What is PII?
Personally identifiable information, or PII, is a common term in information security and privacy law denoting any information that can be used to identify an individual – alone or in context with other information. PII can be used by hackers and malicious parties to steal or exploit an individual’s identity, and with the high frequency of data breaches in the news, people are asking what they can do to protect their PII.
PII is not a new term; in fact, it’s used in official government memoranda at least as early as 2007. But identifying and protecting PII has recently become a much more common topic as the Internet has woven itself deeper and deeper into our daily lives, making data security far more complex. PII is notoriously difficult to define, since some information is identifying only in context with other pieces of information. The Office of Management and Budget states that determining PII requires case-by-case assessment with the understanding that “non-PII can become PII whenever additional information is made publicly available.” Despite this ambiguity, PII is generally considered to include any pieces of information that can be tied back to an individual, such as the following:
- Full name
- Social Security Number
- Passport number
- Home address
- Driver’s license number
- Phone number
- Credit card number
- Email address
- Biometric records (like a fingerprint)
- Date and place of birth
- Mother’s maiden name
How can PII be stolen?
Hackers and thieves can obtain access to PII in a frightening number of ways. There are more “old school” methods, such as rummaging through your trash, seeing open files on your computer, or stealing your wallet, cell phone, laptop, flash drive, etc. And then there are the more technological methods that we’ve seen lead to larger-scale data breaches, like putting malware on point-of-sale systems or hacking into employee accounts to steal customer information. However they get the information, hackers really only need a password, credit card, or Social Security Number to steal your identity, and even with just an email address, they can send malware or phishing emails to try to obtain additional information they need.
Once hackers or thieves have your PII, they can then exploit that sensitive information by using it to make purchases using your account information, guess answers to your account security questions, or conduct illegal activity under your name. They can also sell your information on any of the black markets that specifically cater to the buying and selling of PII. These underground markets are where cybercriminals go to trade data and where spammers and botnet operators go to buy data they can leverage to make more money.
How can you protect your PII?
The National Institute of Standards and Technology describes the theft of PII as “hazardous to both individuals and organizations,” leading to identity theft, blackmail, or embarrassment for an individual, as well as loss of trust, legal repercussions, or financial liability for organizations. The past year has seen unprecedented numbers of data breaches resulting in the widespread leakage of PII – Target, Home Depot, JPMorgan Chase, Anthem, and Uber, to name just a small sampling. These breaches resulted in stolen identities, customer dissatisfaction, card replacement costs, lost business, and countless other negative consequences. So what can you do as an individual and as an organization to protect PII and avoid the repercussions of a data breach?
The Federal Trade Commission’s consumer guide provides suggestions for how individuals can better protect their PII:
- Lock up financial documents and records, and don’t leave information up on your computer or out in the open
- Don’t put sensitive information in voicemail messages, emails, text messages, etc.
- Use strong passwords and change them frequently, or use a password encryption application
- Before giving out PII, ask the person/organization requesting it why they need it and what they will do to protect it
- Use encryption software to safeguard online transactions
- Minimize what you share on social media and limit who can view it
- Be careful what you send over public Wi-Fi
- Use and maintain anti-virus software and a firewall
Organizations can choose from many different security procedures that best fit their needs, but erring on the side of being more secure is usually the best practice. The FTC offers a number of security policies for businesses, including:
- Review all current PII being stored for relevance; if you don’t need it or haven’t used it, discard it safely to decrease liability
- Do not collect PII from employees or customers unless it is absolutely necessary for business functions, especially when it comes to collecting Social Security Numbers
- For the PII that is necessary to collect, make sure access is limited to only the necessary employees, and keep a record of who has access at what time
- Secure documents, CDs, flash drives, backups, etc. with PII in locked file cabinets or secured network drives
- Require employees to clear desks of any company documents and log off of computers before leaving
- Encrypt information sent to third parties via public networks, email transmissions containing PII, and sensitive information stored on networks or disk drives
- Maintain up-to-date anti-virus software on all network computers and servers
- Educate employees on all policies and schedule regular reviews to enforce policy adherence
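The retention review recommended above starts with finding out where PII actually sits. As an added example (not from the article or the FTC), the Python script below scans text for three structured PII types from the list earlier on the page (Social Security Numbers, credit card numbers, email addresses), applies a plausibility check so look-alike numbers are not flagged, and redacts what it finds. The patterns, validation rules and the sample record are constructed for this example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed record standing in for a stored customer note. The second "SSN"
# has an area number the SSA never issues; the second card fails the Luhn check.
SAMPLE_RECORD = (
    "Customer Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, "
    "email jane.doe@example.com; ticket 000-12-3456 is not an SSN; "
    "order 1234 5678 9012 3456 fails Luhn."
)

# Candidate patterns for three structured PII types from the list above.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a card number candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(candidate: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    area, group, serial = (int(p) for p in candidate.split("-"))
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "ssn": plausible_ssn,
    "credit_card": luhn_ok,
    "email": lambda _: True,     # a syntactic match is enough for this example
}


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every validated PII candidate in text."""
    return [(kind, m.group(0)) for kind, pattern in PATTERNS.items()
            for m in pattern.finditer(text) if VALIDATORS[kind](m.group(0))]


def redact_pii(text: str) -> str:
    """Replace validated candidates with a type marker; leave look-alikes untouched."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: f"[{k.upper()}]" if VALIDATORS[k](m.group(0)) else m.group(0), text)
    return text
```

Running `find_pii(SAMPLE_RECORD)` reports the SSN, the card and the email, while the invalid SSN and the card that fails Luhn are left alone by `redact_pii`.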
For more information on protecting PII: