If you live in the U.S., then you’ve probably heard of the term “Personally Identifiable Information,” or its acronym, PII, but what exactly does it mean?
With all the recent data breaches and cyber attacks, PII comes up in the news quite a bit. As there is no law on the books to officially define it, PII is typically defined by the source.
One key place we can look at is the U.S. Labor Department, and they define PII as any piece of “information that permits the identity of an individual to whom the information applies to be reasonably inferred, by either direct or indirect means.”
This can be things like your name, address, social security number, and phone number, but also much more, as we’ll see. All of this information can be used to uniquely identify who you are.
This list is far from exhaustive, but it will give you an idea of what type of info is considered PII:
But again, this will vary depending upon the definition. For instance, not everyone considers MAC addresses or IP addresses as PII. Unlike personal data, which is strictly defined in the GDPR, PII really depends upon who you ask.
Not all information can identify you by itself, but it can when combined with other pieces. This is called linkable information, and the pieces are sometimes called “pseudo-identifiers” or “quasi-identifiers.”
For instance, your birthdate by itself won’t be enough for someone to track you down. How many people on the planet share the same birthday, right? However, if we have your birthdate, gender, and the city you were born in, then someone could reasonably identify you.
Latanya Sweeney and her Data Privacy Lab at Harvard University found that having at least three points of info was enough to identify roughly 80% of all the people in the United States.
Here are some examples of quasi-identifiers:
While in the United States, quasi-identifiers aren’t considered PII, they do fall under the EU’s definition of personal data.
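As an added illustration (not code from the original article), here is a small Python check of how quasi-identifiers combine. The records, names and field values are constructed; the script measures the k-anonymity of a table on a chosen set of quasi-identifiers (k=1 means at least one person is uniquely identifiable) and shows generalization of the fields as a mitigation.

```python
from collections import Counter

# Constructed sample table (not real people). The quasi-identifiers are the
# three fields the article mentions: birthdate, gender and city.
RECORDS = [
    {"name": "A", "birthdate": "1985-03-12", "gender": "F", "city": "Boston"},
    {"name": "B", "birthdate": "1985-03-12", "gender": "M", "city": "Boston"},
    {"name": "C", "birthdate": "1985-09-04", "gender": "F", "city": "Denver"},
    {"name": "D", "birthdate": "1985-09-04", "gender": "M", "city": "Denver"},
    {"name": "E", "birthdate": "1990-07-01", "gender": "F", "city": "Denver"},
    {"name": "F", "birthdate": "1990-07-01", "gender": "M", "city": "Denver"},
    {"name": "G", "birthdate": "1990-07-01", "gender": "F", "city": "Boston"},
    {"name": "H", "birthdate": "1990-07-01", "gender": "M", "city": "Boston"},
]


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group; k == 1 means some record is unique on these fields."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are the only one with their quasi-identifier combination."""
    classes = equivalence_classes(records, quasi_ids)
    unique = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return unique / len(records)


def generalize(record):
    """Mitigation: keep only the birth year and suppress the city (hypothetical policy)."""
    return {**record, "birthdate": record["birthdate"][:4], "city": "*"}


if __name__ == "__main__":
    full = ["birthdate", "gender", "city"]
    print("birthdate alone: k =", k_anonymity(RECORDS, ["birthdate"]))
    print("all three fields: k =", k_anonymity(RECORDS, full),
          "unique share =", unique_fraction(RECORDS, full))
    generalized = [generalize(r) for r in RECORDS]
    print("after generalization: k =", k_anonymity(generalized, full),
          "unique share =", unique_fraction(generalized, full))
```

On this table the birthdate alone identifies nobody, but birthdate plus gender plus city identifies everyone; coarsening the fields brings every group back to size two.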
By definition, non-PII information is anything that can NOT be used to uniquely identify you.
Here are a few examples of what could be non-PII:
The biggest difference between PII and Personal Data is that Personal Data has been defined through legislation. Under Article 4 of the General Data Protection Regulation (GDPR) in the Definitions section, personal data is strictly defined as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
On the other hand, PII’s definition is scattered through different regulations and procedures, and there can be overlap with other laws like HIPAA and CCPA. There are a couple of organizations that do point us in the right direction so companies and the government can know what needs to be protected, and why. We gave the Labor Department’s version in the introduction, but another good source is the National Institute of Standards and Technology (NIST). They define PII as:
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date, and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
HIPAA Protected Health Information, or PHI, is any personal health information that can potentially identify an individual that was created, used, or disclosed in the course of providing healthcare services, whether it was a diagnosis or treatment.
PHI can include:
In short, it’s all the medical records and conversations held between you and your healthcare provider. It’s regulated by law and there are steep penalties for violating it and not staying HIPAA compliant. And in most cases, PHI falls under PII because it can be used to uniquely identify a person.
We’ve covered PII and Personal Data, which are terms from the U.S. and E.U. respectively. Now, let’s go over a few other locations where “personal information” is defined in other contexts.
This term shows up in Canada, Australia, and New Zealand. And, again, unlike the U.S., these definitions are codified in law. Let’s take each country in turn.
In some cases like New Zealand, they explicitly state that terms like “PII” have no legal standing in their country. It’s important to be aware of what privacy laws are in the countries you wish to do business in.
According to a report by RSA, around 45% of U.S. citizens had their information stolen in data breaches over the past five years. And while it might be obvious why thieves want credit card numbers, the rest of your info is just as valuable. The more detailed the profile, the higher the price it fetches on the dark web.
Hackers, fraudsters, and other wrongdoers can use this information to make a fake persona and open up fake bank accounts and take out loans in your name. Especially during and after the pandemic, cybercrime as a whole has been on the rise.
Criminals can do a lot of damage with only a few pieces of your info. With your name, social security number, and address, they can open up fraudulent accounts in your name. And after stealing something like your PHI, they could potentially get medications and medical care in your name, or use that information to try to blackmail you.
In some instances, it could be years before the breach is discovered or noticed on a credit report. By then, it’s too late, and recovering is difficult, if not impossible.
The University of Maryland found that a hacker is attacking someone every 40 seconds or so. So if you’re collecting information from customers, it’s important to keep it secure and protected. To that end, you need to understand how the info you collect could adversely affect customers should the worst happen.
NIST created a 61-page guide on keeping PII safe and secure. Losing your customers’ data not only negatively affects them, but it will also hurt your company’s reputation and bottom line. IBM found that a business will lose an average of $150 per record lost in a data breach.
Depending on what type of data you handle (e.g. PHI) or where you operate (e.g. the E.U.), you could face legal action alongside the financial and reputational hit. For instance, if you handle medical information, then you will be subject to HIPAA compliance rules and regulations. The cost of non-compliance can be crippling.