Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymizing previously anonymous data can be considered PII.
PII may be used alone or in tandem with other relevant data to identify an individual and may incorporate direct identifiers, such as passport information, that can identify a person uniquely or quasi-identifiers, such as race, that can be combined with other quasi-identifiers, like date of birth, to successfully recognize an individual.
Protecting PII is essential for personal privacy, data privacy, data protection, information privacy and information security. With just a few bits of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal. As individuals' personal data is recorded, tracked and used daily -- such as in biometric scans with fingerprints and facial recognition systems used to unlock their devices -- it is increasingly essential to protect individuals' identity and any pieces of identifying information unique to them.
Examples of PII
According to the U.S. General Services Administration (GSA): "The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available -- in any medium and from any source -- that, when combined with other available information, could be used to identify an individual."
Although the legal definition of PII may vary from jurisdiction to jurisdiction and state to state, the term typically refers to information that can be used to distinguish or trace an individual's identity, either by itself or in combination with other personal or identifying information that is linked or linkable to an individual. Any information that can uniquely identify people as individuals, separate from all others, PII may include name, address, email, telephone number, date of birth, passport number, fingerprint, driver's license number, credit/debit card number and Social Security number.
The Department of Energy (DOE), for example, defines PII as follows: "Any information collected or maintained by the department about an individual -- including but not limited to education, financial transactions, medical history and criminal or employment history -- and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual. Any personal information you collect may be PII. Even email addresses may be PII if they include a person's full name."
This information includes more examples of what can be considered PPI and can be more sensitive depending on the degree of harm, embarrassment or inconvenience it will cause an individual or organization "if that information is lost, compromised or disclosed," according to the DOE.
Sensitive vs. nonsensitive PII
PII can be labeled sensitive or nonsensitive. Nonsensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories and websites. This might include information such as zip code, race, gender, date of birth and religion -- information that, by itself, could not be used to discern an individual's identity.
Sensitive PII is information that, when disclosed, could result in harm to the individual when a data breach occurs. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure. Sensitive PII should therefore be encrypted in transit and when data is at rest. Such information includes biometric information, medical information covered by Health Insurance Portability and Accountability Act (HIPAA) laws, personally identifiable financial information (PIFI) and unique identifiers, such as passport or Social Security numbers. Employee personnel records; tax information, including Social Security numbers and Employer Identification Numbers (EINs); password information; credit card numbers; bank accounts; electronic and digital account information, such as email addresses and internet account numbers; and school identification numbers and records are also on the list of sensitive PII.
How is PII used in identity theft?
A number of retailers, health-related organizations, financial institutions -- including banks and credit reporting agencies -- and even federal agencies, such as the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), have experienced data breaches that put individuals' PII at risk, leaving them potentially vulnerable to identity theft.
The kind of information identity thieves are after will change depending on what cybercriminals are trying to gain -- as they will need different types and amounts of information. By hacking and accessing computers and other digital files, they can open bank accounts or file fraudulent claims with the right stolen information. In some cases, criminals can open accounts with just an email address; others require a name, address, date of birth, Social Security number and more information. Some accounts can even be opened over the phone or on the internet.
Additionally, physical files -- such as bills, receipts, a physical copy of your birth certificate, a Social Security card or lease information -- can be stolen if an individual's home is broken into. Burglars can sell PII for a significant profit. Criminals may use victims' information without their realizing it; while thieves may not use victims' credit cards, they may open new, separate accounts using their victims' information.
PII security best practices
As the amount of structured and unstructured data available keeps mushrooming, the number of data breaches and cyberattacks by actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information.
Government agencies and other organizations must have strict policies about collecting PII through the web, customer surveys or user research. Regulatory bodies are hammering out new laws to protect consumer data, while users are looking for more anonymous ways to stay digital. The European Union's (EU) General Data Protection Regulation (GDPR) is one of a growing number of regulations and privacy laws that affect how organizations conduct business. GDPR, which applies to any organization that collects PII from citizens in the EU, has become a de facto standard worldwide. GDPR holds these organizations fully accountable for protecting PII data, no matter where they might be headquartered.
As organizations continuously collect, store and distribute PII and other sensitive data, employees, administrators and third-party contractors need to understand the repercussions of mishandled data and be held accountable. Predictive analytics and artificial intelligence (AI) are in use at organizations to sift through large data sets so that any data stored is compliant with all PII rules.
Additionally, organizations establishing procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor (2FA) and multifactor authentication (MFA). Other recommendations for protecting PII are encouraging employees to practice good data backup procedures; safely destroy or remove old media with sensitive data; install software, application and mobile updates; use secure wireless networks, rather than public Wi-Fi; and use virtual private networks (VPNs).
To protect PII, individuals should limit what they share on social media, shred important documents before discarding them, be aware to whom they give their Social Security numbers and keep their Social Security cards in a safe place. Individuals should also make sure to buy or browse financials on secure HTTP Secure (HTTPS) sites; watch out for shoulder surfing, tailgating or dumpster diving; be careful about uploading sensitive documents to the cloud; and lock devices when not in use.
PII vs. PHI
Similar to PII, protected health information (PHI) includes information used in a medical context that can identify patients, such as name, address, birthday, credit card number, driver's license and medical records.
Whether companies handle PII or PHI, they should employ records management programs to gain better control of their data by moving it to more intense document management systems and repositories or by disposing of content that's no longer required.
In the United States, PHI is subject to strict confidentiality and disclosure requirements that don't apply to most other industries. While protecting PHI is always legally required, protecting PII is mandated only in some instances. Under HIPAA and revisions to HIPAA made in 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities -- such as healthcare providers, insurers and their business associates -- are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide PHI to patients if requested -- preferably in an electronic PHI (ePHI) format.
PHI is useful to patients and health professionals; it is also valuable to clinical and scientific researchers when anonymized. However, for hackers, PHI offers a wealth of personal consumer information that, when stolen, can be sold elsewhere or even held hostage through ransomware until the victimized healthcare organization sends a payoff.