Personally identifiable information (PII) is any data that could be used to identify a specific individual. Examples include driver’s license numbers, social security numbers, addresses, full names etc.
PII doesn’t only include obvious links to a person’s identity, such as a driver’s license. Data fragments which, when combined with other data sets, reveal an individual’s identity could also be classified as PII. Even data that could be used in de-anonymization techniques could be considered PII.
By understanding the conditions that warrant a PII classification, your organization will understand how to use information security to store, process, and manage PII data correctly.
You can’t protect PII if you don’t know how to identify it. In this article, we cover a broad definition of PII and outline a framework to help you easily distinguish PII in your IT ecosystem.
What’s the Difference Between Sensitive PII and Non-Sensitive PII?
Sensitive PII includes any data set that includes your full name, address, or financial information. Non-sensitive PII is any generic data accessible from public resources (such as social media profiles) that cannot on its own be used to identify a specific individual, such as a zip code or date of birth.
Non-sensitive data sits in a grey area. While it’s generic enough to apply to a broad segment of the population, it could be used alongside other data sets to reveal an individual’s identity - like multiple puzzle pieces contributing to a developing image.
Because non-sensitive data could still contribute to a broader effort to identify an individual, protecting it with the same degree of security as sensitive PII further reduces your exposure to data privacy law violations.
Examples of Sensitive PII
Sensitive PII includes, but is not limited to, the following unique identifiers:
- Name - Full name, maiden name, mother's maiden name, or alias.
- Address information - Street address, work address or email address.
- Personal identification number - Social security number (SSN), passport number, driver's license number, taxpayer identification number, financial account number, bank account number or credit card number.
- IP addresses - Some jurisdictions even classify IP addresses as PII.
- Medical records.
- Financial information.
- Healthcare information.
Examples of Non-Sensitive PII
Non-sensitive PII is any information that could potentially link to an individual. Examples include:
- Place of birth
- Date of birth
- Religious beliefs
- Zip code
- Mobile numbers
- Telephone number on a public register
How to Categorize Personally Identifiable Information (PII)
Like any form of data, not all PII is equal. PII should be evaluated by determining its PII confidentiality impact level.
PII confidentiality impact levels are low, moderate, or high, indicating the potential harm to an individual or organization if the data is compromised.
Each organization needs to decide on what factors it will use to determine impact levels and then create and operationalize the appropriate policies, procedures and controls. That said, there are six general factors:
- Identifiability: How easily can the PII be used to identify a specific individual?
- Quantity of PII: How many people would be exposed in a data breach?
- Data field sensitivity: How sensitive is each individual PII data element?
- Context of use: How is the PII being collected, stored, used, processed, disclosed or disseminated?
- Obligations to protect confidentiality: Does your organization have any legal or regulatory obligations to protect PII? Obligations include laws, regulations or other mandates such as the Privacy Act, the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and OMB guidance.
- Access to and location of PII: Who can access the PII and where can they access it from?
This classification framework will also inform the definition of your overall risk appetite.
PII can be further broken down into two classification tiers - PII and Sensitive PII.
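The six factors and the two tiers above, worked through as a toy scoring routine that assigns a confidentiality impact level to one PII holding. This is an added example, not code from the original article; the field lists, thresholds and weights are constructed assumptions standing in for the policy each organization has to decide for itself.

```python
from dataclasses import dataclass

# The article's two tiers: direct identifiers vs. fragments that only
# identify someone once several are combined (assumed field names).
SENSITIVE_FIELDS = {"full_name", "street_address", "email", "ssn", "passport",
                    "drivers_license", "bank_account", "credit_card",
                    "medical_record", "ip_address"}
NON_SENSITIVE_FIELDS = {"place_of_birth", "date_of_birth", "religion",
                        "zip_code", "mobile_number", "public_phone"}


@dataclass
class PiiHolding:
    name: str
    fields: set                 # data elements stored for each person
    record_count: int           # quantity: people exposed in one breach
    shared_externally: bool     # context of use: does it leave the org?
    regulated: bool             # legal obligation (GDPR, HIPAA, ...) applies?
    broad_access: bool          # access: beyond need-to-know staff?
    public_by_consent: bool = False  # owner permitted public release


def identifiability(fields):
    """0-3: how easily the fields pin down one person. Any sensitive field
    identifies directly; three or more fragments combine like puzzle pieces."""
    if fields & SENSITIVE_FIELDS:
        return 3
    fragments = len(fields & NON_SENSITIVE_FIELDS)
    if fragments >= 3:
        return 2
    return 1 if fragments else 0


def impact_level(holding):
    """Return 'none', 'low', 'moderate' or 'high' for one PII holding.
    Weights and cut-offs are assumptions, not a standard's values."""
    ident = identifiability(holding.fields)
    if ident == 0 or holding.public_by_consent:
        return "none"  # no PII held, or it is public with permission
    score = ident
    if holding.record_count >= 100_000:      # quantity of PII
        score += 2
    elif holding.record_count >= 1_000:
        score += 1
    score += 1 if holding.shared_externally else 0   # context of use
    score += 2 if holding.regulated else 0           # obligations
    score += 1 if holding.broad_access else 0        # access and location
    if score >= 7:
        return "high"
    return "moderate" if score >= 4 else "low"
```

Note how a holding of three non-sensitive fragments under a regulatory obligation scores the same tier as a single sensitive identifier, which is the "puzzle pieces" argument in numbers.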
Who is Responsible for Safeguarding Personally Identifiable Information (PII)?
In most jurisdictions, PII must be protected with additional security requirements, and many industries have data privacy laws or compliance requirements.
From a legal perspective, the responsibility for protecting PII may range from no responsibility to being the sole responsibility of an organization. Generally, the responsibility is shared with the organization holding the PII and the individual owner of the data.
That said, even if you are not legally responsible, most consumers believe it is your responsibility to protect their personal data. This means you could suffer reputational damage even when your organization is not legally liable. In light of this, protecting PII is commonly accepted best practice.
The ever-increasing occurrence of data breaches involving personally identifiable information (PII) has contributed to billions of dollars of shareholder loss, millions of dollars of regulatory fines and an increased risk of identity theft for the individuals whose sensitive data was exposed. Data breaches are hazardous to both individuals and organizations:
- Individual harms: Identity theft, embarrassment or blackmail.
- Organizational harms: Loss of public trust, legal liability, reduced enterprise value, closure of business or remediation costs.
To protect the confidentiality of PII, organizations need to use cyber security risk assessments, third-party risk management, vendor risk management and information risk management. If we guard public information and sensitive information with equal zeal, we spend effort on information that is already public and leave sensitive data more exposed. Organizations need a risk-based approach to protecting the confidentiality, integrity and availability (the CIA triad) of their own and their customers' PII.
Tips for Securing and Protecting PII
The likelihood of harm caused by a data breach involving PII is reduced when organizations minimize the use, collection, and retention of Personally Identifiable Information.
Your organization must minimize its requests for PII to only what is absolutely necessary. It should also regularly review what personal information it holds and whether the personal data is still relevant and necessary.
- Review current holdings of PII and ensure it is accurate, relevant, timely, and complete.
- Reduce PII holdings to the minimum needed to operate.
- Regularly review PII holdings.
- Establish a plan to remove any unnecessary collection and use of PII.
- Redact PII in documents, images, audio, or video files using tools such as VIDIZMO.
Security policies limiting access to sensitive data, such as the Principle of Least Privilege, will also decrease the potential of its compromise.
Do You Need to Protect All Data Equally?
Not all data should be protected in the same way. Organizations must apply safeguards to protect the confidentiality of PII that are appropriate to the confidentiality impact level they have assigned it.
Some PII does not even need to be protected. Imagine your organization operates a public phone directory that allows plumbers to share their phone number. In this case, the PII (phone number) does not need to be protected because your organization has permission to release it publicly.
However, if a cloud solution has not been given permission to share information, all submitted data would be classified as PII that needs to be protected, even if some of it is currently displayed in public directories.
For sensitive PII you do need to protect, you should use operational, privacy-specific and cybersecurity controls such as:
- Policies and procedures: Develop comprehensive policies and procedures to protect the confidentiality of PII.
- Training: Reduce the possibility of unauthorized access, usage or disclosure of PII by requiring all employees to receive appropriate training before being granted access to information technology that contains PII.
What Privacy Laws Relate to Personally Identifiable Information (PII)?
PII exists in legislation in most countries and territories:
- United States: The National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any information that is linked or linkable to an individual with additional information, such as protected health information, educational, financial and employment information.
- European Union: Directive 95/46/EC defines personal data as information that can identify a person, such as an ID number or factors specific to physical, physiological, mental, economic, cultural or social identity.
- Australia: The Privacy Act 1988 stipulates a number of privacy rights known as the Information Privacy Principles (IPPs). These principles dictate how the Australian Government and businesses can collect PII. The Act also mandates that Australians have the right to know why information about them is being collected and who will see the information.
- New Zealand: The Privacy Act controls how organizations collect, use, disclose, store and give access to personal information. Its definition of PII is information about identifiable, living people.
- United Kingdom: The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). It dictates that PII must be used fairly, lawfully and transparently; for specified, explicit purposes; in a way that is adequate, relevant and limited to only what is necessary; accurate and, where necessary, kept up to date; kept no longer than necessary; and handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) ensures that organizations must obtain an individual's consent to collect, use or disclose PII.
What are Common Personally Identifiable Information (PII) Security Controls?
- Configuration management: One of the most common ways PII is exposed is through a data leak caused by poor configuration of a cloud storage platform like Amazon S3. Check your S3 security permissions, or someone else will.
- Data loss prevention: Systems track sensitive data transfers in and out of your organization and identify patterns that may suggest a data breach.
- Data masking: Data is stored and transmitted with only details required for the transaction and nothing more.
- Automated vendor questionnaires: Automatically assessing your third-party vendors' security.
- Data leak detection: Continuously monitor the web for data leaks.
- Credential exposure detection: Continuously monitor the web for leaked credentials.
- Ethical walls: Implement screening mechanisms to limit access to PII that is not relevant to an individual's work.
- Privilege control and monitoring: Monitor privilege changes and excessive, inappropriate or unused privileges.
- PII access monitoring: Monitor access to files and databases containing PII.
- Audit trail archiving: Ensure audit trails are archived securely so that data integrity is not compromised.
- User tracking: Track user activity in information systems that contain PII.
- Vendor access monitoring: Monitor contractors' and third-party vendors' access to PII and disable that access if it is not required to complete their job.
- Cyber security ratings: Measure your organization's cyber security rating to understand how its cybersecurity risk and overall security posture are trending.
- Third and fourth-party cyber security ratings: Monitor your vendors' and their vendors' cyber security ratings to understand how their overall security posture is trending and their exposure to potential cyber-attacks.
- Typosquatting protection: Your customer's PII could be exposed by typosquatting cyber criminals who aim to steal your traffic via typos.
Use UpGuard to Protect Personally Identifiable Information (PII)
UpGuard monitors the entire attack surface for security risks putting your PII at risk of compromise.
The UpGuard platform scans both the internal and external attack surface for data leaks that facilitate data breaches, software misconfiguration, and other cyber threats, based on the characteristics of over 70 critical attack vectors.
UpGuard helps you identify, address, and continuously monitor emerging security vulnerabilities, keeping PII belonging to you and your vendors safe.