In the digital age we currently live in, topics such as Personal Data Collection are becoming increasingly important. It’s no longer the case that large corporations use your personal information just to sell you a product. Today, Personal Information has become a security issue. Cybercriminals have found that selling Personally Identifiable Information (PII) is a very profitable market, and as a direct consequence, governments around the world have created increasingly stringent regulations for the handling of personal information.
In this article, I’m going to explore everything related to Personally Identifiable Information, from its definition to some of the regulations that currently seek to protect the privacy of individuals.
What is PII?
Everything related to privacy has always been controversial, so it should come as no surprise that the very definition of the term "PII" is not universally accepted in all jurisdictions.
For example, according to the United States Department of Defense (DoD), PII is defined as the "Information used to distinguish or trace an individual's identity ..." Moreover, the DoD goes further by stating that "PII includes any information that is linked or linkable to a specified individual, alone, or when combined with other personal or identifying information."
On the other hand, laws such as the General Data Protection Regulation (GDPR) of the European Union use the term "Personal Data" instead of PII to describe "any piece of information that relates to an identifiable person".
In simple terms, it can be said that Personally Identifiable Information (PII) is any type of data that can be used alone or combined with other relevant information to identify a specific individual.
What is Considered PII?
Since there is no unanimous definition of PII, opinions also differ about what should be considered Personally Identifiable Information.
A classic example has to do with the IP address of a user. In the European Union, the General Data Protection Regulation (GDPR) adopted in 2018 clearly establishes that the IP address of a subscriber can be classified as "personal data". However, in many countries and even in some US states, the IP address may not necessarily be considered part of the PII. Simply put, what is considered PII depends on who you ask, or rather, where you do business.
Despite the discrepancies between the laws of different countries and regulatory entities, in general, the following is considered sensitive PII:
Social Security Number (SSN)
Driver’s license / National Identity Card
Physical mailing address
Criminal or employment history
Credit Card information
As mentioned above, the EU GDPR is much more inclusive with respect to what is considered sensitive Personal Data and includes a huge number of additional elements such as:
Any online identifier (including but not limited to IP address, login IDs, social media posts, customer loyalty histories, cookie identifiers, etc.)
Biometric data (including but not limited to fingerprints, voiceprints, photographs, video footage, etc.)
Any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual
Another recent PII legislation, the California Consumer Privacy Act (CCPA), goes even further than the GDPR by including additional data such as:
Online Account Names
Records of personal property
Purchased products and services
Purchases or consuming tendencies
Information regarding user’s interaction with websites
Audio, electronic, visual, thermal, olfactory, or similar information
Education information that is not publicly available
Inferred consumer profile including consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Other types of information that could be used to indirectly identify an individual are also mentioned in most current legislations. Examples of this type of information are:
Date of birth
Place of birth
Why is PII Important?
Keeping users' personal information safe is a matter of utmost importance. Not only can this information put the person involved at risk, but also the entire organization where that person works. Just stop for a moment to think what cybercriminals can do with this type of information if it is made available to them:
Identity theft to carry out criminal acts
Blackmail or other types of extortion, targeting both the individual and the company she/he works for
Creation of false identity documents
Theft of funds deposited in banks or other financial institutions
Access to classified information through the use of biometrics data
What is described above only reflects some of the disastrous consequences for those who are the victim of information theft. It is for this reason that PII regulations take the security of private information so seriously. Protecting Personally Identifiable Information (PII) is an obligation of every company that collects this type of data. As a result, huge fines are stipulated for those who fail to comply with these guidelines.
Taking the EU’s GDPR as an example, especially severe violations of the regulation can lead to fines of up to 20 million euros or up to 4% of the company’s total global turnover of the preceding fiscal year.
Regulatory Compliance and PII
The increasing number of regulations surrounding the use and protection of personal information is a trend that’s here to stay. I’ve already mentioned two of the most relevant regulations, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). However, there are many others, such as the Singapore Personal Data Protection Act (PDPA), Brazil's General Personal Data Protection Law (LGPD), the Health Insurance Portability and Accountability Act (HIPAA), as well as other data protection acts enacted by Australia, Canada, the United Kingdom, New Zealand, and Switzerland just to mention a few.
What is clear from seeing how these regulations grow both in number and scope, is that achieving regulatory compliance should be a huge priority to any online business. The question is, how can this goal be achieved?
For your reference, below I’ve included a PII compliance checklist to give you an idea of the actions necessary to avoid fines for failure to meet these obligations.
Identify any data within your organization that could be considered PII, and ensure it is stored in a safe manner
If your company offers products or services globally, consider limiting web access to users from jurisdictions where your company does not comply with relevant regulations.
Minimize the collection and retention of Personal Data, since this reduces the risk of violating any of the current or future laws
Anonymise PII data wherever possible
Define clear policies and procedures concerning how to handle PII. Once these policies are in use, keep them updated
Encrypt databases and/or any other environment where PII is stored
Keep your staff aware of the importance of keeping sensitive information secure
Use access control policies to limit who can access this type of information
Keep data transmission mechanisms secure and up to date
Perform PII audits on a regular basis
Make it easy for users to review, modify, or request the deletion of the data collected about them
For further reference on PII compliance requirements, good starting points are the GDPR checklist for data controllers and NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
How to Identify PII
Arguably, once the general concept of PII is clear, identifying this type of information is relatively easy, as it only takes common sense to recognize an individual's personal information. However, "common sense" can be somewhat misleading, especially when different regulations have different views of what should be considered private information. In this sense, it is highly recommended to use specialized PII scanning & discovery tools when auditing your company's data, as they can greatly facilitate this delicate task. These tools not only automate a good part of the process but also help to comply with the different regulations, both by identifying possible vulnerabilities and offering suggestions regarding the classification of said information.
Tools for Identifying PII
As mentioned in the previous section, PII Scanning & Discovery Tools are very valuable pieces of software that help detect problems in handling sensitive information. Among their main benefits are:
Comprehensive PII Data Discovery. Automatically scans cloud storage, workstations, local file shares, mobile devices, and more, in order to locate PII data such as personal, finance, health, and other sensitive information.
Risk assessment. Identify potential risks in all digital assets that are not properly protected or reside outside a secure environment.
Facilitates data management. Filter different types of PII data, organize it according to organization rules/needs, and export it for further analysis.
Remediate PII issues. Most of these tools offer the possibility of analyzing the flow of data both passively and in real-time in order to put in "quarantine" all the sensitive information that does not comply with the appropriate security standards.
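To make concrete what the discovery and remediation steps above do at their core, and what the checklist means by anonymising data, here is an added example in Python. It is not code from the article or from any vendor's product. It scans constructed sample text for four PII shapes (SSN, payment card, email, IPv4 address), confirms card candidates with the Luhn checksum and SSN candidates with the structural rules the SSA publishes so that ordinary order numbers are not reported, treats the IP address as PII or not depending on a flag (the jurisdictional split discussed earlier), and replaces each finding with a keyed HMAC token so that the pseudonymised record can still be joined on a value without revealing it. The pattern set, the Finding type, the function names and the demo key are all assumptions of this example.

```python
"""Minimal PII discovery and pseudonymisation pass over free-text records.
Added illustration for this article, not any vendor's tool; the patterns are
deliberately few and tuned for precision, so a real deployment extends them."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Detection patterns. The card pattern accepts 13-16 digits with optional
# space/dash separators and is confirmed by a Luhn check in find_pii(), so
# plain order numbers of the same length are not reported as card data.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    value: str     # the raw matched text
    start: int     # offsets into the scanned text
    end: int


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000, 666 or 9xx,
    group 00, serial 0000). Structural check only, not a validity lookup."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_pii(text: str, ip_is_pii: bool = True) -> list[Finding]:
    """Return non-overlapping PII findings in `text`, ordered by position.
    `ip_is_pii` models the jurisdictional split: True for a GDPR-style
    reading, False where IP addresses are not treated as personal data."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        if kind == "ipv4" and not ip_is_pii:
            continue
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_valid(value):
                continue
            if kind == "ssn" and not ssn_plausible(value):
                continue
            findings.append(Finding(kind, value, m.start(), m.end()))
    findings.sort(key=lambda f: f.start)
    kept: list[Finding] = []   # drop anything overlapping an earlier finding
    for f in findings:
        if not kept or f.start >= kept[-1].end:
            kept.append(f)
    return kept


def pseudonymize(text: str, key: bytes, ip_is_pii: bool = True) -> str:
    """Replace each finding with a keyed token. A keyed HMAC rather than a bare
    hash, so low-entropy values such as SSNs cannot be recovered by brute
    force without the key, while equal inputs still map to equal tokens."""
    out, cursor = [], 0
    for f in find_pii(text, ip_is_pii):
        token = hmac.new(key, f.value.encode(), hashlib.sha256).hexdigest()[:12]
        out.append(text[cursor:f.start])
        out.append(f"<{f.kind}:{token}>")
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


# Constructed sample record: the card number is the public 4111... test number
# and the other values come from documentation/example ranges, not real data.
SAMPLE_RECORD = (
    "Ticket 4412: customer jane.doe@example.com called from 203.0.113.42 "
    "about card 4111 1111 1111 1111; SSN on file 123-45-6789; "
    "order ref 1234567890123456 (not a card, fails Luhn)."
)

if __name__ == "__main__":
    # Placeholder key for the demo; a real deployment keeps it in a KMS/HSM.
    demo_key = b"replace-with-a-secret-from-your-key-store"
    for f in find_pii(SAMPLE_RECORD):
        print(f"{f.kind:5} at {f.start:3}: {f.value}")
    print(pseudonymize(SAMPLE_RECORD, demo_key))
```

Run as-is it lists the email, IP, card and SSN findings (the 16-digit order reference is not reported because it fails the Luhn check) and prints the record with each finding replaced by a token; passing `ip_is_pii=False` drops the IP address from both outputs. The token is deterministic per key, which is what makes the result pseudonymous rather than anonymous: whoever holds the key can still link records, so the key belongs under the same access controls as the raw data.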
Personal Information has morphed into a glaring security concern that requires vigilance from companies that rely on that data to service their clients. Having awareness of the PII laws and regulations that apply to your company is crucial. There are many tools available to identify sensitive information, but what's usually lacking is the knowledge and desire from companies to protect this valuable information. With personal information becoming more valuable and cyber attacks increasing in the wake of the Pandemic, now more than ever organizations need to have solid strategies in place to deal with this growing threat.