Cybersecurity 101:

Personally Identifiable Information (PII)

Personally identifiable information (PII) is any information or data that can be used to identify an individual. Sometimes a single piece of PII identifies a specific person on its own; at other times, several PII details must be combined to produce a precise match to an individual.

Bad actors take advantage of the growing number of situations in which people must present this personal information. An attacker who obtains a file holding the PII of thousands of individuals can use it to cause chaos in their lives, and can often distinguish or trace a specific individual’s identity from one or more direct identifiers.

When used appropriately and in accordance with the United States General Services Administration (GSA) Privacy Act and the Rules of Behavior for Handling Personally Identifiable Information (PII), this vital information serves as a set of shorthand identifiers for healthcare facilities, state motor vehicle agencies, and insurance companies.

What Qualifies as Personally Identifiable Information?

Personally identifiable information (PII) includes direct identifiers, which can precisely pinpoint someone’s identity on their own, such as the data required for a driver’s license or a passport. Such identification cards, passport books, and other documents typically carry a home address and a Social Security or driver’s license number.

Quasi-identifiers, such as information about racial heritage, do not identify a person by themselves, but combined with other quasi-identifiers, such as date of birth (DOB), they can be used to single out an individual.

Here are the primary types of PII businesses use to identify individuals:

  • Full name
  • Mailing address
  • Telephone number
  • Email address
  • Medical records
  • Financial information, such as credit card numbers, bank accounts, or credit report information
  • Passport information, such as places and dates of travel
  • Internet account numbers and passwords
  • Biometric information

Non-sensitive, or indirect, PII consists of the quasi-identifying information noted above, which is often a matter of public record or is collected so anonymously that it cannot easily be tied to an individual on its own.

Here are some examples of non-sensitive PII:

  • ZIP code
  • Race
  • Gender
  • Date of birth
  • Place of birth
  • Religion

While each of these quasi-identifiers can help identify an individual when combined with direct identifiers, they are of little value to bad actors on their own. Many non-sensitive PII elements appear on a driver’s license, passport, or billing record; still, without a direct identifier, even skilled attackers often reach a dead end when attempting to use them for fraud.
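The combining effect described above, where quasi-identifiers that mean little alone narrow a population down to one person, can be measured. The following is an added Python example, not code from the original article, that computes the k-anonymity of a record set after the names have been removed and then coarsens ZIP code and date of birth step by step until no combination of quasi-identifiers is unique. Every name, ZIP code, date of birth and diagnosis in the sample is constructed, and the order of coarsening steps is an assumption chosen for illustration.

```python
"""Re-identification risk from quasi-identifiers: a k-anonymity check.

Added example, not code from the original article. Every record below is
constructed: the names, ZIP codes, dates of birth and diagnoses are made up.
"""
from collections import Counter
from datetime import date

# Constructed sample: one direct identifier (name), three quasi-identifiers
# (zip, dob, gender) and one sensitive attribute (diagnosis).
RECORDS = [
    {"name": "Person A", "zip": "02139", "dob": date(1980, 3, 14), "gender": "F", "diagnosis": "flu"},
    {"name": "Person B", "zip": "02141", "dob": date(1980, 11, 2), "gender": "F", "diagnosis": "asthma"},
    {"name": "Person C", "zip": "02139", "dob": date(1981, 7, 22), "gender": "M", "diagnosis": "flu"},
    {"name": "Person D", "zip": "02142", "dob": date(1983, 1, 30), "gender": "M", "diagnosis": "diabetes"},
    {"name": "Person E", "zip": "10001", "dob": date(1975, 5, 5), "gender": "F", "diagnosis": "flu"},
    {"name": "Person F", "zip": "10002", "dob": date(1977, 9, 9), "gender": "F", "diagnosis": "migraine"},
    {"name": "Person G", "zip": "10003", "dob": date(1976, 12, 25), "gender": "M", "diagnosis": "asthma"},
    {"name": "Person H", "zip": "10004", "dob": date(1979, 2, 2), "gender": "M", "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("zip", "dob", "gender")

# Coarsening steps tried in order (an assumption for this example):
# (ZIP digits kept, date-of-birth granularity, keep gender?)
GENERALIZATION_LADDER = [
    (5, "day", True),
    (3, "year", True),
    (3, "decade", True),
    (0, "decade", True),
    (0, "decade", False),
]


def drop_direct_identifiers(records):
    """Removing the name is necessary but, as the numbers show, not sufficient."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group rows by their quasi-identifier tuple. The size of each group is how
    many people an outsider who knows that tuple could still confuse together."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """k = size of the smallest group. k == 1 means at least one row is unique
    on its quasi-identifiers alone, even though the name is gone."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi=QUASI_IDENTIFIERS):
    """Share of rows that are the only member of their group."""
    classes = equivalence_classes(records, quasi)
    singletons = sum(size for size in classes.values() if size == 1)
    return singletons / len(records) if records else 0.0


def generalize(record, zip_digits, dob_granularity, keep_gender):
    """Return a copy of the record with its quasi-identifiers coarsened."""
    r = dict(record)
    z = record["zip"]
    r["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)
    dob = record["dob"]
    if dob_granularity == "day":
        r["dob"] = dob.isoformat()
    elif dob_granularity == "year":
        r["dob"] = str(dob.year)
    else:  # "decade"
        r["dob"] = f"{dob.year // 10 * 10}s"
    r["gender"] = record["gender"] if keep_gender else "*"
    return r


def anonymize(records, k_target):
    """Apply ladder steps until every quasi-identifier group holds at least
    k_target rows. Returns (ladder_level_used, generalized_records)."""
    stripped = drop_direct_identifiers(records)
    for level, params in enumerate(GENERALIZATION_LADDER):
        generalized = [generalize(r, *params) for r in stripped]
        if k_anonymity(generalized) >= k_target:
            return level, generalized
    raise ValueError(f"k={k_target} is not reachable with this ladder")


if __name__ == "__main__":
    stripped = drop_direct_identifiers(RECORDS)
    print("names removed, raw quasi-identifiers:",
          f"k={k_anonymity(stripped)}, unique rows={unique_fraction(stripped):.0%}")
    for target in (2, 4):
        level, rows = anonymize(RECORDS, target)
        print(f"k>={target} reached at ladder level {level}:", GENERALIZATION_LADDER[level])
        for row in rows[:2]:
            print("   ", row)
```

With the names stripped but full ZIP code and date of birth kept, every one of the eight constructed rows is unique, so the set is only 1-anonymous. Truncating the ZIP code to three digits and the date of birth to a decade is what it takes before each combination matches at least two rows; reaching k = 4 on this tiny set requires suppressing ZIP code and gender entirely, which is the usual trade-off between re-identification risk and the usefulness of the released data.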

Who Officially Collects Personally Identifiable Information?

Nearly every business today collects, stores, transmits, and processes PII to some degree. Some organizations, however, hold more sensitive information than others, such as healthcare organizations and state departments or bureaus of motor vehicles.

At the same time, big data has become a major force in business, offering companies insights into customers’ buying patterns, browsing behaviors, geographic location, and more. Data is now a core component of modern business, and consumers are handing over more PII all the time.

Some Unofficial Bad Actors Want Access To Personally Identifiable Information

The problem with sharing such vital information is that data breaches are continually on the rise. Cyberattackers recognize the value of this information, which serves as a shortcut to learning someone’s life story, including their financial details.

If attackers cannot steal directly from a data breach victim, they can still damage the victim’s reputation, for example by using their Social Security number to open credit card accounts and much more.

Why Is Personally Identifiable Information Valuable to Hackers and Fraudsters?

Cyberattackers never stop searching for ways to extract every possible ill-gotten benefit from a data breach. PII is detail-rich and makes it quick and easy to identify and terrorize individuals who had to place their trust in a hospital, a bank, or the IRS.

How Do Thieves Gain Access To Personally Identifiable Information?

Data theft and large-scale data breaches have become so commonplace that individuals barely pay attention unless one directly affects them.

There are also risks closer to home that everyone needs to consider. The danger is present for everyone, since we all share PII daily, and once it is in the hands of a third party, all the owner can do is wait and hope it is not misused.

Here are a few ways that thieves get to know individuals through their PII, whether they like it or not:

  • Mailbox Theft. Many people leave mail sitting in the postal box for days at a time, thanks to online banking and bill payment. Each piece of mail is data-rich, including notifications from the Bureau of Motor Vehicles, medical bills, and credit card statements.
  • Dumpster Diving. The trash bin or the dumpster is the next stop after the mailbox, so if a criminal does not want to risk going onto someone’s porch, the dumpster is a safer bet. They can find all the same information in discarded mail without drawing as much attention.

Additional ways criminals gain access to PII include unsecured wireless access, lost-and-found incidents, phishing and pretexting scams, social media, and other social engineering maneuvers.

These are just a few of the alternative ways thieves gain access to an individual’s identity, and they are just as dangerous as data breaches launched to steal personal or identifying information.

How Does the GDPR Address PII?

The General Data Protection Regulation (GDPR) went into effect in May 2019 with the primary goal of protecting the privacy of European Union (EU) consumers and safeguarding their data. The GDPR requires businesses across the EU and worldwide to comply with its extensive requirements for securing the data of their employees, customers, and third-party vendors.

The information businesses must secure includes PII, and they are under a legal obligation to keep it safe.

The European Parliament designed the GDPR to protect EU consumers, first and foremost, essentially giving them free rein over their PII. Here are a few ways EU consumers can control their personal information when doing business:

  • Request that businesses delete PII
  • Request to have factual errors corrected
  • Request access to stored personal data
  • Request an export of their personal data to review and reuse as they wish

What Are the Best Ways Businesses Can Safeguard PII?

All businesses can take special steps to protect customer PII for everyone’s benefit. Here are a few of the best ways to keep this vital information safe from criminals, online and everywhere else:

  • Encrypt data when sharing or storing electronically
  • Implement strong password policies for smartphones, tablets, and laptops
  • Encourage employees to use different passwords for each website, application, and account
  • Create additional security protocols, such as website security questions
  • Take special care with retired computers and other devices, removing and destroying hard drives before disposing of or donating them. As a final step, restore the device to its original settings to ensure nothing remains on it before discarding it.
  • Use a shredder to dispose of hard copies of documents properly. Thoroughly shred each document to ensure that no PII is discernible.
  • Remind employees and management not to leave PII-rich documents at the copier, or anyplace else they might stop while working on a file.

The more businesses do to remain vigilant about PII, the better chance they will keep it safe from data breaches and any other threats.
