Many online services these days require users to share personally identifiable information such as name, address, credit card information and other such details. Protecting this personal information is of crucial importance since such information in the hands of malicious actors can have huge financial repercussions for users as well as the organizations that deal with personal information.
What is PII?
Personally Identifiable Information (PII) is information that organizations can either use alone or in conjunction with other information to identify or locate an individual. PII may consist of direct identifiers like passport information that can instantly pinpoint an individual’s identity or quasi-identifiers like race or similar information that could be used with other quasi-identifiers like birth date to figure out a person’s identity.
What qualifies as PII?
Any information that can uniquely identify an individual can be termed PII. Though the definition of PII varies from one jurisdiction to another, the following types of information are widely considered PII:
- Full name
- Phone number
- Email address
- Passport number
- Driver’s license number
- Vehicle plate number
- Date of birth
- Genetic information
- Digital identity
- Credit card or debit card number
- Social security number
It is important to note that non-PII can become PII if additional information is made publicly available: such information, when combined with other data, can be used to trace an individual’s identity.
Understanding sensitive and non-sensitive PII
PII can be classified as sensitive or non-sensitive. Understanding which type of information you are dealing with helps determine the appropriate security measures to implement. Non-sensitive PII is information that is safe to transmit without encryption. It includes information that is readily available on websites, in directories or in public records, such as date of birth, race or religion, which cannot be used to identify an individual without the support of other relevant information.
Sensitive PII is information that may be transmitted only after adequate measures have been taken to safeguard it from unauthorized access. If it falls into the wrong hands, it can cause serious damage to the individual whose information is compromised. Such data must therefore be encrypted at rest and in transit so that breach attempts can be thwarted. Examples of sensitive data include medical information governed by HIPAA, financial information, driver’s license numbers, social security numbers and biometric data, among others.
Employee personnel records, tax information, unique employee identification numbers, passwords and digital account information are also classified as sensitive PII.
Personally Identifiable Information in Privacy Law
The concept of PII is prevalent in several countries. Let’s explore how the definition of PII varies depending on the various laws governing the use of personal information in respective countries.
1. PII in the United States
According to the National Institute of Standards and Technology’s (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information, PII includes any information, such as biometric records, the name of an individual or a social security number, that helps establish an individual’s identity.
2. PII in European Union
The European Union issued Directive 95/46/EC on PII, which states that PII is any information that can be used to identify an individual by means of an ID number or with the help of other factors such as physical, mental, cultural, physiological, economic or social identity.
3. PII in Australia
Australia’s Privacy Act 1988 defines PII as any information or opinion about an individual, whether true or not, whose identity is apparent or can reasonably be ascertained. Compared to other countries, this definition takes a much broader view of PII.
4. PII in New Zealand
According to New Zealand’s Privacy Act, personal information is any information such as name, contact details, health records, financial information and purchase records linked to a living, identifiable human being.
5. PII in Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act of Canada state that personal information is any data that could be used, alone or in combination with other data, to identify an individual.
PII Compliance Checklist
It is vital to safeguard Personally Identifiable Information, as it is an attractive target for malicious actors. Organizations that handle PII need to stay compliant with the relevant security standards and data privacy regulations. Here is a list of important steps organizations can take to ensure compliance:
1. Identify the data and places it’s stored
The first step is to identify all the PII that your organization collects and stores. Once you have identified the data, the next step is to determine all the places it is stored. The data could be stored in numerous locations, such as file servers, portals, cloud services and employee laptops, among others. It is important to have a clear picture of all storage locations. Besides location, the state of the data also needs to be considered. Data exists in three states: data in use, data at rest and data in motion. Appropriate PII protection measures need to be implemented for all three.
2. Classify PII
Data must be classified based on the extent of damage it can cause in the event of a breach. Data classification makes compliance easier. The three levels of data classification are as listed below:
- Restricted: Highly sensitive data that needs to be protected with tight security measures. The repercussions of such data falling into the wrong hands could be disastrous. Access should be granted only when the user needs to work with the data, and the data should remain inaccessible the rest of the time.
- Private: Data classified as private isn’t as sensitive as restricted data, but the damage in the event of a breach could still be significant. Access is provided only to those employees who need to interact with the data on a regular basis.
- Public: This is non-sensitive data with the least amount of restrictions for access.
3. Create a PII policy
You can create your own PII policy to regulate data processing in your organization. The GDPR (the EU regulation governing the use of personal data) outlines six data processing principles that can serve as a guide for companies looking to achieve compliance. Even if the GDPR does not apply in your jurisdiction, its security best practices can be followed to develop a PII protection plan. The six GDPR principles for processing PII are:
- PII processing should always be lawful, fair and transparent
- It should be done only for necessary business purposes
- Limit the use of personal information wherever possible
- Data should be kept accurate and up to date
- It should be completed within a stipulated time
- Integrity and confidentiality need to be maintained
The PII policy should outline the acceptable ways in which PII can be used within the organization. The main objective of creating a policy is to have a framework that regulates the use of PII within the organization.
4. Implement data security tools
After identifying and classifying the data, it’s time to apply security controls that block access by unauthorized users. Common data protection measures include endpoint management, encryption, two-factor authentication and secure storage.
Endpoint management: Endpoint management includes monitoring device firmware and hardware activity as well as installing antivirus protection for on-device security.
Encryption: Encrypting data at rest and in motion is a critical part of PII compliance. Encryption ensures the data is unintelligible to unauthorized users. The encryption keys must be protected as well, so that attackers cannot decrypt the data.
Two-factor or multi-factor authentication: Two-factor or multi-factor authentication requires users to present multiple pieces of evidence confirming their identity before they can gain access to a piece of information.
Secure storage: Organizations can ensure secure storage with the help of an encrypted hard drive or a cloud storage system with Data Loss Prevention (DLP) software. DLP protects sensitive data with obfuscation and de-identification methods and minimizes the overall risk.
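The obfuscation and de-identification that DLP tooling performs, and the key-protection point made under Encryption, can be illustrated with a small scanner. The following is an added example, not code from the original article or from any DLP product: it finds card numbers, social security numbers, e-mail addresses and phone numbers in free text, masks cards to their last four digits and replaces the other hits with keyed pseudonyms, so that equal values stay joinable without revealing the original. The sample record, the patterns and DEMO_KEY are constructed for the demo; in a real deployment the key would live in a KMS or HSM, separate from the data it protects.

```python
"""Detect and de-identify common PII patterns in free text.

Added example, not code from the original article. It illustrates two DLP
techniques the article names, obfuscation (masking) and de-identification
(keyed pseudonymization), over a constructed sample record. DEMO_KEY is a
constructed value; in production the key lives in a KMS or HSM, separate
from the data store, as the article's note on key protection requires.
"""
import hashlib
import hmac
import re

# One combined pattern so the text is scanned in a single pass and redacted
# output is never re-scanned. Order matters: card numbers are tried before
# the shorter phone pattern so a 16-digit number is not cut into pieces.
PII_RE = re.compile(
    r"(?P<card>\b\d(?:[ -]?\d){12,15}\b)"
    r"|(?P<ssn>\b\d{3}-\d{2}-\d{4}\b)"
    r"|(?P<email>\b[\w.+-]+@[\w-]+\.[\w.-]+\b)"
    r"|(?P<phone>\b\d{3}[ .-]?\d{3}[ .-]?\d{4}\b)"
)

DEMO_KEY = b"constructed-demo-key-rotate-me"  # constructed; not a real secret

# Constructed sample record. The 13-digit order reference is deliberately
# not Luhn-valid so it shows the false-positive filter at work.
SAMPLE = (
    "Customer Jane Doe, card 4111 1111 1111 1111, SSN 123-45-6789, "
    "email jane.doe@example.com, phone 555-123-4567. "
    "Order ref 1234567890123 should not be flagged."
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_real_hit(kind: str, value: str) -> bool:
    """Per-type validation so obvious false positives are not redacted."""
    if kind == "card":
        return luhn_valid(re.sub(r"\D", "", value))
    return True


def scan(text: str) -> list:
    """Return (kind, value) for each validated PII hit, in order of appearance."""
    return [
        (m.lastgroup, m.group(0))
        for m in PII_RE.finditer(text)
        if is_real_hit(m.lastgroup, m.group(0))
    ]


def pseudonymize(value: str, key: bytes) -> str:
    """De-identify: a keyed hash maps equal values to the same token,
    and the token cannot be reversed or recomputed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_card(value: str) -> str:
    """Obfuscate: keep only the last four digits, as printed receipts do."""
    digits = re.sub(r"\D", "", value)
    return "****-****-****-" + digits[-4:]


def redact(text: str, key: bytes) -> str:
    """Replace every validated hit with a masked or pseudonymized form."""
    def repl(m):
        kind, value = m.lastgroup, m.group(0)
        if not is_real_hit(kind, value):
            return value  # leave false positives untouched
        if kind == "card":
            return mask_card(value)
        return f"[{kind}:{pseudonymize(value, key)}]"
    return PII_RE.sub(repl, text)


if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE, DEMO_KEY))
```

Running the block prints the four validated hits and the redacted record; the Luhn-invalid order reference passes through untouched, which is the check that separates a usable scanner from one that floods reviewers with false positives. The same text redacted under a different key yields different tokens, which is why key custody matters as much as the encryption itself.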
5. Practice IAM
Identity and access management (IAM) refers to clearly defining access rules within the organization. Each user should be granted access according to their roles and responsibilities. Permission errors are especially likely during mergers and acquisitions, and role-based access controls are vital to avoid any accidental leak of information.
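The three classification levels from step 2 and the role-based access described here fit together as one enforceable check. The following is an added example, not code from the original article: every field of a record carries a level, every role a standing clearance, and Restricted fields are released only for a request that states a justification, which is the article's "only when the user needs to work with the data". Fields that nobody has classified are denied outright, so a newly added column cannot leak before it is reviewed. The field classes, roles and customer record are constructed for the demo.

```python
"""Role-based access to a record classified Restricted / Private / Public.

Added example, not code from the original article. Field classes, roles and
the customer record are constructed for the demo; a real system would load
the policy from configuration and ship the audit log to its SIEM.
"""
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


# Constructed classification of a customer record's fields. Any field that
# is not listed is unclassified and is denied to everyone until reviewed.
FIELD_CLASS = {
    "display_name": Level.PUBLIC,
    "email": Level.PRIVATE,
    "phone": Level.PRIVATE,
    "date_of_birth": Level.PRIVATE,
    "ssn": Level.RESTRICTED,
    "card_number": Level.RESTRICTED,
}

# Constructed roles and the highest level each may read on a standing basis.
ROLE_CLEARANCE = {
    "marketing": Level.PUBLIC,
    "support": Level.PRIVATE,
    "fraud_analyst": Level.RESTRICTED,
}

# Constructed sample record with synthetic values.
SAMPLE_RECORD = {
    "display_name": "J. Doe",
    "email": "jane.doe@example.com",
    "phone": "555-123-4567",
    "date_of_birth": "1990-01-01",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "loyalty_tier": "gold",  # unclassified: denied by default
}

AUDIT_LOG = []  # every decision on restricted or unclassified data is recorded


def classify(field: str) -> Optional[Level]:
    """Return the field's level, or None when nobody has classified it yet."""
    return FIELD_CLASS.get(field)


def can_read(role: str, field: str, justification: Optional[str] = None) -> bool:
    """Decide one field. Restricted data needs both clearance and a stated
    reason; unclassified data is refused regardless of role."""
    if role not in ROLE_CLEARANCE:
        raise PermissionError(f"unknown role: {role}")
    level = classify(field)
    if level is None:
        allowed = False
    elif level > ROLE_CLEARANCE[role]:
        allowed = False
    elif level == Level.RESTRICTED:
        allowed = bool(justification)
    else:
        allowed = True
    if level is None or level == Level.RESTRICTED:
        AUDIT_LOG.append({"role": role, "field": field,
                          "justification": justification, "allowed": allowed})
    return allowed


def view_record(role: str, record: dict, justification: Optional[str] = None) -> dict:
    """Return only the fields this role may see; nothing else leaves the function."""
    return {k: v for k, v in record.items() if can_read(role, k, justification)}


if __name__ == "__main__":
    print(view_record("marketing", SAMPLE_RECORD))
    print(view_record("support", SAMPLE_RECORD))
    print(view_record("fraud_analyst", SAMPLE_RECORD))
    print(view_record("fraud_analyst", SAMPLE_RECORD, "case 42: chargeback review"))
    print(len(AUDIT_LOG), "audited decisions")
```

The point of the filter living in one function is that callers never hold the full record and then decide what to show; they receive only what the role is cleared for. Logging every Restricted decision, allowed or denied, gives the monitoring step that follows something concrete to review.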
6. Monitor and take corrective actions
An organization must have an incident response plan ready in case of a breach. Regular monitoring of PII is mandatory. Unfortunately, most organizations don’t realize their data has been compromised until it’s too late. A recovery plan to address and limit the damage caused by a breach is absolutely critical. Failure to act on a breach in time will cause the situation to spiral out of control.
Data breaches can occur for various reasons, and it is up to organizations to deploy security measures so that no person with malicious intent can misuse the data. A study by Experian revealed that 42% of consumers consider it the company’s responsibility to safeguard their data, and around 64% of consumers said they would not want to associate with a company following a breach. These figures highlight the importance of PII compliance for organizations.
Non-compliance could lead to loss of business and consumer trust and attract penalties. A Gartner study suggests that more than 60% of the world’s population will be covered by personal data protection legislation in some form by 2023. With vast amounts of data being collected and transmitted, organizations are under tremendous pressure to ensure that security isn’t compromised at any point. PII compliance is an effective way to mitigate the risks associated with a data breach, and organizations can avoid falling prey to cyber attacks by adopting a proactive approach to security.
Appsealing is a frontrunner in providing robust security solutions for Android, iOS and Hybrid apps. Add scalable security to your apps with zero coding and protect your data from theft and manipulation. With no impact on app performance, our security solutions are designed for runtime protection and excellent compatibility with third-party tools. Get in touch with us today for comprehensive security with threat analytics on attack vectors.
1. What data cannot be termed as PII?
Any information that cannot be used on its own to link to an individual’s identity is non-PII. Data such as the name or details of the organization you work for, shared data or anonymized data does not fall under the category of PII.
2. What is a PII violation?
A PII violation is the illegal or unauthorized use of PII. Identity theft is one of the most common forms of PII violation. While unauthorized access to and disclosure of PII are violations, failing to report a breach attempt is also viewed as a violation.
3. How to transfer PII via email?
Email isn’t a secure channel for transmitting PII, so it’s recommended that users avoid sending PII by email. If there is no option other than email, make sure to apply encryption and other verification methods to tighten security.
4. What are the laws governing PII?
There are numerous federal and state consumer protection laws in place, such as the Federal Trade Commission Act and the Privacy Act of 1974, to protect personally identifiable information and penalize unauthorized access.