Article
What is personally identifiable information (PII)?
Personally identifiable information (PII) is information that, when used alone or with other information, can be used to identify an individual. This data can enable the identification of an individual either directly or indirectly with quasi-identifiers and can be found digitally or on paper.
Characteristics of personally identifiable information are that it:
- Can be used in conjunction with other data elements to identify an individual
- Can be used to contact an individual in person or online
- Directly identifies an individual
Examples of PII include:
- Full name
- Address
- Phone number
- Date and place of birth
- Social Security Number
- Bank account number
- Biometric records (e.g., fingerprints)
- Credit or debit card numbers
- Driver’s license number
- Email addresses
- Mother’s maiden name
- Passport information
It is worth noting what is not considered to be personally identifiable information. Non-personally identifiable information (non-PII) cannot be used on its own to find or identify a person.
Examples of non-PII include shared data (e.g., business phone numbers, workplace, and job titles) and anonymized data (e.g., information collected and presented as part of a survey or demographic reports).
What are direct vs indirect identifiers?
Sensitive PII vs non-sensitive PII
There are overlaps between direct identifiers and sensitive personally identifiable information and indirect identifiers and sensitive personally identifiable information. It is important to note that direct identifiers are always considered sensitive, while the sensitivity of indirect identifiers can be context-specific.
Sensitive PII
Sensitive personally identifiable information is data that directly identifies an individual and could cause significant harm if leaked or stolen. This is information that is not publicly available and, according to multiple laws, should be protected from unauthorized access.
In addition to legal restrictions, sensitive personally identifiable information is often protected by contractual and ethical requirements. The origin of the term is credited to the 2020 California Privacy Rights Act (CPRA).
Non-sensitive PII
Non-sensitive personally identifiable information can be easily gathered from public records, websites, and other open sources and would not cause significant harm to a person if leaked or stolen.
While some privacy laws exclude non-sensitive personally identifiable information from data protection requirements, many organizations choose to secure it, because it can become sensitive personally identifiable information when aggregated with other data.
PII and data privacy laws
Federal personally identifiable information privacy laws
There is no single federal law governing personally identifiable information in the United States. Following are several laws that make up the patchwork of federal personally identifiable information legislation.
- Children’s Online Privacy Protection Act (COPPA)
Regulates how personal information from children under the age of 13 is collected, handled, and used - Fair Credit Reporting Act
Directs how credit agencies store, protect data, and share consumers’ credit data - Family Educational Rights and Privacy Act (FERPA)
Protects educational information and related records - Federal Trade Commission (FTC) Act
Dictates that organizations must be abundantly clear about what information they will be collecting, particularly when that information may be shared with a third party - Gramm-Leach-Bliley Act (GLBA)
Governs how financial institutions store and regulate access to customers’ data - Health Insurance Portability and Accountability Act (HIPAA)
Protects an individual’s medical records with standards for privacy, confidentiality, and consent for sharing - US Privacy Act
Establishes rules for collecting, maintaining, using, and disseminating personally identifiable information by all federal agencies
State personally identifiable information privacy laws
Individual states in the United States have laws that impose requirements on how PII must be handled. These include:
- California Consumer Privacy Act
- Colorado’s Privacy Act
- Connecticut Personal Data Privacy and Online Monitoring Act
- Delaware Personal Data Privacy Act
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act
- Maryland Online Consumer Protection Act
- Massachusetts Data Privacy Law
- Montana’s Consumer Data Privacy Act
- New York Privacy Act
- Oregon Consumer Privacy Act
- Tennessee Information Protection Act
- Texas Data Privacy and Security Act
- Utah Consumer Privacy Act
- Virginia Consumer Data Protection Act
International personally identifiable information privacy laws
Among the international laws protecting the privacy of personally identifiable information are:
- Australia’s 1988 Privacy Act
- Brazil’s General Data Protection Law (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- China’s Personal Information Protection Law (PIPL)
- The European Union’s General Data Protection Regulation (GDPR)
- India’s Digital Personal Data Protection Bill
Protecting personally identifiable information
Personally identifiable information must be secured from malicious and accidental unauthorized access. Malicious actors seek out PII for a number of purposes, including committing identity theft to perpetrate additional crimes such as blackmail, and selling it on the dark web, where buyers use it to facilitate scams such as spear phishing for business email compromise attacks.
Details about commonly cited best practices for protecting personally identifiable information follow.
Collection and retention minimization policies
The more personally identifiable information an organization has, the greater the risk. Organizations tend to retain information that is not necessary to support their operations. Policies should be put in place to define criteria for collecting and storing PII.
This should include directives for what data should be collected and retained, including what safeguards are required to protect it. In addition, policies should dictate when and how data should be securely destroyed to minimize PII footprints that put organizations at risk.
Discovery and classification
Organizations need to keep track of all personally identifiable information (i.e., on all devices, including servers, workstations, laptops, and removable storage) as well as classify it according to sensitivity. Then, safeguards need to be implemented that are appropriate for the type of data being collected, stored, and transmitted by internal sources (e.g., employees) and any third parties (e.g., partners or vendors).
