
- encouraging employees to practice good data backup procedures;
- safely destroying or removing old media with sensitive data;
- installing software, application and mobile updates;
- using secure wireless networks, rather than public Wi-Fi; and
- using virtual private networks (VPNs).
To protect PII, individuals should:
- limit what they share on social media;
- shred important documents before discarding them;
- be aware to whom they give their Social Security numbers; and
- keep their Social Security cards in a safe place.
Individuals should also make sure to make online purchases or browse financials on secure HTTP Secure (HTTPS) sites; watch out for shoulder surfing, tailgating or dumpster diving; be careful about uploading sensitive documents to the cloud; and lock devices when not in use.
Recommended Articles
- CIA Triad in Cybersecurity: What Is It & Why Is It Important?
- Managed Cybersecurity Services: All You Should Know
- What is Tailgating in Cybersecurity & How to Prevent It
- Air Gapped Computer: What Is It & How Do You Secure One?
- Best Identity Theft Protection Services 2023
- Network Performance Monitoring: What It Is & All to Know
- Fraud Score: What Is It & How Does It Work?
References
