In the digital age we currently live in, topics such as Personal Data Collection are becoming increasingly important. It’s no longer the case that large corporations use your personal information just to sell you a product.
Today, Personal Information has become a security issue. Cybercriminals have found that selling Personally Identifiable Information (PII) is a very profitable market, and as a direct consequence, governments around the world have created increasingly stringent regulations for the handling of personal information.
In this article, I’m going to explore everything related to Personal Identifiable Information, from its definition to some of the regulations that currently seek to protect the privacy of individuals.
What is PII?
Everything related to privacy has always been controversial, so it should come as no surprise that the very definition of the term "PII" is not universally accepted in all jurisdictions.
For example, according to the United States Department of Defense (DoD), PII is defined as the "Information used to distinguish or trace an individual's identity ..." Moreover, the DoD goes further by stating that "PII includes any information that is linked or linkable to a specified individual, alone, or when combined with other personal or identifying information. "
On the other hand, laws such as the General Data Protection Regulation (GDPR) of the European Union use the term "Personal Data" instead of PII to describe "any piece of information that relates to an identifiable person"
PII stands for Personally Identifiable Information. It is any type of data that can be used to tell who a person is. This data can be used by itself or with other details.
What is Considered PII?
Since there is no unanimous opinion about what PII is, there are different opinions about what can be considered as Personal Identifiable Information.
A classic example has to do with the IP address of a user. In the European Union, the General Data Protection Regulation (GDPR) adopted in 2018 clearly establishes that the IP address of a subscriber can be classified as "personal data".
In some places, an IP address may not be considered personal information. It depends on where you are doing business and who you ask.
Despite the discrepancies between the laws of different countries and regulatory entities, in general, the following is considered sensitive PII:
- Full name
- Social Security Number (SSN)
- Driver’s license / National Identity Card
- Physical mailing address
- Phone numbers
- Criminal or employment history
- Passport information
- Credit Card information
- Financial information
- Medical records
As mentioned above, the EU GDPR is much more inclusive with respect to what is considered sensitive Personal Data and includes a huge number of additional elements such as:
- Email address
Any online identifier (including but not limited to IP address, Login IDs, Social Media Posts, customer loyalty histories, cookie identifiers, etc)
- Geolocation data
- Biometric data (including but not limited to fingerprints, voiceprints, photographs, video footage, etc)
- Any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual
Another recent PII legislation, the California Consumer Privacy Act (CCPA), goes even further than the GDPR by including additional data such as:
- Aliases
- Online Account Names
- Records of personal property
- Purchased products and services
- Purchases or consuming tendencies
- Browsing history
- Search history
- Information regarding user’s interaction with websites
- Audio, electronic, visual, thermal, olfactory, or similar information
- Education information that is not publicly available
Inferred consumer profile including consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Other types of information that could be used to indirectly identify an individual are also mentioned in most current legislations. Examples of this type of information are:
- Zipcode
- Race
- Gender
- Date of birth
- Place of birth
- Religion
Why is PII Important?
Keeping users' personal information safe is a matter of utmost importance. Not only can this information put the person involved at risk, but also the entire organization where that person works at. Just stop for a moment to think what cybercriminals can do with this type of information if it is made available to them:
- Identity theft to carry out criminal acts
- Bribes or other types of extortion both to the individual and to the company in which she/he works
- Creation of false identity documents
- Theft of funds deposited in banks or other financial institutions
- Access to classified information through the use of biometrics data
What is described above only reflects some of the disastrous consequences for those who are the victim of information theft. It is for this reason that PII regulations take the security of private information so seriously. Protecting Personally Identifiable Information (PII) is an obligation of every company that collects this type of data. As a result, huge fines are stipulated for those who fail to comply with these guidelines.
The EU's GDPR law requires companies to protect personal data. If a company breaks this law, they may be fined up to 20 million euros or 4% of their total global earnings from the past year.
Regulator Compliance and PII
The increasing number of regulations surrounding the use and protection of personal information is a trend that’s here to stay. I’ve already mentioned two of the most relevant regulations, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
However, there are many others, such as the Singapore Personal Data Protection Act (PDPA), Brazil's General Personal Data Protection Law (LGPD), the Health Insurance Portability and Accountability Act (HIPAA), as well as other data protection acts enacted by Australia, Canada, the United Kingdom, New Zealand, and Switzerland just to mention a few.
More and more regulations are being made for online businesses. This means it is very important to follow all the rules. The question is, how can you make sure you follow all the rules?
For your reference, below I’ve included a PII compliance checklist to give you an idea of the actions necessary to avoid fees for failure to meet these obligations.
- Identify any data within your organization that could be considered PII, and ensure it is stored in a safe manner
- If your company offers products or services globally, consider limiting web access to users from jurisdictions where your company does not comply with relevant regulations.
- Minimize the collection and retention of Personal Data, since this reduces the risk of violating any of the current or future laws
- Anonymise PII data whether possible
- Define clear policies and procedures concerning how to handle PII. Once these policies are in use, keep them updated
- Encrypt databases and/or any other environment where PII is stored
- Keep your staff aware of the importance of keeping sensitive information secure
- Use access control policies to limit who can access this type of information
- Improve and keep data transmission mechanisms updated
- Perform PII audits on a regular basis
- Make it easy for users to review, modify, or request the deletion of the data collected about them
For further reference, as well as PII compliance requirements, a valid option is visiting GDPR’s checklist for data controllers or NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
How to Identify PII
Arguably, once the general concept of PII is clear, identifying this type of information is relatively easy, as it only takes common sense to recognize an individual's personal information. However, "common sense" can be somewhat misleading, especially when different regulations have different views of what should be considered private information.
In this sense, it is highly recommended to use specialized PII scanning & discovery tools when auditing your company's data, as they can greatly facilitate this delicate task. These tools not only automate a good part of the process but also help to comply with the different regulations, both by identifying possible vulnerabilities and offering suggestions regarding the classification of said information.