Incident response plan for PII leaks and breaches
Organizations should have an incident response plan ready to execute in the event of a data leak or breach. This minimizes the impact on the incident and can facilitate a smoother, faster recovery. Key parts of an incident response plan include:
- Part one: Planning
The efficacy of a response to a data privacy compromise incident is preparation. This starts with creating a blueprint for the response that includes roles and responsibilities and the prioritization of actions.
Individuals or teams should be assigned to each of the roles and actions. These teams should consist of stakeholders and representatives from any area of the organization that could be impacted by a data privacy compromise (e.g., human resources, legal, communications, and IT). A leader of the overall effort should also be identified.
The plan should reviewed regularly to confirm that it continues to follow best practices and meet the organization’s requirements. - Part two: Testing
Incident response plans should be thoroughly tested. Simulation testing is an effective way to ensure that the elements of the plan work as expected. This way, any deficiencies can be identified and remediated before an incident occurs. - Part three: Detection and analysis
Early detection is also an important part of data privacy incident response. Systems should be in place to quickly identify an attempted attack or a breach to mitigate damage. This can include attack surface management, continuous network monitoring, intrusion detection, and security incident event management (SIEM) tools to identify network vulnerabilities and breaches proactively. - Part four: Containment, response, eradication, and recovery
As soon as an incident is detected, the team should have containment plans ready to execute. Many laws have rigid notification timelines. Organizations need to understand what their notification obligations are and have messages ready to send to anyone whose personally identifiable information has been compromised.
Once the situation has been stabilized, efforts should turn to eradication and recovery. For recovery, backups of critical data are crucial. - Part five: Post-incident assessments
In the wake of an incident, a full assessment needs to be completed that considers what worked, what could have worked better, and what failed. Then, learning should be incorporated into an updated incident response plan.
Physical security
While many privacy protection strategies focus on digital safety, it is important not to overlook physical security. All physical points of entry to spaces where personally identifiable information resides should be secured (e.g., locks on file cabinets and windows, as well as strict access controls for all doors).
Malicious actors regularly use physical security breaches as a means to access both physically and personally identifiable information (e.g., files) and digital information (e.g., laptops and external hard drives).
Privacy frameworks
Privacy frameworks detail processes and systems that can be used to protect PII. These can be created internally, but many organizations leverage privacy and security frameworks that are developed by government agencies, such as the United States National Institute of Standards and Technology (NIST) Privacy Framework, Fair Information Practice Principles (FIPPs), Organization for Economic Co-operation and Development (OECD) Privacy Guidelines, and the International Organization for Standardization (ISO) 27701. US and international laws and regulations also provide data and privacy protection frameworks.
Privacy protection tools and programs
There are many options for privacy protection solutions. Below are the most commonly used systems and programs to protect personally identifiable information.
- Access controls, including:
- Privacy policies and procedures that document the rules for the collection, use, retention, disclosure, and destruction of PII
- Training that includes instruction on:
- Encryption to secure personally identifiable information in transit (e.g., email) and at rest (e.g., in databases, applications, or other storage media)
- Data anonymization to remove the identifying characteristics of PII using techniques such as stripping identifiers from data, aggregating data, or strategically adding noise to the data
- Cybersecurity tools:
- Least-privilege that minimizes access so users are limited to the information needed to perform approved tasks and for only as long as necessary
- Multi-factor authentication (MFA)
- Role-based access controls (RBAC) that grant privileges based on positions and functions
- How to protect and handle PII
- Identifying social engineering attacks, such as phishing
- Anti-virus software
- Data loss prevention (DLP) tools
- Extended detection and response (XDR) tools
- Firewalls
- Identity and access management (IAM) systems
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Network security monitoring tools
- Password managers
- Penetration testing
- Security incident event management (SIEM) tools
- Virtual private networks (VPNs)
- Web vulnerability scanning tools
Risk assessment
On a regular basis, risk assessments should be performed to ensure that privacy protection systems continue to meet compliance requirements and reflect best practices. This is an opportunity to identify gaps or underperforming processes or programs that could put personally identifiable information at risk of compromise.
Understanding applicable compliance requirements
In addition to protecting PII to meet internal standards, it is important to identify all of the applicable laws and regulations. The number of privacy laws continues to expand, and their reach means that most organizations will be subject to privacy protection requirements for PII.
Avoid missteps with personally identifiable information
Exposing PII can cause significant harm to individuals, ranging from theft to reputational damage. The volume of sensitive data that is collected and stored continues to grow with no end in sight as smartphones, applications, websites, and social media find new reasons and ways to gather data. Regardless of how or why individuals share PII, it is incumbent on the organization that collects it to protect it.
Any organization that collects and stores personally identifiable information is subject to multiple laws across the United States and around the world governing its handling. Every one of these organizations must ensure that data protection practices are up to the task of keeping PII secure from unauthorized access.
Unleash the power of unified identity security.
Centralized control. Enterprise scale.