What is PII?
Personally Identifiable Information (PII) includes personal data that can be used to identify a person, either alone or combined with other information. These data points can include information like:
- home address
- email address
- phone number
- credit card number
- passport number
It can also include less directly identifiable information, like IP address or precise geolocation.
PII is not a specific legal term, though it is fairly commonly used by both government and commercial entities. Data privacy laws commonly reference personal information or personal data, which typically refers to PII.
There are some types of personal information that are not considered PII, like aggregate or demographic information, some information collected by browser cookies, or general geographic information that can’t pinpoint a person’s location. The key aspect of these types of information is that they can’t identify a person.
What is sensitive PII?
Sensitive PII is information that can directly be used to identify an individual. Typically, it’s a specific identifier, like first and last name, or it’s only directly tied to one individual, like a passport number or credit card number.
Sensitive PII requires special consideration and handling under many laws because of the risk of harm to people if it’s compromised or misused. Many data privacy laws specifically define sensitive PII and requirements to protect and handle it.
What is PII in cyber security?
In cyber security, PII refers to any information that can be used to identify, locate, or contact an individual, typically in a digital format and accessed online. This could be for commercial or nefarious purposes, with or without consent. PII in this context can include both sensitive and non-sensitive information that, when combined, can pose a risk to an individual’s privacy or security if it falls into the wrong hands.
How to protect PII?
Organizations should know what PII they collect, store, and share, as well as how and with whom. This should be part of data audits, which should be done regularly to ensure information is up to date and that policies and systems are securely maintained.
PII should be categorized accurately and regularly reviewed. This enables people in organizations to know which data is sensitive, for example. It also enables access control, as individuals can be assigned authorization to access only the categories of data required for their job functions. For example, marketing staff may not have any reason to access customers’ financial details, and support staff may only need to access email address and account history.
Organizations should keep only the amount and types of PII they actively need and are using. Once the processing for which the data was collected has been completed, the PII should be returned or securely destroyed. Data a company no longer holds cannot be exposed in a breach. Some laws do, however, require certain personal data, like financial transaction records, to be kept for a set period.
Organizations need strong, clear policies to determine:
- what PII they need
- how they collect it
- how PII is stored, accessed, and shared
- if consent is needed to collect PII and how it is obtained
- who can access what PII and how
- what are the acceptable uses of PII
- how is unauthorized access or use of PII dealt with
- how is PII disposed of when no longer needed
- how often are audits and security reviews done and with what parameters
- who is responsible for PII security and use
Policies and procedures should cover both employee onboarding and offboarding as well as their authorizations while working for the organization. It is important to securely shut down access for accounts that are no longer needed, e.g. if an employee leaves the organization.
It is also a good idea to ensure a point of contact with the authority to act decisively about PII protection and issues. Who is responsible, who can investigate potential issues, who can remedy a breach, etc.
What is the best protection method for sharing PII?
The best protection methods for storing, enabling access to, and sharing PII combine several security measures and practices. It is important to ensure the availability and integrity of PII being shared, as well as its confidentiality. Protecting personal data should include both technical and human-centric controls.
Access control, often implemented as role-based access control (RBAC), limits access to PII to only those individuals who need it, and only to as much of the data as they need to perform their job functions. Access to sensitive PII should be restricted to explicitly authorized staff only.
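As an added example (not Usercentrics' code) of the categorization and role-based access described above, the following Python assigns every field of a record to a data category, grants each role only the categories its job function needs, and requires an explicit per-user authorization on top of the role grant before a sensitive category such as financial details is shown. Refused fields are written to an audit list so denials can be reviewed. The roles, categories, user names and the sample record are hypothetical values constructed for the example.

```python
"""Category-based access control for PII records (added example, not Usercentrics' code)."""

# Categories treated as sensitive PII (hypothetical scheme).
SENSITIVE_CATEGORIES = {"financial", "government_id"}

# Which data categories each role needs for its job function.
ROLE_CATEGORIES = {
    "marketing": {"email", "marketing_preferences"},
    "support": {"email", "account_history"},
    "finance": {"email", "financial"},
}

# Explicit per-user authorization for sensitive categories, required in addition to the role grant.
SENSITIVE_AUTHORIZED = {
    "financial": {"finance-lead@example.test"},
}

# Constructed sample record: field name -> (category, value). The card number is the
# widely used 4111... test number, not a real card.
SAMPLE_RECORD = {
    "email": ("email", "alice@example.test"),
    "card_number": ("financial", "4111111111111111"),
    "orders": ("account_history", ["order-1", "order-2"]),
    "newsletter": ("marketing_preferences", True),
    "passport": ("government_id", "X1234567"),
}


def may_access(role, user, category):
    """Return (allowed, reason) for one data category."""
    if category not in ROLE_CATEGORIES.get(role, set()):
        return False, "category not granted to role"
    if category in SENSITIVE_CATEGORIES and user not in SENSITIVE_AUTHORIZED.get(category, set()):
        return False, "sensitive category requires explicit authorization"
    return True, "ok"


def filter_record(record, role, user, audit_log=None):
    """Return only the fields this user, acting in this role, may see.

    Each denied field is appended to audit_log (a list) as (user, role, field, reason)
    so refusals can be reviewed during regular audits.
    """
    visible = {}
    for field, (category, value) in record.items():
        allowed, reason = may_access(role, user, category)
        if allowed:
            visible[field] = value
        elif audit_log is not None:
            audit_log.append((user, role, field, reason))
    return visible


if __name__ == "__main__":
    log = []
    for role, user in [("marketing", "m@example.test"), ("support", "s@example.test"),
                       ("finance", "clerk@example.test"), ("finance", "finance-lead@example.test")]:
        print(role, user, sorted(filter_record(SAMPLE_RECORD, role, user, log)))
    for entry in log:
        print("denied:", entry)
```

Note that a finance clerk with the finance role still does not see the card number: the role grant only makes the category eligible, and the explicit allow-list decides. The passport field is visible to nobody here because no role is granted the government_id category at all.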
Multi-factor authentication (MFA)
Also called two-factor authentication (2FA), this requires multiple forms of identification in order to log in to systems where PII is stored. It adds an additional layer of security, for example requiring a username, password, and a uniquely generated code, or biometric data like a fingerprint or retinal scan.
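The "unique generated code" mentioned above is usually a time-based one-time password (TOTP, RFC 6238). As an added example, not code from Usercentrics, the following Python implements the generator with the standard library and a server-side verifier with the two safeguards a practitioner wants: it tolerates one 30-second step of clock drift, and it refuses to accept a code for a time step that has already been used, so a code observed in transit cannot be replayed. The shared secret is the key from the RFC 4226/6238 test vectors; in a real deployment it is generated per user at enrollment and stored encrypted.

```python
"""TOTP second factor with drift tolerance and a replay guard (added example, not Usercentrics' code)."""
import hashlib
import hmac
import struct
import time

# Key from the RFC 4226 / RFC 6238 test vectors; used here only so results are checkable.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Server-side verifier for one user's enrolled secret."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window      # adjacent time steps accepted on each side (clock drift)
        self.last_counter = -1    # highest time-step counter already consumed by a successful login

    def verify(self, code, at=None):
        """Accept the code once, for the current or an adjacent time step."""
        t = int(time.time() if at is None else at)
        base = t // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: treat as a replay
            expected = hotp(self.secret, counter).encode()
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, str(code).encode()):
                self.last_counter = counter  # consume the step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_KEY)
    code = totp(RFC_TEST_KEY, at=59)
    print("code at t=59:", code)                       # 287082 per RFC 6238 test vectors
    print("first use:", verifier.verify(code, at=59))  # True
    print("replay:", verifier.verify(code, at=59))     # False
```

The replay guard is deliberately monotonic: once a step is consumed, no earlier step is accepted either, which also closes the small window in which a code from the previous step would otherwise still be valid after a successful login.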
Strong encryption algorithms should protect PII during storage and sharing. Only with the appropriate keys can someone, authorized or otherwise, access the unscrambled data.
HTTPS, VPNs, SFTP, and other secure protocols help keep data secure when sharing it over networks. This includes emails, web forms, and other modes.
When using email, encryption should always be used, and users should take basic steps like confirming the email address and identity of the recipient. It’s a good idea to confirm receipt, like with delivery and read receipts. Additionally, it is valuable to mark the contents appropriately, like that it’s confidential, should not be shared or forwarded, or that it has attachments that are also confidential.
Data anonymization / pseudonymization
When possible, anonymize or pseudonymize data before it is shared. This removes or replaces identifiable aspects of the data, lowering risk to individuals in case of unauthorized access.
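As an added example (not Usercentrics' code) of pseudonymizing a record before sharing it, the Python below replaces the direct identifier with a keyed HMAC-SHA256 token, which stays stable within one dataset so records about the same person still link, but cannot be reversed without the key, which the data controller keeps. Quasi-identifiers are generalized rather than dropped, in line with the earlier remark that general geographic information which cannot pinpoint a person is not PII: the IP address is cut to its /24 (or /48 for IPv6), the birth date becomes a ten-year age band, and coordinates are rounded to roughly 10 km. The key and the customer record are constructed values.

```python
"""Pseudonymizing and generalizing a record before sharing (added example, not Usercentrics' code)."""
import hashlib
import hmac
import ipaddress
from datetime import date


def pseudonym(key, field, value):
    """Keyed, one-way token for a direct identifier.

    The field name is mixed into the MAC input so the same string appearing in two
    different fields (e.g. an email also used as a username) yields different tokens.
    """
    canonical = value.strip().lower()
    mac = hmac.new(key, field.encode() + b"\x00" + canonical.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def generalize_ip(ip):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def age_band(birth_date, today, width=10):
    """Replace an exact birth date with a width-year age band such as '30-39'."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize_geo(lat, lon, decimals=1):
    """Round coordinates; one decimal place is roughly 10 km, which keeps the region but not the address."""
    return (round(lat, decimals), round(lon, decimals))


def pseudonymize_record(key, rec, today):
    """Transform one customer record (constructed sample layout) into a shareable form."""
    return {
        "subject": pseudonym(key, "email", rec["email"]),
        "ip_prefix": generalize_ip(rec["ip"]),
        "age_band": age_band(rec["birth_date"], today),
        "approx_location": generalize_geo(*rec["geo"]),
        "plan": rec["plan"],  # non-identifying attribute, passed through unchanged
    }


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice: a generated secret kept by the controller
    record = {"email": "Alice@Example.test", "ip": "203.0.113.77",
              "birth_date": date(1990, 5, 20), "geo": (51.50735, -0.12776), "plan": "pro"}
    print(pseudonymize_record(key, record, date(2024, 3, 1)))
```

Two design points worth keeping: the value is canonicalized (trimmed, lower-cased) before hashing so that "Alice@Example.test" and "alice@example.test" map to the same token, and a different key produces an unrelated token set, so two datasets shared with two partners cannot be joined on the pseudonym.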
Secure storage is another place to use encryption, in this case for secure databases or other file systems used to store the PII. Access control also applies here, and firewalls and intrusion detection systems should be in place.
Audits of PII that the organization holds, how it’s stored, how it’s shared, and with whom, should be done regularly. This will surface changes that may not have been accounted for, and identify vulnerabilities in data handling and storage that can be addressed in a timely manner.
Data retention policies
Data that does not exist can’t be breached. Data retention policies determine what data is kept, and for how long. They dictate when and how data is to be returned or destroyed. Securely disposing of data that is no longer needed removes the security risk. These policies also help ensure that the data is accurate and up to date, which is a requirement of many data privacy laws.
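The retention rules in this section and in the earlier point about keeping only needed PII (with the exception for data a law requires to be kept, like financial transaction records) can be enforced mechanically. As an added example, not Usercentrics' code and not legal guidance, the Python below tags each stored record with its category and the date its processing purpose ended, maps categories to a retention period, and computes a disposition: destroy when the period has lapsed, keep while it runs, hold where a statutory retention duty applies (which also blocks early erasure requests), and review for categories the policy does not cover. Categories, periods and records are hypothetical values constructed for the example.

```python
"""Retention-policy enforcement over stored PII records (added example, not Usercentrics' code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_days: int            # days to keep after the processing purpose ended
    legal_hold: bool = False  # True: statutory minimum that also overrides erasure requests


# Hypothetical policy; real periods come from the applicable laws and counsel.
POLICY = {
    "marketing_contact": RetentionRule(keep_days=0),
    "support_ticket": RetentionRule(keep_days=180),
    "financial_transaction": RetentionRule(keep_days=7 * 365, legal_hold=True),
}


@dataclass
class StoredRecord:
    record_id: str
    category: str
    purpose_ended: Optional[date]  # None while the record is still in active use


def retention_expiry(rec):
    """Date from which the record may (or, under legal hold, must) be destroyed.

    Returns None while the record is in use or when its category is not in the policy.
    """
    rule = POLICY.get(rec.category)
    if rule is None or rec.purpose_ended is None:
        return None
    return rec.purpose_ended + timedelta(days=rule.keep_days)


def disposition(rec, today):
    """'keep', 'hold' (statutory retention running), 'destroy', or 'review' (uncovered category)."""
    rule = POLICY.get(rec.category)
    if rule is None:
        return "review"
    if rec.purpose_ended is None:
        return "keep"
    if today >= retention_expiry(rec):
        return "destroy"
    return "hold" if rule.legal_hold else "keep"


def can_honor_erasure_request(rec, today):
    """A subject's erasure request can be honored unless a statutory hold is running;
    uncovered categories go to manual review first."""
    return disposition(rec, today) not in ("hold", "review")


def plan_disposal(records, today):
    """Map record id -> disposition; the 'destroy' entries feed the secure-deletion job."""
    return {r.record_id: disposition(r, today) for r in records}


if __name__ == "__main__":
    sample = [  # constructed records
        StoredRecord("m1", "marketing_contact", date(2024, 5, 31)),
        StoredRecord("s1", "support_ticket", date(2024, 1, 1)),
        StoredRecord("f1", "financial_transaction", date(2020, 1, 1)),
        StoredRecord("x1", "telemetry", date(2023, 1, 1)),
    ]
    for rid, action in plan_disposal(sample, date(2024, 6, 1)).items():
        print(rid, action)
```

Running the disposal plan on a schedule, and logging what was destroyed and when, gives the regular audits described later something concrete to check against.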
Data sharing agreements
If data is shared with third parties, including partners, vendors, or others, it is important to have contractual agreements in place before data processing or sharing. These agreements clearly define data handling and security expectations and procedures for all parties.
It’s important to ensure that all employees with access to PII have training to understand the importance of data protection and best practices. Training should be conducted and repeated regularly to maintain awareness, and should include both technical information about how systems, sharing, and access work, as well as the risks and potential consequences of PII mishandling or unauthorized access.
Incident response plans
If the worst case scenario happens and there is a data breach, it’s important to have a comprehensive plan in place to respond as quickly as possible to notify those affected, as well as relevant authorities in many cases, and re-establish security. Unauthorized access, data breaches, security incidents, and data damage and destruction are all examples of issues that can happen and create liabilities for organizations.
Where should warning statements be placed in emails containing PII?
Many organizations use email extensively as a method of communication, knowledge management, and file sharing, both internally and with external parties. This can be a weak point for PII protection. Sometimes information is shared via email that should not be. Sometimes emails are not encrypted. Sometimes third parties forward on emails with sensitive information, which they should not do.
One thing organizations can do is to include statements in all emails that are sent. The warnings should be clear and prominent. There could be a special warning in the subject line regarding confidentiality or notice that the message contains PII. Individuals can mention at the beginning of the message that PII is included in the email and it should be treated confidentially and not forwarded under any circumstances. The organization can create a boilerplate about confidentiality that is included in every email sent from their domain, e.g. in the email footer.
Individuals can also highlight where or what the PII in an email is, so recipients know what, specifically, needs to be kept confidential, can’t be shared, or is particularly sensitive. Ideally, though, sensitive PII should not be included in an email at all.
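Both ideas in this section, marking messages that carry PII and keeping sensitive PII out of plain email altogether, can be applied at an outbound mail gateway. As an added example, not Usercentrics' code, the Python below uses the standard library's email module: add_pii_markings() puts a confidentiality tag in the subject line and a notice in the footer (and is safe to apply twice), while scan_for_sensitive_pii() flags payment card numbers that pass the Luhn check and US-SSN-shaped numbers, returning redacted findings so a gateway can block or warn before the message leaves. The detectors are deliberately minimal; the sample message is constructed, and the card number is the widely used 4111... test number.

```python
"""Marking PII-bearing email and flagging sensitive PII in the body (added example, not Usercentrics' code)."""
import re
from email.message import EmailMessage

SUBJECT_TAG = "[CONFIDENTIAL - CONTAINS PII]"
FOOTER = ("This message contains personal data. Treat it as confidential and do not forward "
          "the message or its attachments beyond the intended recipients.")

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; rules out most digit runs that are not card numbers (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value):
    """Keep only the last four characters so a finding can be logged without re-exposing the value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_for_sensitive_pii(text):
    """Return a list of (kind, redacted_value) findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", redact(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", redact(m.group())))
    return findings


def add_pii_markings(msg):
    """Tag the subject and append the footer notice; idempotent."""
    subject = str(msg["Subject"] or "")
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    body = msg.get_content()
    if FOOTER not in body:
        msg.set_content(body.rstrip("\n") + "\n\n" + FOOTER)
    return msg


def gateway_decision(msg):
    """'block' if the body carries sensitive PII that must not go out in plain email, else 'allow'."""
    return "block" if scan_for_sensitive_pii(msg.get_content()) else "allow"


def build_sample_message(body, subject="Account details"):
    """Construct a plain-text message the way a mail client would (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "support@example.test"
    msg["To"] = "partner@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    risky = build_sample_message("Card 4111 1111 1111 1111, order ref 1234567890123456, SSN 123-45-6789.")
    print(gateway_decision(risky), scan_for_sensitive_pii(risky.get_content()))
    print(add_pii_markings(build_sample_message("Contact: alice@example.test")))
```

The order reference in the sample is also sixteen digits but fails the Luhn check, so it is not reported; that is the kind of false positive a plain digit-count rule would raise. A pattern check like this is a safety net for the cases the text lists (information that should not have been emailed at all), not a substitute for the encryption and recipient checks described earlier.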
What personal information is protected by the Privacy Act?
While the United States has proposed data privacy legislation multiple times, a comprehensive federal law has not been passed in nearly half a century. In recent years, a number of state-level data privacy laws have been passed and have started going into effect.
The US did pass the federal Privacy Act of 1974, which is limited in scope. It covers information-related practices for the collection, storage, use, and sharing of individuals’ personal information maintained in systems of records by federal agencies.
A system of records contains multiple types of data and likely multiple records about an individual, which use an identifier to link them together, e.g. a name or unique number.
Agencies are required by the Privacy Act to provide public notice of their systems of records. This is done via publication in the Federal Register. Individuals must provide written consent to disclosure of a record about them from the system of records, unless the disclosure meets one of 12 statutory exceptions.
The Privacy Act includes record-keeping requirements for agencies, and provides individuals with the right to gain access to and have their records amended.
What do the modern US data privacy laws say about protecting PII?
Modern US data privacy laws started coming into effect in 2020 with the California Consumer Privacy Act (CCPA). Up to June 2023, 10 comprehensive data privacy laws have been passed at the state level. Two more states have laws considered more limited: the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Florida’s Digital Bill of Rights.
Unlike many other international data privacy laws, the American state-level laws use an opt-out model for consent. Data subjects’ (individuals’) consent is not required before collecting their personal data. A caveat under some laws is that consent is required before collecting personal data categorized as sensitive.
Under some laws consent is also not required before using personal data collected, e.g. selling or sharing. Commonly, though, data subjects must be provided with the option to opt out of the collection, sharing, sale, and/or targeted advertising, profiling, or automated decision-making at any time.
Children’s personal data is largely covered under the federal Children’s Online Privacy Protection Act (COPPA), which is referenced by most US state-level laws with regard to the handling of children’s data. In a number of the state-level privacy laws, children’s data is classified as sensitive by default, so it requires the same handling as that type of PII. What age groups qualify as children can vary, though under age 13 is fairly standard.
Organizations that collect and use PII must have reasonable procedures and policies for protecting and sharing it, as well as contractual agreements with vendors, partners, or any other third parties used for processing. The data controller that initiates the collection and processing of PII is usually ultimately responsible for protecting personal data or any violations of relevant laws, even if the issue arises with a data processor contracted to them.
What is the issue with conventional PII protection solutions?
Commonly used PII protection solutions, like data loss prevention (DLP) technology, can have several weaknesses. Such solutions tend to be designed to prevent intentional leaks of PII and corporate intellectual property. This is done by monitoring incoming and outgoing network traffic, and it works for channels like email or removable storage. But it can’t detect photos taken with an employee’s personal phone, removal of printed documents, or other actions that never touch the network.
A solution designed for intentional leaks also isn’t optimized for unintentional ones, like those caused by poor or outdated security, unpatched software, user error, or social engineering. These are common sources of unauthorized access or data breaches.
What can cybercriminals do with stolen PII?
Data breaches have become unfortunately common, with the stolen PII ranging from names, addresses and email to government ID numbers, financial information, and health records. The consequences for consumers range from mild inconvenience to life-upending criminal victimization.
Phishing / spear phishing
PII can be used to create convincing communications, like emails, text messages, or private messages on social platforms, to trick victims or victims’ contacts into providing even more personal information, like logins or credit card details.
Other social engineering attacks work like phishing: PII can be used to create convincing communications, or to create familiarity, e.g. on a phone call, to trick victims into agreeing to certain actions or providing even more, often more sensitive, personal information.
Stolen personal information can be used to impersonate the victim of theft, and thieves can open new credit cards in the victim’s name, apply for loans, or commit other fraud. Untangling these crimes can take years and ruin people’s credit rating.
Another version of this is to impersonate the victim in medical settings, fraudulently obtaining services, drugs, or insurance coverage. This can also lead to financial liabilities or errors in the victim’s medical records.
Cyberstalking or harassment
Criminals can use the information maliciously, making false claims about the victim, or acting in ways or saying things that look like the victim did it, negatively affecting their work, relationships, or reputation. They can sign the victim up for products or services the victim never asked for, and can get access to additional parts of the person’s life, violating privacy, affecting relationships, even costing the victim their job.
Extortion or ransom
Criminals may threaten to leak the stolen PII, like selling account information or credit card details online, or publishing sensitive stolen information that would be embarrassing or even dangerous for the victim. To stave this off, demands are made for the victim to pay ransom or make other concessions.
Stolen PII can be used to access the victim’s accounts, from social platforms and email accounts to banking and more, enabling criminals to steal more money or information, attempt phishing or fraud on the victim’s contacts, or generally wreak havoc on their lives.
With stolen PII criminals can access accounts, make unauthorized transactions, steal funds, apply for loans or credit cards, and make fraudulent purchases. They could also file fraudulent tax returns or claim refunds on the victim’s behalf, then steal the money.
Stolen identity and other PII can be used to apply for jobs with the victim’s identity, potentially putting the victim at legal risk if the criminal commits illegal activities under the assumed identity while working, e.g. theft, fraud, more data or identity theft, etc.
Conclusion and recommendations for PII protection
Consumers share their data everywhere these days, particularly online. Sometimes it is for specific purposes and they are careful and aware of it, like when it’s for financial or healthcare purposes. Other times they pay little attention to how much information about themselves they share, like on social platforms, and exactly how much that reveals or how it could be used.
Companies need to make a substantial effort to have robust, up to date policies and procedures for personal data protection and use, as they can have access to and store personal data for millions, even billions of people. The costs of failing to adequately protect PII can be far higher than the costs of securing it and ensuring knowledgeable professionals are handling the organization’s security operations.
Fortunately, modern data privacy laws provide a strong framework for organizations to understand their responsibilities and how to meet them. There are sophisticated tools to help automate and manage data protection online. Mostly it’s important for organizations to know which regulations apply to them and the PII under their management, and how to set up robust and sustainable data protection practices.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.