A Definition of Personally Identifiable Information
The United States Department of Labor defines personally identifiable information as: “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred be either direct or indirect means. Further, PII is defined as information: (i) that directly defines an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.”
Simply put, personally identifiable information (PII) is any data that has the potential to identify a specific person. Any information that could be used to distinguish one person from another qualifies as personally identifiable information, as does any information that could be used to void the anonymity of data.
Types of Personally Identifiable Information
Not all data that qualifies as personally identifiable information is sensitive, however. Sensitive PII generally includes medical information, personally identifiable financial information, and other unique identifiers. Social security numbers, passports, and driver’s license numbers are all examples of sensitive PII. Another factor that distinguishes sensitive and non-sensitive PII is that sensitive PII consists of information that could put an individual at risk if improperly shared or disclosed. When being stored or processed electronically, sensitive PII should be encrypted both at rest and in transit.
On the other hand, non-sensitive PII is information that may be gathered from public records, such as phone books and websites. Because of its more public nature, non-sensitive personally identifiable information may be transmitted or stored in plain text without harming the individual.
Personally Identifiable Information Security Challenges
As popular software and websites increasingly rely on users’ personal information, PII is put at risk of exposure by cyberattacks and data breaches. Data breaches in which PII is exposed often result in that information falling into the hands of cybercriminals or being distributed on the black market. Once exposed, attackers can use sensitive personally identifiable information to facilitate identity theft, fraud, and social engineering attacks – particularly phishing and spear phishing.
The most creative cybercriminals will collect PII and other data (such as health information or financial records) from multiple incidents in order to profile potential targets over time, attacking only once they have enough information to be successful. For a prime example of this we can look to May of this year, when the IRS reported that cybercriminals had used one of the IRS’s online services to obtain tax return information for more than 100,000 households in the US. The cybercriminals used PII that had been stolen in previous incidents to gain unauthorized access to the tax-agency accounts. Around 15,000 fraudulent refunds were issued as a result.
The Need to Protect Personally Identifiable Information
Obviously, it is important for individuals to protect their PII. But, it is equally important that companies apply strong protection to customers’ PII and educate their own employees about protecting PII and other types of sensitive data. A Raytheon study, as reported by Business News Daily, shows that employees commonly put companies’ sensitive data at risk, including financial and healthcare records, intellectual property, private company information, and PII.
The study offers several statistics that highlight organized risks to PII as well as the need for PII protection:
Nearly 50% of the professionals surveyed responded that it is likely that malicious insiders would use social engineering or other strategies to get someone’s access rights
59% of those surveyed said the greatest threat to general business information is failure to implement controls for sensitive data access
88% of the professionals surveyed claim to recognize enhanced security as a top priority, yet less than 50% of them have a budget dedicated to investing in data loss prevention technologies for reducing insider threats
A key consideration mentioned in these statistics is the need to protect PII from not only external attacks but also threats that may come from insiders, such as employees, contractors, subcontractors, and other business partners. Whether being targeted by hackers and cyber criminals or put at risk by insiders (well-intentioned or otherwise), there’s no doubting that sensitive PII requires protection. However, with the right combination of process and technology solutions – such as DLP and encryption – PII security is achievable for businesses today.