Personally identifiable information (PII) is data that could identify a specific individual. Information that can be used to distinguish an individual's identity from another or be used to deanonymize anonymous data is also considered PII.
While PII has several formal definitions, think of it as any information that can be used on its own or with other information to identify, contact or locate a particular person.
By understanding the concept of PII, your organization will understand how to use information security to store, process and manage PII data correctly. In most jurisdictions, PII must be protected with additional security requirements and many industries have legal or compliance requirements.
Organizations can't protect PII they don't know about. In this article, we cover a broad definition of PII and as many sources of PII as possible (e.g., databases, shared network drives, backup tapes and third-party risk and fourth-party risk that stem from vendors).
Table of contents
- Who is responsible for safeguarding personally identifiable information (PII)?
- Minimize use, collection and retention of personally identifiable information (PII)
- How to categorize personally identifiable information (PII)
- How to protect personally identifiable information (PII)
- What privacy laws relate to personally identifiable information (PII)?
- What counts as personally identifiable information (PII)?
- What are common personally identifiable information (PII) security controls?
- Use UpGuard to protect personally identifiable information (PII)
From a legal perspective, the responsibility for protecting PII may range from no responsibility to being the sole responsibility of an organization. Generally, the responsibility is shared with the organization holding the PII and the individual owner of the data.
That said, while you might not be legally responsible. Most consumers believe that it is your responsibility to protect their personal data. This means you could suffer from reputational damage even if your organization is not legally responsible. In light of this, it's commonly accepted best practice to protect PII.
The ever increasing occurrence of data breaches involving personally identifiable information (PII) has contributed to billions of dollars of shareholder loss, millions of dollars of regulatory fines and an increased risk of identity theft for the individual's whose sensitive data was exposed. Data breaches are hazardous to individuals and organizations:
- Individual harms: Identity theft, embarrassment or blackmail.
- Organizational harms: Loss of public trust, legal liability, reduced enterprise value, closure of business or remediation costs.
To protect the confidentiality of PII, organizations need to use cyber security risk assessments, third-party risk management, vendor risk management and information risk management. If we guard our public information and sensitive information with equal zeal, we'll expose less public information and more sensitive data. Organizations need to have a risk-based approach to protecting the confidentiality, integrity and accessibility (CIA triad) of its and its customer's PII.
The likelihood of harm caused by a data breach involving PII is reduced when organizations minimize the amount of PII they use, collect and store. Your organization must minimize its requests for PII to only what is absolutely necessary. It should also regularly review what personal information it holds and whether the personal data is still relevant and necessary.
- Review current holdings of PII and ensure it is accurate, relevant, timely and complete.
- Reduce PII holdings to the minimum needed to operate.
- Regularly review PII holdings.
- Establish a plan to remove any unnecessary collection and use of PII.
Like any form of data, not all PII is equal. PII should be evaluated by determining its PII confidentiality impact level.
PII confidentiality impact levels range from low, moderate or high to indicate the potential harm that could result to an individual or organization if the data was accessed, used or disclosed.
Each organization needs to decide on what factors it will use to determine impact levels and then create and operationalize the appropriate policies, procedures and controls. That said, there are six general factors:
- Identifiability: How easy can the PII be used to identify a specific individual?
- Quantity of PII: How many people would be exposed in a data breach?
- Data field sensitivity: How sensitive is each individual PII data element?
- Context of use: How is the PII being collected, stored, used, processed, disclosed or disseminated?
- Obligations to protect confidentiality: Does your organization have any legal or regulatory obligations to protect PII? Obligations include laws, regulations or other mandates like the Privacy Act, General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and OMB guidance
- Access to and location of PII: Who can access the PII and where can they access it from?
Not all data should be protected in the same way. Organizations must apply appropriate safeguards to protect the confidentiality of PII based on how it categorizes PII in its confidentiality impact levels.
Some PII does not even need to be protected. Imagine your organization operates a public phone directory that allows plumbers to share their phone number. In this case, the PII (phone number) does not need to be protected because your organization has permission to release it publicly.
