Protecting Personally Identifiable Information (PII)
Personally identifiable information (PII) is any data that could potentially identify a specific individual or be used to deanonymize previously anonymous data. PII may be used alone or in tandem with other relevant data to identify an individual. An example would be combining a direct identifier (e.g., passport information) with quasi-identifiers (e.g., race and date of birth) to identify an individual.
In the United States, no single law or regulation defines PII. Instead, PII protection falls under numerous federal and state laws and sector-specific regulations that define and classify different pieces of information under the PII umbrella. In the European Union, PII is referred to as personal data and is clearly defined by the General Data Protection Regulation (GDPR) and accepted as law across the European Union (EU).
The most common definition in the United States is provided by the National Institute of Standards and Technology (NIST). “PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Let’s jump in and learn:
Who Is Responsible for Safeguarding PII?
The responsibility for protecting PII is shared, which makes it complicated. Organizations and individual data owners bear some responsibility for safeguarding PII. The challenge for organizations is that public perception is that the organizations are solely responsible for protecting individuals’ data.
Despite individuals having responsibility for their PII, more than three-quarters of U.S. consumers report that they would stop engaging online with a brand that had experienced a data breach. Regardless of the responsibilities for individuals, under most privacy legislation, the final legal responsibility for protecting PII falls explicitly on the organization that controls the PII—even though multiple organizations could hold the same data.
For an organization that holds PII, real issues arise when there is a data breach. In this case, even if other organizations hold the same information, the one that was attacked is held liable.
Some privacy legislation mandates that companies designate specific individuals to be responsible for the handling of PII. For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires that companies nominate a specific privacy officer for developing and implementing privacy policies. And, GDPR defines several roles that are responsible for ensuring compliance:
- Data subject—the individual whose data is collected
- Data controller—the organization that collects the data
- Data processor—an organization that processes data on behalf of the data controller
- Data protection officer or DPO—an individual at controller or processor organizations who is responsible for overseeing GDPR compliance
Consequences of Lost PII
The consequences for organizations that have lost PII due to data breaches are severe. Challenges related to lost PII include:
- Compensation to victims for their damages and financial obligations from resulting lawsuits
- Financial losses, which can be significant
- Identity theft
- Impact on the organization’s reputation
- Increased regulatory burden for notification of individuals whose data has been compromised
- Regulatory penalties
- Repercussions related to contractual obligations (e.g., business contracts, planned sale of a company)
How Organizations Can Protect PII
- Answer the following questions:
- Who sends PII to your company?
- How does your business receive PII?
- How is PII used, and by whom?
- What kind of PII do you collect at each entry point?
- Where do you keep the PII you collect?
- How is PII stored?
- Who has access to that PII?
- Classify all data
- Restricted (highly sensitive PII)
- Private (sensitive PII)
- Public (non-sensitive PII)
- Connect with secure wireless networks, rather than using public Wi-Fi
- Create standardized procedures for departing employees, including:
- Revoke all access to systems and applications
- Remind them of legal responsibilities around PII
- Share a copy of the confidentiality agreement they signed when they started
- Destroy or remove old media with sensitive data
- Determine what PII compliance requirements must be followed, such as:
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Health Insurance Portability and Accountability Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Family Educational Rights and Privacy Act (FERPA)
- The Privacy Act of 1974
- Develop employee training around PII
- Eliminate permission errors
- Encourage sound data backup procedures
- Encrypt PII—for data in transit and at rest
- Establish an incident response and recovery plan
- Establish an easy way for employees to report suspicious behavior anonymously
- Enable and maintain a data privacy program
- Install software, application, and mobile updates, as soon as possible
- Keep only the PII absolutely needed and only for as long as it is needed
- Make an inventory of all company-owned and Bring Your Own Device (BYOD) computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to find out where PII is stored
- Train team members to protect their own PII
- Set up an acceptable usage policy for PII
- Update security policies and PII safeguards
- Use virtual private networks (VPNs)
Personally Identifiable Information and Big Data
All big data sources and the use of big data should be protected just like any other sensitive PII. This is because even seemingly non-sensitive information can become sensitive PII when processed and correlated with other data sources. In addition, the inherent nature of big data (i.e., characterized by volume, velocity, and variety) makes it unwieldy and risky from a privacy perspective.
The value associated with big data also makes it a target for sophisticated cybercriminals who seek caches of PII. They use it to mine for sensitive PII as well as to fuel engines that are focused on deanonymizing sensitive PII.
Sensitive vs. Non-Sensitive Personally Identifiable Information
All PII is not the same. There are two types of PII—sensitive PII and non-sensitive PII.
Non-sensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. This information can be easily gathered from public records, phone books, corporate directories, and websites. Non-sensitive PII is information that, by itself, could not be used to discern an individual’s identity. Examples of non-sensitive PII include:
- Age range (e.g., 30-40 years old)
- Aggregated statistics on the use of a product or service
- Country
- City
- Gender
- Job position or career information
- Just first or last name, not the full name
- Partially or fully masked IP addresses
- Place of birth
- Race
- Religion
- Zip Code
Sensitive PII is information that, when disclosed, could result in harm to the individual. Examples of sensitive PII include:
- Cookies*
- Credit card information
- Date and place of birth
- Device IDs*
- Driver’s license number
- Email address
- Financial information
- Full name
- Internet Protocol (IP) address*
- Login details
- Mailing address
- Media access control (MAC)*
- Medical records
- Owned properties (e.g., vehicle identification number or VIN)
- Passport information
- Processor or device serial number*
- Social Security Number (SSN)
- Telephone number
*NIST states that linked information can be “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.” That means cookies and device IDs fall under the definition of PII.
The reason that this differentiation is important for any organization that collects sensitive PII is that it is subject to a number of regulations enforced under multiple standards (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), Financial Industry Regulatory Authority (FINRA), Sarbanes-Oxley (SOX), and numerous international laws, the most stringent being GDPR.
One of the tricky things about PII is that it can be just publicly available information when compiled alone, but become PII when paired with other data. For instance, an employee’s name and email address stored in a corporate directory are not sensitive PII, but if that information is connected with the employee’s private phone number and address, it would be considered sensitive PII.
Always Prioritize Protection of PII
Protecting PII is essential for so many reasons—personal privacy, data privacy, data protection, information privacy, and information security, to name a few. Taking the steps necessary to protect PII not only prevents security issues, but instills a sense of trust in customers, partners, and employees.
A key takeaway about PII protection is that it cannot be done in silos. A holistic, top-down approach is required to defend this invaluable data from threats of all stripes in an effective manner.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 11th March, 2022