Understanding and Safeguarding Personally Identifiable Information (PII)
Every person is distinguished by a combination of biological, psychological, social and official attributes: fingerprints, iris and retinal patterns, DNA, personality traits and beliefs, accent, and assigned identifiers such as email addresses, social security numbers and national identity numbers. Details like these, when they can be tied back to a specific person, are referred to as Personally Identifiable Information (PII).
Personally Identifiable Information is any data that can be used to identify or contact an individual, either directly or indirectly. A piece of PII may identify a person on its own or only when combined with other details. Together these details form a profile that is unique to each person, and they also make it easy for businesses to collect and use information in transactions, especially for delivering personalised services. According to Frankenfield (2023), PII may consist of direct identifiers such as passport details, which on their own single out a person, or quasi-identifiers such as race, which identify someone only when combined with other quasi-identifiers like date of birth. PII is a central concept in data privacy, cybersecurity, and regulatory compliance frameworks such as the GDPR, HIPAA and the NDPR.
The spread of information technology into everyday personal and organizational activity, from managing a smart home to signing up for services, and companies mining customers' personal data to understand market trends and preferences, has driven a steep increase in the generation, collection and use of big data, a large share of which is personally identifiable information.
Types of Personally Identifiable Information (PII)
PII is categorized by how sensitive it is, where it is stored, and how accessible it is. Personally identifiable information can be sensitive or non-sensitive, and direct or indirect.
Sensitive PII: Some information is sensitive because losing, leaking or mishandling it causes significant harm to the person concerned. It includes data that identifies a person directly, without needing to be combined with quasi-identifiers. Sensitive PII includes a person's full name, biometric data, medical records, financial information such as card details, social security number, driver's licence, and passport details. This category is not available from public sources and is normally obtained directly from the owner with their consent. Law enforcement and government agencies usually need legal process, such as a warrant, before they can obtain this kind of information without the owner's consent.
Non-sensitive PII: These are indirect identifiers that can be found in public sources such as the Internet, social media platforms, directories and phone books. Non-sensitive personal information includes gender, date and place of birth, religion, academic history, social media handle, ZIP code, IP address and email address. These are quasi-identifiers: none of them verifies a person's identity on its own, but each narrows the set of people a record could belong to, and a few of them together often narrow it to one. Note that several of them, IP addresses and email addresses in particular, still count as personal data under the GDPR and must be protected accordingly.
Whether a given piece of PII is sensitive therefore depends largely on context. An email address is rarely sensitive by itself, but once a cybercriminal learns that it doubles as the username on a victim's banking app, it becomes one of the few pieces needed to take the account over. The 2015 breach of the IRS "Get Transcript" web application is the standard illustration: attackers used quasi-identifiers gathered from other sources to answer the knowledge-based verification questions whose answers should have been known only to the taxpayer, and downloaded prior-year tax transcripts. The number of affected taxpayers was initially put at more than 100,000 (IRS, 2015), a figure the agency later revised upward.
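The linkage attack behind incidents like the IRS case, reduced to code. This example is added here and is not from any of the sources the page cites; both datasets are constructed and the field names (zip, dob, sex, diagnosis) are assumptions. It shows how records stripped of names but still carrying ZIP code, date of birth and sex can be joined against a public list with the same fields, and how a k-anonymity check on the quasi-identifiers (the size of the smallest group of records that share one combination of them) would have flagged the release before it went out. Generalizing the fields (3-digit ZIP prefix, birth year only) raises k and defeats the join.

```python
"""Constructed demonstration of quasi-identifier linkage and a k-anonymity check.
Example code, not from any cited source; both datasets are made up."""
from collections import defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
DEIDENTIFIED = [
    {"zip": "10027", "dob": "1984-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "10031", "dob": "1984-09-05", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "10027", "dob": "1979-11-02", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "10044", "dob": "1979-02-20", "sex": "M", "diagnosis": "migraine"},
    {"zip": "10031", "dob": "1984-01-15", "sex": "F", "diagnosis": "anemia"},
]

# Constructed public list (voter roll, marketing file) with the same fields plus names.
PUBLIC = [
    {"name": "A. Okafor", "zip": "10027", "dob": "1984-03-12", "sex": "F"},
    {"name": "B. Reyes", "zip": "10031", "dob": "1984-09-05", "sex": "F"},
    {"name": "C. Nwosu", "zip": "10027", "dob": "1979-11-02", "sex": "M"},
    {"name": "D. Adams", "zip": "10044", "dob": "1979-02-20", "sex": "M"},
    {"name": "E. Bello", "zip": "10031", "dob": "1984-01-15", "sex": "F"},
    {"name": "F. Chen", "zip": "10027", "dob": "1984-03-12", "sex": "F"},
]


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values a record exposes."""
    return tuple(record[field] for field in qi)


def equivalence_classes(records, qi=QUASI_IDENTIFIERS):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for record in records:
        classes[qi_key(record, qi)].append(record)
    return classes


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means some record stands alone."""
    return min(len(group) for group in equivalence_classes(records, qi).values())


def link(deidentified, public, qi=QUASI_IDENTIFIERS):
    """Join on quasi-identifiers. A de-identified record whose key matches exactly
    one public record is re-identified: name and diagnosis are now paired."""
    index = equivalence_classes(public, qi)
    hits = {}
    for record in deidentified:
        candidates = index.get(qi_key(record, qi), [])
        if len(candidates) == 1:
            hits[candidates[0]["name"]] = record["diagnosis"]
    return hits


def generalize(record):
    """Coarsen quasi-identifiers before release: 3-digit ZIP prefix, birth year only."""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3]
    coarse["dob"] = record["dob"][:4]
    return coarse


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(DEIDENTIFIED))
    print("re-identified:", link(DEIDENTIFIED, PUBLIC))
    released = [generalize(r) for r in DEIDENTIFIED]
    print("k after generalization:", k_anonymity(released))
    print("re-identified:", link(released, [generalize(p) for p in PUBLIC]))
```

On the raw release every record is unique (k = 1) and four of the five are re-identified outright; the first record survives only because the public list happens to hold two people with the same ZIP, birthdate and sex. After generalization k rises to 2 and the join yields nothing. A real release would aim for a larger k and also check that the sensitive column varies within each group, since a group of five people who all share one diagnosis still discloses it.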
Safeguarding Personally Identifiable Information (PII)
Attackers steal PII through social engineering, phishing above all, by manipulating victims into revealing sensitive information that is then used to get into their accounts or systems. They also obtain PII from misconfigured servers and exposed storage, from unattended or stolen devices, by cracking weak passwords, and through man-in-the-middle attacks on unencrypted connections (Gillis & Bernstein, 2024).
Today PII is a core ingredient of the "big data" that underpins medical services, legal dealings, customer relations and business decisions. Companies collect, analyse and share data with other companies to improve performance. Data shared between companies is usually de-identified by pseudonymization, tokenization or aggregation, with encryption protecting it in transit and at rest; but encryption is not anonymization, and de-identification is only as strong as the quasi-identifiers left in the data. There are therefore persistent concerns about how companies handle PII and about their exposure to data breaches and cyberattacks. Consequently, regulating and safeguarding personally identifiable information has become a priority for individuals, corporations and governments.
Data Privacy Law and PII
Regional blocs, countries and industries have data protection rules that govern how the personal information of clients is collected, stored and managed. The European Union's General Data Protection Regulation (GDPR) governs how organizations, inside or outside the EU, collect, process, store and transfer the personal data of people in the EU. The United States has no single federal equivalent; states such as California have their own regimes, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which give consumers rights over how organizations collect, store and use their PII. The Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare organizations in the US collect and manage patients' medical records and other PII. In the payments sector, the Payment Card Industry Data Security Standard (PCI DSS), a contractual standard maintained by the card brands rather than a law, sets out how companies that store, process or transmit cardholder data must protect it.
Under the GDPR, personal data may be transferred only to recipients that can guarantee an adequate level of protection; special categories of data (health, biometric and genetic data, racial or ethnic origin, religious beliefs and the like) may be processed only under narrow exceptions; and data must be deleted once the purpose for which it was collected has been served. The regulation protects any information relating to an identified or identifiable natural person, including data that would not be regarded as sensitive elsewhere. Other laws draw the line differently, so what must be protected depends on which regime applies.
In the US, for instance, there is no comprehensive federal data privacy law, but federal agencies must comply with the Privacy Act of 1974, which governs how they collect, use and share personally identifiable information. Although more than 79% of countries have enacted data privacy laws, compliance is hard precisely because the rules differ, and remote workforces and cloud computing mean that several regimes can apply to one dataset at once: data may be collected in one jurisdiction, retained in another and processed in a third (IBM, 2022). The consequences of non-compliance are severe, ranging from class actions and financial penalties to revoked licences, reputational damage and the loss of clients, investor confidence and business. In 2021, for example, Luxembourg's data protection authority, the CNPD, fined Amazon 746 million euros (about $888 million) for processing personal data in violation of the GDPR (Bloomberg, 2021).
Safeguarding PII
Protecting PII is essential to personal privacy, data privacy and security. Attackers breach systems to steal PII for identity theft, financial fraud, blackmail, influencing political outcomes, gaining leverage over competitors, or resale on the dark web, where a complete set of stolen PII, known as "fullz", fetches a high price. They can also obtain PII physically, by going through a person's rubbish or watching over their shoulder as they use a computer, by tricking victims into handing it over, or by harvesting it as part of a larger breach. Many people share PII freely on social media; an attacker who watches those accounts over time can gather enough to impersate the victim or break into their accounts.
Organizations should therefore build a data privacy framework that fits their sector, the data they collect, and the regulations they operate under. The framework should start with an inventory that identifies and classifies all data held in the organization's systems. Companies should minimise the collection and use of PII, dispose of data that is no longer needed, and apply data security controls: encryption of PII at rest and in transit, and an identity and access management approach built on least privilege, role-based access control (RBAC) and zero-trust principles, so that a compromised account or system exposes as little PII as possible. Employees should be trained to recognise malicious activity and to handle and dispose of PII properly, whether it is their own or a client's. Corporations should also secure their own wireless networks rather than relying on public Wi-Fi, and keep software and applications patched.
Companies should also invest in data loss prevention (DLP) tooling that monitors data in use, in motion and at rest, so that leaks and unauthorized access are detected as they happen. A rehearsed incident response plan, covering both recovery and the notification duties that regulations impose, is equally indispensable.
Laws and organizational controls only go so far; protecting personal information is a shared responsibility, and individuals have to do their part. No one wants to be a victim of identity theft.
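An added example of the classification and DLP-style checks described above; it is not code from any of the cited sources. It scans constructed log lines for email addresses, US-format social security numbers and payment card numbers, validates card candidates with the Luhn checksum so that plain reference numbers are not flagged, and then either masks the findings for display or replaces them with keyed HMAC pseudonyms for analytics. The patterns, sample lines and key are illustrative assumptions. The keyed construction matters: a bare hash of a 9-digit SSN is reversible by enumerating all 10^9 values, whereas an HMAC is not without the key.

```python
"""Constructed DLP-style scanner: find, validate and pseudonymize PII in text.
Example code; patterns, sample lines and key are illustrative assumptions."""
import hashlib
import hmac
import re

# Constructed sample: lines as they might leave an application log.
SAMPLE = """\
2024-05-01 10:02:11 INFO  order=7781 customer=jane.doe@example.com card=4111111111111111
2024-05-01 10:02:12 DEBUG kyc ssn=219-09-9999 ticket=55 bad=000-12-3456
2024-05-01 10:02:13 WARN  retry card=4111111111111112 ref=1234567890123456
"""

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13 to 19 digits with optional single spaces or hyphens between them.
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is not a payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str):
    """Return (kind, value, line_no) for every validated identifier found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # looks like a card but fails Luhn: a reference number
                findings.append((kind, value, line_no))
    return findings


def mask(kind: str, value: str) -> str:
    """Display form that keeps only what support staff need (last four, domain)."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token: stable across records so analytics can still join on it,
    but neither reversible nor brute-forceable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(text: str, key: bytes = b"") -> str:
    """Replace every finding with a mask, or with a pseudonym when a key is given."""
    out = text
    for kind, value, _ in scan(text):
        out = out.replace(value, pseudonymize(value, key) if key else mask(kind, value))
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
    print(redact(SAMPLE, key=b"rotate-me-and-store-in-a-kms"))
```

Running it flags the email, the valid test card and the SSN on the first two lines, and leaves line three alone: the card on that line fails Luhn and the 16-digit reference number does too, so neither is masked. The masked output keeps the last four digits and the email domain, which is usually all an operator needs; the keyed output is what you would ship to an analytics store where records still have to be joined on the identifier.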
Here are some ways individuals can protect their personally identifiable information:
- Secure each online account with its own long, complex password; a password manager makes this practical.
- Turn on multi-factor authentication wherever it is offered, preferring an authenticator app or hardware key to SMS codes, which can be intercepted through SIM swapping.
- Encrypt personally identifiable data before sharing it, especially by email, which is not end-to-end encrypted by default.
- Securely erase the storage of old computers and devices before selling or disposing of them; a quick format leaves the data recoverable, so use a full overwrite, the device's cryptographic erase or factory-reset function with encryption enabled, or physical destruction.
- Shred mail and documents that carry personal information before discarding them.
- Limit what you share on social media and websites, and verify who you are dealing with before entering sensitive data online.
- Make online purchases only on HTTPS sites, bearing in mind that the padlock proves the connection is encrypted, not that the merchant is honest.
- Be careful about uploading sensitive documents to the cloud.
- Do not click on suspicious links or attachments in emails or texts.
- Avoid giving apps unnecessary access to contacts, location or stored data; review app permissions before installing and periodically afterwards.
- Lock your devices when not in use.
References
Bloomberg (2021). Amazon Gets Record $888 Million EU Fine over Data Violation. https://www.bloomberg.com/news/articles/2021-07-30/amazon-given-record-888-million-eu-fine-for-data-privacy-breach
Frankenfield, J. (2023). Personally Identifiable Information (PII): Definition, Types, and Examples. https://www.investopedia.com/terms/p/personally-identifiable-information-pii.asp
Gillis, A. S. & Bernstein, C. (2024). Personally Identifiable Information (PII). https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII
IBM (2022). What is Personally Identifiable Information (PII)? https://www.ibm.com/think/topics/pii
IRS (2015). IRS Statement on the "Get Transcript" Application. https://www.irs.gov/newsroom/irs-statement-on-the-get-transcript-application
Margau, A. (2024). 2024 Essential Guide: What is Personally Identifiable Information (PII)? https://clym.io/blog/2024-essential-guide-what-is-personally-identifiable-information