The Ultimate Manual For Personally Identifiable Information (PII)
You can benefit a lot from being as informed as possible about personally identifiable information (PII), especially because of how it relates to data privacy. It’s common for this data to be used for illegal purposes like identity theft and fraud, so protecting it may literally save your life.
So what can you, as an innocent web browser, do to protect yourself? Or if you’re a website owner, how do you protect your users and your company from falling prey to privacy breaches? Read on as we explore PII in more detail and the steps you can take to protect it from bad agents.
What Is Personally Identifiable Information (PII) Anyway?
While Personally Identifiable Information (PII) has several formal definitions, from a general perspective it’s information that organizations can use to identify, contact, or locate a single person—or to identify an individual in context.
In other words, it’s any data that can be used to identify individuals either directly or indirectly.
PII includes direct identifiers (passport information, Social Security number, driver’s license, etc.) that can identify a person uniquely, as well as quasi-identifiers (race, zip code, etc.) that can be combined with other quasi-identifiers (date of birth, gender, etc.) to recognize an individual. We’ll discuss these in more detail later.
The National Institute of Standards and Technology (NIST) explains PII as:
“…any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identify such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any information that is linked or linkable to an individual with additional information, such as protected health information, educational, financial and employment information.”
It’s an organization’s responsibility to ensure compliance with the applicable data protection laws. One of the first steps towards compliance is knowing which data is considered PII (or personal data) and whether it requires additional safeguards.
But as there’s no single source of the PII definition, you should instead use individual assessment to correctly determine what PII is (and what it isn’t).
Just pay attention to the laws, procedures, regulations, and/or standards governing your specific industry or field, and you’ll have a clearer picture.
How Personally Identifiable Information (PII) Works
Technological advancements have forever changed data processing and data handling. Businesses operate differently; governments legislate differently; individuals relate differently. Let’s also not forget digital tools like cell phones, ecommerce, social media, and of course, the internet have caused an explosion in the supply of all kinds of data that are known as big data.
Big data is a wealth of information that is being collected, analyzed, and processed by businesses and shared by other companies to gain key insights into how to improve customer interaction. However, its emergence has also resulted in a corresponding increase in the number of data breaches and cyberattacks by bad actors who realize the value of this information.
The direct result? Regulatory bodies are seeking new laws to protect consumer data while users are trying to figure out anonymous ways to stay digital.
Sensitive Personally Identifiable Information vs. Non-Sensitive Personally Identifiable Information
You can classify PII into two categories: sensitive and non-sensitive.
Sensitive personal information includes legal stats, like full name, driver’s license, Social Security number, meeting address, potential information, passport information, credit card information, medical records, and so on.
Companies that share data about their clients use various anonymization techniques to encrypt and obfuscate the PII, converting it into a non-personally identifiable form. For instance, an organization that shares its clients’ information with a marketing company will anonymize the sensitive PII in the data, leaving out only that information that’s relevant to the marketing company’s goal.
On the other hand, non-sensitive or indirect PII can be accessed from public sources like the internet, phone books, and corporate directories. Some common examples include zip code, gender, race, date of birth, place of birth, and religion.
You may have noticed how the examples include quasi-identifiers—something that can generally be safely released to the public. But this doesn’t mean sensitive information cannot be potentially dangerous.
You see, although non-sensitive information isn’t delicate, it is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual.
Moreover, the de-anonymization and re-identification techniques are more likely to be successful when multiple sets of quasi-identifiers are combined together to distinguish one person from another. For example, experts found that 87% of the US population can be uniquely identified by a combination of gender, ZIP code, and date of birth.
So even if the US legislation doesn’t consider quasi-identifiers as PII, the European legislation may.
Example of a Personally Identifiable Information (PII) Breach
Remember how Facebook fell victim to a major data breach back in 2018? Approximately 50 million Facebook user profiles were collected without Facebook‘s consent by an outside company called Cambridge Analytica.
The outsider company got the data from the social media platform directly through a researcher who worked at the University of Cambridge, who built a personality quiz in the form of a Facebook app that was designed to take the information from those who volunteered to give access to their data for the quiz.
However, not only did the app collect the quiz taker’s data, but it also collected the data of the friends and family members of the quiz takers.
