PII Data: Implications for your Business Goals

All organizations collect various types of data (information), including personally identifiable Information (PII). PII data can be sensitive or non-sensitive, and more often than not, is called by employee mistakes as well as a target in a data breach. In some situations, these data breaches get exposed on the Dark Web.

As a consumer, you’ve likely received some type of alert that information like your email address or telephone number has been exposed in a data breach. This is often just the tip of the iceberg regarding the consequences of PII data getting into the wrong hands.

If regulators can track down the source of the breach there are often penalties and financial consequences for businesses. Additionally, when PII data is exposed, consumers lose trust in the organization that didn’t properly protect that information from both internal mishandling or external bad actors.

What is Personally Identifiable Information (PII) Data?

As technology progresses, some argue that the definition of Personally Identifiable Information (PII) must progress as well.

PII data is any information about an individual that can be used to identify that individual, including information that can be combined with other personal or non-information to identify the individual.

The National Institute of Standards and Technology (NIST) defines PII as “information that can be used to distinguish or trace an individual’s identity – such as name, social security number, biometric data records – either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g. data and place of birthday, mother’s maiden name, etc.).”

PII data includes religion, geographical indicators, employment information, personal health information, and behavioral characteristics such as activities and schools attended. In some situations, IP addresses, passport or license numbers, and financial account numbers, combined with other data points further enrich an individual’s “online” profile.personal data

As more data types are introduced, more questions about how to define PII data arise. Are usernames or social media handles PII? Is information collected by cars and IoT devices treated as PII?

The answers to these questions have important business implications to consider. Misusing or mishandling PII data can be costly both financially and particularly when consumer trust is lost.

Personally Identifiable Information vs. Personal Data

While Personally Identifiable Information and Personal Data may seem similar, they’re not the same thing. The GDPR doesn’t use the term Personally Identifiable Information and instead uses the term Personal Data.

As defined in the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

The European Commission provides personal data examples such as:

• Name and surname
• Home address
• Email address
• Identification card numbers
• Location data
• Health data (prescriptions, mental health)
• Financial data (bank accounts, credit cards)
• Passports
• IP address
• A cookie ID
• The advertising identifier of your phone
• Data held by a hospital or doctor
• While both PII and Personal Data include common data attributes(names, email, home, passports, and license/identification card numbers), personal data explicitly covers a few categories PII data leaves out(cookie ID, the advertising identifier of your phone (device ID), location data).

At a higher level, PII is used to distinguish an individual, and personal data includes any information related to the individual, whether it identifies them specifically or not.

What Qualifies as PII?

Specifically, this data is considered to be PII:

• Name, maiden name, mother’s maiden name, alias
• Passport #, Social Security #, Drivers License #, Taxpayer Identification #
• Address (personal or business)
• Email address
• Telephone numbers
• Vehicle registration number, vehicle title number, or Vehicle Identification Number
• Financial Account Numbers, Credit Card Numbers
• Personal Health Information (PHI), Patient Identification Number
• Biometric Records – Personal characteristics, including a photographic image of faces or other distinguishing characteristics, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)

Other information can also become PII when combined with publicly available information used to specifically “identify” an individual. This data is considered linked or linkable to one of the examples above.

For example, non-PII that can become PII under certain conditions:

• Internet Protocol (IP) address or Media Access Control (MAC) address
• Web cookies, trackers
• Date of Birth
• Place of Birth
• Religion
• Weight
• Activities
• Geographical Indicators
• Employment or Educational Information, such as where someone works, worked in the past, or where they attended school
• Financial Information

Sensitive PII is information that, when disclosed, would jeopardize one’s individual rights and thus result in some harm to the individual. This includes financial information (like credit card numbers), health information, criminal records, and the like. Depending on the jurisdiction, some PII may have greater sensitivity.

Under GDPR these data are classified as special category data (race, ethnicity, political opinions, religion, etc.) and warrant the highest level of security, integrity, and explicit consent to be “processed.”

It’s important to note that while all sensitive PII IS PII, NOT all PII is considered sensitive. But no matter the type, safeguarding PII data is vital to maintaining privacy and trust.

PII in the Context of Cybersecurity

Cybercriminals use simple phishing, vishing, and smishing scams to gain access to one’s PII. Furthermore, Cybercriminals know that PII data gets them one step closer to their ultimate goal of one’s SPI (which has significant value in the Dark Web).

Despite increased cybersecurity technology, cybercrime continues to mount as more data is shared due to the benefits of the Internet of Things. Moreover, the exponential growth and ubiquitous access to AI have increased cybercrime’s sophistication. This in turn has increased the risk of internal or external data breaches. Therefore, taking measures to secure one’s PII from the outset is critical to breaking this vicious cycle.

The Impact of PII Data on Identity Theft

Identity theft occurs when criminals use PII data to impersonate individuals, again for financial gain. By accessing PII data, a criminal could open up new credit card accounts, apply for loans, or even file fraudulent tax returns in your name.

One infamous example of such a case is the Equifax data breach in 2017, where the personal information of 147 million people was exposed, leading to widespread identity theft. More recently, there have been several notable breaches :

In 2023, the genetics testing company 23andMe was hacked causing the exposure of genetic information and PII of 6.9 million people.
Earlier in 2023, Progress Software’s MOVEitTransfer enterprise file transfer tool was exploited causing a ripple effect of over 2,000 organizations reportedly being attacked and data thefts affecting 62 million people and counting.

Top Considerations for Protecting PII

Protecting PII data is more than just a best practice—it’s a necessity. Here are eight proactive steps you can take to emphasize PII protection:

1. Establish a Data Privacy and Security Program: Build a Program that fosters collaboration between privacy compliance and infosec teams and ensures support from senior leadership.
2. Data Minimization: Only collect PII you need to complete the intended purpose and when the purpose is over permanently purge from the environment (including backup systems).
3. Know Your Data and Risks: Understand what PII data you collect, where it’s stored, who has access, and how it’s used and shared.
4. Limit Access: Only give access to PII data to those who need it to perform their job function.
5. Keep Hardware Current: Keep all your devices, including smartphones, computers, and tablets, up to date with the latest software and security patches.
6. Train Your Team: Ensure everyone in your organization understands their role in protecting PII data and provide specific job training for those “processing” PII.
7. Stay Compliant and Vigilant: Follow relevant privacy laws and regulations, and keep your policies and procedures up-to-date; Conduct ongoing system penetration testing to ensure data security
8. Prepare for Data Incidents: Have a plan for dealing with data incidents and breaches, including notification procedures; Consider performing breach simulation exercises annually to remain vigilant and ready to act in extreme circumstances.

Get Support to Protect Your Business PII Data

Protecting PII data is not just about compliance—it’s about safeguarding trust, privacy, and your reputation. As privacy professionals, it’s our responsibility to ensure that PII data is treated with the respect it deserves. TrustArc is a partner in this journey, offering expert guidance and cutting-edge solutions in PII data protection.