Personal Identifiable Information (PII)

Personal Identifiable Information (PII) is defined as: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.

PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

Understanding Personally Identifiable Information

Advancing technology platforms have changed the way businesses operate, governments legislate, and individuals relate. With digital tools like cell phones, the Internet, e-commerce, and social media, there has been an explosion in the supply of all kinds of data.

Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers.
However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. As a result, concerns have been raised over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.

Sensitive vs. Non-Sensitive Personally Identifiable Information

Sensitive PII

Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes legal statistics such as:

• Full name
• Social Security Number (SSN)
• Driver’s license
• Mailing address
• Credit card information
• Passport information
• Financial information
• Medical records

The above list is by no means exhaustive. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII, so it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.

Non-Sensitive PII

Non-sensitive or indirect PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories. Examples of non-sensitive or indirect PII include:

• Zip code
• Race
• Gender
• Date of birth
• Place of birth
• Religion

The above list contains quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity.

However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.

Safeguarding Personally Identifiable Information (PII)

Multiple data protection laws have been adopted by various countries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that some sensitive information should not be collected unless for extreme situations.

Also, regulatory guidelines stipulate that data should be deleted if no longer needed for its stated purpose, and personal information should not be shared with sources that cannot guarantee its protection.

Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015, the IRS suffered a data breach leading to the theft of more than a hundred thousand taxpayers’ PII.

Using quasi-information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions that should have been privy to the taxpayers only.

How PII Is Stolen

Many thieves find PII of unsuspecting victims by digging through their trash for unopened mail. This can provide them with a person’s name and address. In some cases, it can also reveal information about their employment, banking relationships, or even their social security numbers.
Nowadays, the Internet has become a major vector for identity theft. Phishing and social engineeringattacks use a deceptive-looking website or email to trick someone into revealing key information, such as their name, bank account numbers, passwords, or social security number. It is also possible to steal this information through deceptive phone calls or SMS messages.

Tips on Protecting PII

While it is not possible to fully protect yourself, you can make yourself a smaller target by reducing the opportunities to steal your PII. Experian, one of the top three credit agencies, lists several steps that you can take to reduce your surface area.
For example, a locked mailbox or PO box makes it harder for thieves to steal your mail and removing personal identification from junk mail and other documents makes it harder for identity thieves to associate a name with an address. Also, avoid carrying more PII than you need—there’s no reason to keep your social security card in your wallet.
Likewise, there are some steps you can take to prevent online identity theft. Data leaks are a major source of identity theft, so it is important to use a different, complex password for each online account. Always encrypt your important data, and use a password for each phone or device. It is also a good idea to reformat your hard drive whenever you sell or donate a computer.