Facebook had a loophole in their system due to which over 50 million Facebook users had their data exposed to Cambridge Analytica without their consent. Even though Facebook banned the sale of their data, Cambridge Analytica turned around and sold the data to political consulting companies.
Now, many other companies will continue looking for ways to harvest data, especially PII. But they should be met with more stringent regulations so that another debacle like Facebook‘s data breach isn’t repeated.
How to Safeguard Your Personally Identifiable Information (PII)
Let’s take a look at how you can secure PII against any loss or compromise by preventing a few preventive and corrective measures.
Step 1: Identify Your PII and Find Where You Store It
The first step is to know whether your company stores or uses PII.
Government agencies can store PII like Social Security numbers, passport details, addresses, and license numbers. On the other hand, vendors can have bank details and login information.
After identifying all the PII data your company has, you have to figure out where you store it. This can include file servers, cloud services, portals, employee laptops, and more. Consider the following:
- Data in Use: The data your employees use to do the job, and that’s typically stored in a non-persistent digital state like RAM.
- Data at Rest: The data stored or archived in locations like hard drives, databases, laptops, web servers, and SharePoint.
- Data in Motion: The data which is transitioning from one location to another, such as data moving from a local storage device to a cloud server, or between two employees via email.
You should consider all three data states to develop your PII protection plan. This will help you decide where the PII lives, how it’s used, and the different systems you need to protect.
Step 2: Classify All Your PII Data Based on the Sensitivity
Next, you have to create a data classification policy to sort your PII data in terms of sensitivity. Since it’s a crucial part of PII protection, you need to do this right.
Consider the following factors to classify your PI data:
- How unique is your data? If even a single record can identify an individual by itself, that data is highly sensitive.
- Can you identify a unique individual by combining two or more pieces of data?
- How many people can access your PII data and how frequently is your data transmitted over networks?
- Is your data subject to any one of the following regulations: PCI DSS, GDPR, HIPAA, HITECH ACT (US), and the Criminal Justice and Immigration ACT (UK)?
After weighing the above factors, you can classify your PII data based on sensitivity. At the very minimum, you should have three levels of data classification:
- Restricted. This includes highly sensitive PII that could cause significant damage if it gets in the wrong hands.
- Private. While not as sensitive as restricted data, private data can still cause a moderate level of damage to the company or individual if it gets compromised.
- Public. Non-sensitive and low-risk data with little to no access restrictions.
Data classification can guide your incident response team during a security breach by informing them about the level of information that was compromised. Be sure to delete any old or unnecessary PII to make it inaccessible to cybercriminals.
Step 3: Devise an Acceptable Usage Policy (AUP)
Not many people do this, but having an AUP can be very helpful to safeguard your sensitive assets.
It should cover things like who can access PII and establish clear ground rules regarding an acceptable way to use PII. Your AUP can also serve as a starting place to build technology-based controls to enforce proper PII access and usage.
Step 4: Encrypt Your PII and Remove Permission Errors
You should always encrypt your PII at rest and in transit to enforce proper PII protection.
We recommend using strong encryption and key management before you share PII over an untrusted network or upload it to the cloud. But, to do this, you’ll need the right set of technical controls. You can also automate the encryption process based on data classification to save time.
Tracking your access control rights should be next on your list.
You should implement and enforce the principle of least privilege when granting access to sensitive data. This will ensure that only those individuals have access to the PII data that need it to do their jobs.
Step 5: Remove Internal Threats in the Form of Departing Employees
Threats to your company’s data can be internal and external.
Disgruntled departing employees are the most common internal threats. It’s why you should work on creating a standardized procedure for departing employees:
- Delete all user accounts and access to the various enterprise systems to completely remove any access to your system.
- Send a legal reminder about the legal responsibilities around PII and other sensitive data.
- Share a copy of a signed confidentiality agreement that covers PII and sensitive data.
Step 6: Educate Employees on the Importance of Protecting PII
Educating employees on the importance of protecting PII is a straightforward and crucial step for PII protection.
As your company’s AUP is a vital part of your employee education program, you should ensure every employee has a copy and signs a statement acknowledging that they agree to follow the policies laid out in the document.
Another excellent tactic is to have an employee education policy on PII protection to instill a sense of ownership in employees, making them think they do indeed have an important role to play in PII protection.
You should also make it easier for employees to report suspicious activity or behavior to management.