For sensitive PII you do need to protect, you should use operational, privacy-specific and cybersecurity controls such as:
- Policies and procedures: Develop comprehensive policies and procedures to protect the confidentiality of PII.
- Training: Reduce the possibility of unauthorized access, usage or disclosure of PII by requiring all employees receive appropriate training before being granted access to information technology that contains PII.
PII exists in legislation in most countries and territories:
- United States: The National Institute of Standards and Technology (NIST) Guide to Protecting Confidentiality of Personally Identifiable Information defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identify such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any information that is linked or linkable to an individual with additional information, such as protected health information, educational, financial and employment information.
- European Union: Directive 95/46/EC defines personal data as information which can identify a person such as an ID number or factors specific to physical, physiological, mental, economic, cultural or social identity.
- Australia: The Privacy Act 1988 stipulates a number of privacy rights known as the Information Privacy Principles (IPPs). These principles dictate how the Australian Government and businesses can collect PII. It also mandates that Australians have the right to know why information about them is being collected and who will see the information.
- New Zealand: The Privacy Act controls how organizations collect, use, disclose, store and give access to personal information. Their definition of PII is information about identifiable, living people.
- United Kingdom: The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). It dictates that PII must be used fairly, lawfully and transparently; for specified, explicit purpose; in a way that is adequate, relevant and limited to only what is necessary; accurate and where necessary, kept up to date; kept no longer than necessary and handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) ensures that organizations must obtain an individual's consent to collect, use or disclose PII.
Examples of PII include, but are not limited to:
- Name: Full name, maiden name, mother's maiden name or alias.
- Personal identification number: Social security number (SSN), passport number, driver's license number, taxpayer identification number, financial account numbers, bank account number or credit card number.
- Address information: Street address, work address or email address.
- Personal characteristics: Photographic image (especially face or other identifying characteristics), fingerprints, handwriting, retina scan, voice signature, facial geometry or other biometric data.
- Linked or linkable information: Information that is linked or linkable to one of the above categories like date of birth, place of birth, race, religion, ip address, telephone number, social media, political views, weight, activities, geographical indicators, employment information, medical information, education information, financial information or any other unique identifiers.
- Configuration management: One of the most common ways PII is exposed is through a data leak caused by poor configuration of a cloud storage platform like Amazon's S3, check your S3 security permissions or someone else will.
- Data loss prevention: Systems track sensitive data transfers in and out of your organization and identify patterns that may suggest a data breach.
- Data masking: Data is stored and transmitted with only details required for the transaction and nothing more.
- Automated vendor questionnaires: Automatically assessing your third-party vendors' security.
- Data leak detection: Continuously monitor the web for data leaks.
- Credential exposure detection: Continuously monitor the web for leaked credentials.
- Ethical walls: Implement screening mechanisms to limit access to PII that is not relevant to an individual's work.
- Privilege control and monitoring: Monitor privilege changes and excessive, inappropriate or unused privileges.
- PII access monitoring: Monitor access to files and databases containing PII.
- Audit trial archiving: Ensure audit trails are archived securely to ensure data integrity is not compromised.
- User tracking: Track user activity in information systems that contain PII.
- Vendor access monitoring: Monitor contractors and third party vendors access to PII and disable their access if it is not required to complete their job.
- Cyber security ratings: Measure your organization's cyber security rating to understand cybersecurity risk and overall security posture is trending.
- Third and fourth-party cyber security ratings: Monitor your vendors and their vendors cyber security ratings to understand how their overall security posture is trending and their exposure to potential cyber attacks.
- Typosquatting protection: Your customer's PII could be exposed by typosquatting cyber criminals who aim to steal your traffic via typos.
UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their personally identifiable information (PII) and prevent data leaks and breaches.
UpGuard BreachSight's typesquatting module can reduce the cyber risks related to typosquatting, along with preventing breaches, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.
UpGuard's cyber risk research has been featured in the New York Times, Bloomberg, Gizmodo, Forbes and the Washington Post.