Everything You Need to Know About PII - Personal Identifiable Information
In the digital age we currently live in, topics such as personal data collection are becoming increasingly important. It's no longer the case that large corporations use your personal information just to sell you a product. Today, personal information has become a security issue. Cybercriminals have found that selling Personally Identifiable Information (PII) is a very profitable market, and as a direct consequence, governments around the world have created increasingly stringent regulations for the handling of personal information.

In this article, I'm going to explore everything related to Personally Identifiable Information, from its definition to some of the regulations that currently seek to protect the privacy of individuals.

What is PII?

Everything related to privacy has always been controversial, so it should come as no surprise that the very definition of the term PII is not universally accepted in all jurisdictions.

For example, according to the United States Department of Defense (DoD), PII is defined as the "Information used to distinguish or trace an individual's identity ..." Moreover, the DoD goes further by stating that PII includes any information that is "linked or linkable to a specified individual, alone, or when combined with other personal or identifying information". On the other hand, laws such as the General Data Protection Regulation (GDPR) of the European Union use the term "Personal Data" instead of PII to describe any piece of information that relates to an identifiable person.

In simple terms, it can be said that Personally Identifiable Information (PII) is any type of data that can be used, alone or combined with other relevant information, to identify a specific individual.

What is Considered PII?

Since there is no unanimous opinion about what PII is, there are different opinions about what can be considered Personally Identifiable Information. A classic example has to do with the IP address of a user.
In the European Union, the General Data Protection Regulation (GDPR) adopted in 2018 clearly establishes that the IP address of a subscriber can be classified as personal data. However, in many countries and even in some US states, the IP address may not necessarily be considered part of the PII. Simply put, what is considered PII depends on who you ask, or rather, where you do business.

Despite the discrepancies between the laws of different countries and regulatory entities, in general, the following is considered sensitive PII:

- Full name
- Social Security Number (SSN)
- Driver's license / National Identity Card
- Physical mailing address
- Phone numbers
- Criminal or employment history
- Passport information
- Credit card information
- Financial information
- Medical records

As mentioned above, the EU GDPR is much more inclusive with respect to what is considered sensitive Personal Data and includes a huge number of additional elements such as:

- Email address
- Any online identifier (including but not limited to IP address, login IDs, social media posts, customer loyalty histories, cookie identifiers, etc.)
- Geolocation data
- Biometric data (including but not limited to fingerprints, voiceprints, photographs, video footage, etc.)
- Any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual

Another recent piece of PII legislation, the California Consumer Privacy Act (CCPA), goes even further than the GDPR by including additional data such as:

- Aliases
- Online account names
- Records of personal property
- Purchased products and services
- Purchases or consuming tendencies
- Browsing history
- Search history
- Information regarding users' interaction with websites
- Audio, electronic, visual, thermal, olfactory, or similar information
- Education information that is not publicly available
- Inferred consumer profile including consumers' preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Other types of information that could be used to indirectly identify an individual are also mentioned in most current legislation. Examples of this type of information are:

- Zip code
- Race
- Gender
- Date of birth
- Place of birth
- Religion

Why is PII Important?

Keeping users' personal information safe is a matter of utmost importance. Not only can this information put the person involved at risk, but also the entire organization where that person works. Just stop for a moment to think what cybercriminals can do with this type of information if it is made available to them:

- Identity theft to carry out criminal acts
- Bribes or other types of extortion, targeting both the individual and the company in which she/he works
- Creation of false identity documents
- Theft of funds deposited in banks or other financial institutions
- Access to classified information through the use of biometric data

What is described above only reflects some of the disastrous consequences for those who are the victim of information theft. It is for this reason that PII regulations take the security of private information so seriously. Protecting Personally Identifiable Information (PII) is an obligation of every company that collects this type of data. As a result, huge fines are stipulated for those who fail to comply with these guidelines.

Taking as an example the EU's GDPR, especially severe violations of the regulation can lead to fines of up to 20 million euros or up to 4% of the company's total global turnover of the preceding fiscal year.

Regulatory Compliance and PII

The increasing number of regulations surrounding the use and protection of personal information is a trend that's here to stay. I've already mentioned two of the most relevant regulations, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
However, there are many others, such as the Singapore Personal Data Protection Act (PDPA), Brazil's General Personal Data Protection Law (LGPD), the Health Insurance Portability and Accountability Act (HIPAA), as well as other data protection acts enacted by Australia, Canada, the United Kingdom, New Zealand, and Switzerland, just to mention a few.

What is clear from seeing how these regulations grow both in number and scope is that achieving regulatory compliance should be a huge priority for any online business. The question is, how can this goal be achieved?

For your reference, below I've included a PII compliance checklist to give you an idea of the actions necessary to avoid fines for failure to meet these obligations.

- Identify any data within your organization that could be considered PII, and ensure it is stored in a safe manner.
- If your company offers products or services globally, consider limiting web access to users from jurisdictions where your company does not comply with relevant regulations.
- Minimize the collection and retention of Personal Data, since this reduces the risk of violating any of the current or future laws.
- Anonymise PII data wherever possible.
- Define clear policies and procedures concerning how to handle PII. Once these policies are in use, keep them updated.
- Encrypt databases and/or any other environment where PII is stored.
- Keep your staff aware of the importance of keeping sensitive information secure.
- Use access control policies to limit who can access this type of information.
- Improve and keep data transmission mechanisms updated.
- Perform PII audits on a regular basis.
- Make it easy for users to review, modify, or request the deletion of the data collected about them.

For further reference, as well as PII compliance requirements, a valid option is visiting GDPR's checklist for data controllers or NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

How to Identify PII

Arguably, once the general concept of PII is clear, identifying this type of information is relatively easy, as it only takes common sense to recognize an individual's personal information. However, common sense can be somewhat misleading, especially when different regulations have different views of what should be considered private information. In this sense, it is highly recommended to use specialized PII scanning/discovery tools when auditing your company's data, as they can greatly facilitate this delicate task. These tools not only automate a good part of the process but also help to comply with the different regulations, both by identifying possible vulnerabilities and by offering suggestions regarding the classification of said information.

Tools for Identifying PII

As mentioned in the previous section, PII scanning/discovery tools are very valuable pieces of software that help detect problems in handling sensitive information. Among their main benefits are:

- Comprehensive PII data discovery. Automatically scans cloud storage, workstations, local file shares, mobile devices, and more, in order to locate PII data such as personal, finance, health, and other sensitive information.
- Risk assessment. Identifies potential risks in all digital assets that are not properly protected or reside outside a secure environment.
- Facilitates data management. Filter different types of PII data, organize it according to organization rules/needs, and export it for further analysis.
- Remediate PII issues. Most of these tools offer the possibility of analyzing the flow of data both passively and in real time in order to quarantine all the sensitive information that does not comply with the appropriate security standards.

Conclusion

Personal information has morphed into a glaring security concern that requires vigilance from companies that rely on that data to service their clients. Having awareness of the PII laws and regulations that apply to your company is crucial. There are many tools available to identify sensitive information, but what's usually lacking is the knowledge and desire from companies to protect this valuable information. With personal information becoming more valuable and cyber attacks increasing in the wake of the pandemic, now more than ever organizations need to have solid strategies in place to deal with this growing threat.
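To make the discovery and anonymisation steps discussed above concrete, here is an added illustration (not code from the original article or from any scanning product it mentions) of the core check a PII scanner runs over text: it finds SSN, payment card and email patterns, drops look-alikes that cannot be real (SSA-unissued areas, numbers failing the Luhn checksum), and reports each hit in masked form so the audit report itself does not leak the data. The sample document is constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed sample (no real people): true PII mixed with look-alike noise.
SAMPLE = """Customer: Jane Example, jane@example.org
SSN: 123-45-6789  (000-12-3456 and 666-12-3456 are never issued and must be skipped)
Card: 4111 1111 1111 1111   Order ref: 1234-5678-9012-3456
Ticket 987-65-4321 opened from 203.0.113.7"""

@dataclass
class Finding:
    kind: str    # "SSN", "CARD" or "EMAIL"
    start: int   # character offset in the scanned text
    masked: str  # redacted form, safe to put in an audit report
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues, which cuts false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: passes for real card numbers, fails for most order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the report itself does not leak PII."""
    return "*" * (len(value) - keep) + value[-keep:]

def scan(text: str) -> list[Finding]:
    found = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append(Finding("SSN", m.start(), mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding("CARD", m.start(), mask(digits)))
    for m in EMAIL_RE.finditer(text):
        local, domain = m.group(0).split("@", 1)
        found.append(Finding("EMAIL", m.start(), "*" * len(local) + "@" + domain))
    return sorted(found, key=lambda f: f.start)
```

Running `scan(SAMPLE)` yields exactly three findings (the email, one SSN and one card); the order reference, the unissued SSN areas and the IP address are all ignored, which is the difference between a usable audit and a pile of false positives.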