22/06/2025
In today's interconnected world, the concept of data privacy has become paramount. At the heart of this discussion lies Personally Identifiable Information, or PII. Simply put, PII refers to any piece of data that can be used to pinpoint a specific individual, either on its own or when combined with other available information. As our lives become increasingly digital, understanding what constitutes PII and how to protect it is no longer just a concern for IT professionals or government bodies; it's a fundamental aspect of personal security for everyone.
- What Exactly is Personally Identifiable Information (PII)?
- Key Takeaways on PII
- Types of Personally Identifiable Information
- The Role of PII in the Digital Age
- Differentiating Sensitive and Nonsensitive PII
- How to Safeguard Personally Identifiable Information
- Common Methods of PII Theft
- Effective Strategies for PII Protection
- Global Perspectives on PII Regulations
- Personally Identifiable Information vs. Personal Data
- Major Incidents of PII Breaches
- Frequently Asked Questions about PII
- The Bottom Line
What Exactly is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is essentially any data that can uniquely identify an individual. This makes it a prime target for identity theft and various cyberattacks. PII can be broadly categorised into two main types: direct identifiers and indirect or quasi-identifiers.
Direct identifiers are pieces of information that, by themselves, can directly distinguish an individual. Think of your passport number or a unique biometric record like a fingerprint. These are almost foolproof in identifying a single person.
Indirect or quasi-identifiers, on the other hand, are pieces of data that, while not identifying an individual on their own, can be combined with other pieces of information to reveal someone's identity. Examples include your date of birth, race, gender, or even your ZIP code. When aggregated, these seemingly innocuous details can paint a clear picture of who you are.
Key Takeaways on PII
- Personally identifiable information (PII) is any data that can uniquely identify an individual, making it a prime target for identity theft and cyberattacks.
- Sensitive PII includes data such as Social Security numbers and biometric records, while nonsensitive PII might include basic information like an individual's name or ZIP code.
- The proliferation of big data has increased the risk of data breaches, prompting regulatory bodies worldwide to implement laws safeguarding PII.
- Techniques like anonymisation and encryption are crucial for companies to protect their clients' PII when sharing data with other entities.
- High-profile data breaches, such as the Facebook-Cambridge Analytica scandal, highlight the significant legal and reputational consequences for companies failing to protect PII.
Types of Personally Identifiable Information
The scope of PII is extensive and ever-growing. Here's a comprehensive, though not exhaustive, list of what is generally considered PII:
| Category | Examples |
|---|---|
| Identification Documents | Passport information, Driver's license |
| Financial Information | Credit card information, Bank account details, Financial statements |
| Personal Demographics | Full name, Date of birth, Place of birth, Gender, Race, Religion |
| Contact Information | Mailing address, Email address, Phone number |
| Government Identifiers | Social Security number (SSN), National Insurance number (UK equivalent) |
| Health Information | Medical records, Health insurance information |
| Location Data | Home address, IP address (can be PII when linked to an individual) |
| Biometric Data | Fingerprints, Facial recognition data, Retina scans |
| Online Identifiers | Usernames, Passwords (when linked to an account) |
| Other Identifying Data | ZIP code (when combined with other data), Mother's maiden name |
The Role of PII in the Digital Age
The digital revolution has fundamentally reshaped how businesses operate, governments legislate, and individuals interact. The advent of mobile devices, the internet, e-commerce, and social media has led to an unprecedented explosion in the supply of all kinds of data. This phenomenon, often termed 'big data,' is constantly being collected, analysed, and processed by businesses, and frequently shared with other companies. The insights derived from big data enable companies to better understand and interact with their customers, leading to more personalised services and targeted marketing.
However, this wealth of information also presents significant risks. The emergence of big data has unfortunately been accompanied by an increase in data breaches and cyberattacks, as malicious actors recognise the immense value of this information. Consequently, concerns over how companies handle the sensitive information of their consumers have escalated. Regulatory bodies are actively developing new laws to protect consumer data, while individuals are increasingly seeking more private and anonymous ways to navigate the digital landscape.
Differentiating Sensitive and Nonsensitive PII
It's crucial to understand that not all PII carries the same level of risk. PII can be categorised as either sensitive or nonsensitive, with sensitive PII requiring a higher degree of protection.
Sensitive PII
Sensitive personal information includes data that, if compromised, could lead to significant harm, discrimination, or identity theft. This typically includes:
- Full name
- Social Security number (SSN) or equivalent national identifier
- Driver's license number
- Mailing address
- Credit card information
- Passport information
- Financial information (e.g., bank account numbers)
- Medical records and health information
- Biometric data
Companies often employ methods such as encryption and masking to anonymise sensitive PII before sharing it, so that the shared data no longer identifies a person. For instance, insurance companies might mask sensitive PII and share only the data relevant for marketing purposes.
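As an added illustration of the masking step described above (example code, not from the original article or any named insurer), the function below applies a per-field sharing policy to a customer record: keep, mask, drop, or replace with a keyed pseudonym. The policy, key, field names and sample record are all constructed; the pseudonym uses an HMAC rather than the encryption the article mentions, so the partner can link records without receiving the raw identifier.

```python
"""Added example: de-identify a customer record before sharing it with a partner.
Field names, policy, key and the sample record are constructed for illustration."""
import hmac
import hashlib

# Hypothetical per-dataset secret; in practice loaded from a secrets manager and never
# shared with the recipient of the data.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

SHARING_POLICY = {
    "customer_id": "pseudonymise",   # stable linkage token instead of the raw identifier
    "ssn": "drop",                   # never needed for marketing
    "card_number": "mask",           # last four digits only
    "email": "pseudonymise",
    "zip": "keep",
    "policy_type": "keep",
}

def mask(value, visible=4, fill="*"):
    """Keep only the last `visible` characters: 4111111111111111 -> ************1111."""
    return fill * max(len(value) - visible, 0) + value[-visible:]

def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) truncated to 16 hex characters. Normalising case and
    whitespace first keeps the token stable for the same person across exports; the key
    stops a recipient from rebuilding tokens by hashing guessed inputs, which an unkeyed
    hash of a small identifier space would permit."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(record, policy=SHARING_POLICY):
    """Apply the policy; fields absent from the policy are dropped, never leaked by default."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "mask":
            out[field] = mask(value)
        elif action == "pseudonymise":
            out[field] = pseudonymise(value)
        # "drop" and unlisted fields are omitted from the shared record
    return out

if __name__ == "__main__":
    # Constructed record; the free-text "notes" field is not in the policy and must not be shared.
    rec = {"customer_id": "C-1001", "ssn": "123-45-6789", "card_number": "4111111111111111",
           "email": "Jane.Doe@example.com", "zip": "02138", "policy_type": "auto", "notes": "free text"}
    print(deidentify(rec))
```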
Nonsensitive PII
Nonsensitive or indirect PII is generally more accessible from public sources like phone books, corporate directories, and some online databases. Examples include:
- ZIP code
- Race
- Gender
- Date of birth
- Place of birth
- Religion
While this information alone may not directly identify an individual, it is 'linkable'. This means that when nonsensitive data is combined with other personal information, it can contribute to revealing an individual's identity. This process, known as de-anonymisation, is possible when multiple quasi-identifiers are pieced together to identify someone.
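The following added example (not part of the original article) makes the linkability point measurable: it computes the k-anonymity of a small constructed table from the quasi-identifiers ZIP code, date of birth and gender, where k = 1 means some record is unique and could be singled out by linkage, and then shows how generalising those fields raises k. The records, field names and generalisation rules are constructed for illustration.

```python
"""Added example: measure how re-identifiable a table is from its quasi-identifiers,
then generalise the quasi-identifiers and measure again. All data is constructed."""
from collections import Counter

# Constructed sample records: no names or SSNs, only quasi-identifiers plus a sensitive attribute.
RECORDS = [
    {"zip": "02138", "dob": "1965-07-21", "gender": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1965-07-21", "gender": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1971-01-03", "gender": "M", "diagnosis": "flu"},
    {"zip": "02141", "dob": "1971-09-12", "gender": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1980-05-30", "gender": "F", "diagnosis": "flu"},
    {"zip": "02145", "dob": "1980-11-02", "gender": "F", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "gender")

def _classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one record is unique
    on its quasi-identifiers and can be matched to an external source that has them."""
    return min(_classes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids=QUASI_IDENTIFIERS):
    """Fraction of records whose quasi-identifier combination appears only once."""
    counts = _classes(records, quasi_ids)
    unique = sum(1 for r in records if counts[tuple(r[q] for q in quasi_ids)] == 1)
    return unique / len(records)

def generalise(records):
    """Coarsen the quasi-identifiers: ZIP to its first three digits, date of birth to a
    decade, gender suppressed. The sensitive attribute is left untouched."""
    out = []
    for r in records:
        decade = r["dob"][:3] + "0s"            # "1965-07-21" -> "1960s"
        out.append({"zip": r["zip"][:3] + "**", "dob": decade, "gender": "*",
                    "diagnosis": r["diagnosis"]})
    return out

if __name__ == "__main__":
    print("raw table:        k =", k_anonymity(RECORDS), "unique =", unique_fraction(RECORDS))
    gen = generalise(RECORDS)
    print("generalised table: k =", k_anonymity(gen), "unique =", unique_fraction(gen))
```

On the raw table four of the six records are unique (k = 1); after generalisation every record shares its quasi-identifiers with at least one other (k = 2), at the cost of coarser ZIP, age and gender data.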
How to Safeguard Personally Identifiable Information
Protecting PII is a significant concern for individuals, companies, and governments alike. Various data protection laws have been enacted globally to establish guidelines for organisations that collect, store, and share personal information. These regulations often prohibit the collection of sensitive data unless absolutely necessary and mandate the deletion of unnecessary data, while also restricting sharing with untrustworthy sources.
Cybercriminals are constantly seeking ways to breach data systems to access PII, which they then sell on underground digital marketplaces. A stark example occurred in 2015 when the Internal Revenue Service (IRS) in the United States suffered a data breach that resulted in the theft of over 100,000 taxpayers’ PII. Perpetrators used quasi-identifiers stolen from multiple sources to gain access to an IRS website application by answering personal verification questions that should have been known exclusively to the taxpayers.
Fast Fact: Safeguarding PII is not always solely the responsibility of a service provider. In some cases, individuals also play a crucial role in protecting their own information.
Common Methods of PII Theft
Identity thieves employ various tactics to obtain PII. Historically, this included rummaging through trash for discarded mail, which could yield a person's name, address, employment information, banking details, or Social Security numbers.
In the modern era, the internet has become a primary vector for identity theft. Phishing and social engineering attacks are common, where deceptive websites or emails trick individuals into revealing sensitive information such as their name, bank account numbers, passwords, or Social Security numbers. Similar tactics can also be employed through deceptive phone calls or SMS messages.
Effective Strategies for PII Protection
While it's impossible to be completely immune to PII theft, individuals can significantly reduce their risk by minimising opportunities for attackers. Experian suggests several effective strategies:
- Secure your mail: Use a locked mailbox or a P.O. Box to make it harder for thieves to steal your mail. Remove personal identification from junk mail and other documents before discarding them.
- Carry only what's necessary: Avoid carrying your Social Security card or other documents containing sensitive PII in your wallet unnecessarily.
- Strong online security: Use a different, complex password for each online account. This prevents a breach in one account from compromising others.
- Encrypt data: Always encrypt important data stored on your devices.
- Device security: Use passwords or other security measures for your phone and other devices.
- Secure device disposal: When selling or donating a computer, reformat its hard drive to erase all personal data.
Global Perspectives on PII Regulations
The definition and scope of what constitutes PII can vary significantly depending on geographical location. Different regions have adopted various approaches to data privacy:
United States
In the US, the definition of "personally identifiable" was clarified to encompass anything that "can be used to distinguish or trace an individual’s identity," such as name, SSN, and biometrics, either alone or in conjunction with other identifiers like date or place of birth.
Europe
The European Union's General Data Protection Regulation (GDPR), effective from May 2018, expands the definition to include quasi-identifiers. GDPR sets a comprehensive legal framework for collecting and processing personal information of individuals residing within the EU.
Australia
Australia's Privacy Act 1988 regulates the collection, storage, use, and disclosure of personal information by both government and private entities. Amendments also cover the use of healthcare identifiers and the obligations of entities experiencing data breaches.
Canada
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the use of personal information for commercial purposes. It defines personal information as data that can identify you as an individual, either on its own or when combined with other data.
Personally Identifiable Information vs. Personal Data
While often used interchangeably, 'PII' and 'personal data' are not always synonymous. Personal data encompasses a broader range of contexts. For instance, your IP address, device ID numbers, browser cookies, online aliases, or even genetic data can be classified as personal data. Certain attributes like religion, ethnicity, sexual orientation, or medical history might be considered personal data but not necessarily PII if they cannot directly identify an individual.
Major Incidents of PII Breaches
Numerous high-profile data breaches have exposed customer PII, often resulting in substantial fines for the organisations involved. As of October 2023, Didi Global, a Chinese ride-hailing company, received a record fine of 8.026 billion yuan ($1.1 billion) from China’s Cyberspace Administration for breaching national cybersecurity laws. Other notable organisations that have faced significant penalties for inadequate PII protection include Equifax, Amazon, and Meta.
Facebook-Cambridge Analytica Data Scandal
One of the most infamous cases involved Meta (then Facebook). In the 2010s, the profiles of approximately 30 million Facebook users were collected without their consent by Cambridge Analytica. This data was obtained through a researcher from the University of Cambridge who developed a Facebook app disguised as a personality quiz. The app was designed to collect data from those who volunteered, but due to a loophole in Facebook's system, it also accessed data from the friends and family members of the quiz takers. This resulted in the exposure of over 50 million Facebook users' data. Despite Facebook’s prohibition on selling data, Cambridge Analytica proceeded to sell it for political consulting purposes. The fallout was immense, with Facebook incurring billions in legal expenses and facing significant fines, which impacted its operating margin and earnings per share. The scandal also severely damaged its reputation, leading many users to abandon the platform.
Frequently Asked Questions about PII
What Qualifies As PII?
The U.S. government defines PII as "Information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc."
What Is Not PII?
Non-personal data, such as the company you work for, shared data, or anonymised data that cannot be linked back to an individual, is generally not classified as PII.
What Is a PII Violation?
PII violations are illegal activities that often involve fraud, such as identity theft. They can also stem from unauthorised access, use, or disclosure of PII. Furthermore, failing to report a PII breach can also constitute a violation.
What Must You Do When Emailing PII?
Because email is not inherently secure, it's best to avoid emailing PII whenever possible. If it is absolutely necessary, ensure you use encryption or secure verification techniques to protect the data.
What Laws Protect PII?
Various federal and state consumer protection laws protect PII and impose sanctions for its unauthorised use. Examples include the Federal Trade Commission Act and the Privacy Act of 1974 in the United States.
The Bottom Line
Personally identifiable information (PII) is any data that can be used to identify an individual, ranging from their name and address to more sensitive details like passport information and Social Security numbers. This data is a frequent target for identity thieves, particularly in the online realm. Therefore, it is imperative for companies and government agencies to maintain robust security measures for their databases to safeguard this vital information. For individuals, understanding what PII is and how to protect it is a critical step in maintaining personal privacy and security in our increasingly data-driven world.