Personally Identifiable Information (PII)


What is Personally Identifiable Information (PII)?

If you live in the U.S., then you’ve probably heard the term “Personally Identifiable Information,” or its acronym, PII, but what exactly does it mean?

Breaking Down PII

With all the recent data breaches and cyber attacks, PII comes up in the news quite a bit. As there is no law on the books that officially defines it, the definition of PII typically depends on the source.

One key source is the U.S. Department of Labor, which defines PII as any piece of “information that permits the identity of an individual to whom the information applies to be reasonably inferred, by either direct or indirect means.”

This can be things like your name, address, social security number, and phone number, but also much more, as we’ll see. All of this information can be used to uniquely identify who you are.

What Information Is Considered PII?

This list is far from exhaustive, but it will give you an idea of what type of info is considered PII:

  • Your Full Name
  • Phone Number
  • Social Security Number
  • Debit/Credit Card Number
  • Login ID
  • Social Media Posts
  • IP Address
  • Cookie ID
  • MAC Address
  • Email Address
  • Home Address
  • Passport Number
  • Car Registration/Tags
  • Driver’s License/ID Number
  • Bank Account Number
  • Biometrics (DNA, Fingerprints, Retina Scans, etc.)
  • Geographic Location (GPS)
  • Medical Records

But again, this will vary depending upon the definition. For instance, not everyone considers MAC addresses or IP addresses to be PII. Unlike personal data, which is strictly defined in the GDPR, PII really depends upon who you ask.

Is Linkable Information Considered PII?

Not all information can identify you by itself, but some of it can when combined with other pieces. This is called linkable information, sometimes also called “pseudo-identifiers” or “quasi-identifiers.”

For instance, your birthdate by itself won’t be enough for someone to track you down. How many people on the planet share the same birthday, right? However, if we have your birthdate, gender, and the city you were born in, then someone could reasonably identify you.

Latanya Sweeney and her Data Privacy Lab at Harvard University found that having at least three points of info was enough to identify roughly 80% of all the people in the United States.

Here are some examples of quasi-identifiers:

  • Gender
  • Race
  • Religion
  • Birthday
  • Zip Code
  • City/State of birth
  • School information

While quasi-identifiers aren’t considered PII in the United States, they do fall under the EU’s definition of personal data.
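Added example, not code from the original article: a small Python check, run over a constructed set of records (no real people), of how a dataset’s k-anonymity collapses as more quasi-identifiers are combined, and how generalizing those fields (year instead of full birthdate, three-digit ZIP prefix) restores it. The record values and attribute names are assumptions made for the illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed records (no real people): only quasi-identifiers, no direct PII.
RECORDS = [
    {"birthdate": "1985-03-12", "gender": "F", "zip": "02138"},
    {"birthdate": "1985-03-12", "gender": "M", "zip": "02138"},
    {"birthdate": "1985-03-12", "gender": "F", "zip": "02139"},
    {"birthdate": "1985-03-12", "gender": "M", "zip": "02139"},
    {"birthdate": "1990-07-04", "gender": "F", "zip": "02138"},
    {"birthdate": "1990-07-04", "gender": "F", "zip": "02139"},
    {"birthdate": "1990-07-04", "gender": "M", "zip": "02138"},
    {"birthdate": "1990-07-04", "gender": "M", "zip": "02139"},
    {"birthdate": "1985-03-12", "gender": "F", "zip": "02138"},  # duplicate of the first
]

def _key(record, attrs):
    return tuple(record[a] for a in attrs)

def k_anonymity(records, attrs):
    """Smallest number of records sharing one combination of `attrs`.
    k == 1 means at least one person is singled out by those attributes alone."""
    return min(Counter(_key(r, attrs) for r in records).values())

def unique_fraction(records, attrs):
    """Share of records that are alone in their group, i.e. re-identifiable."""
    sizes = Counter(_key(r, attrs) for r in records)
    return sum(1 for r in records if sizes[_key(r, attrs)] == 1) / len(records)

def risk_report(records, quasi_ids):
    """(k, unique share) for every subset of quasi-identifiers, singles up to all of them."""
    return {attrs: (k_anonymity(records, attrs), unique_fraction(records, attrs))
            for n in range(1, len(quasi_ids) + 1)
            for attrs in combinations(quasi_ids, n)}

def generalize(records):
    """Coarsen the quasi-identifiers: year instead of full birthdate, ZIP3 instead of ZIP5."""
    return [dict(r, birthdate=r["birthdate"][:4], zip=r["zip"][:3]) for r in records]

if __name__ == "__main__":
    qids = ("birthdate", "gender", "zip")
    for attrs, (k, frac) in risk_report(RECORDS, qids).items():
        print(f"{'+'.join(attrs):24s} k={k}  unique={frac:.0%}")
    print("after generalization: k =", k_anonymity(generalize(RECORDS), qids))
```

On this sample each single attribute leaves groups of at least four, each pair leaves groups of at least two, and all three together single out seven of the nine records; generalizing the fields brings the dataset back to k=2.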

What Information Is Not Considered PII?

By definition, non-PII is any information that cannot be used to uniquely identify you.

Here are a few examples of what could be non-PII:

  • Email addresses without personal info (e.g., support@company.com)
  • Company Cars
  • Anonymized Data

How Does PII Differ From Personal Data?

The biggest difference between PII and Personal Data is that Personal Data has been defined through legislation. Under Article 4 of the General Data Protection Regulation (GDPR), in the Definitions section, personal data is strictly defined as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

On the other hand, PII’s definition is scattered through different regulations and procedures, and there can be overlap with other laws like HIPAA and CCPA. There are a couple of organizations that do point us in the right direction so companies and the government can know what needs to be protected, and why. We gave the Labor Department’s version in the introduction, but another good source is the National Institute of Standards and Technology (NIST). They define PII as:

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

How Does PII Differ From PHI?

Protected Health Information (PHI), as defined under HIPAA, is any health information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether for diagnosis or treatment.

PHI can include:

  • The past, present, or future physical health or condition of an individual
  • Healthcare services rendered to an individual
  • Past, present, or future payment for the healthcare services rendered to an individual, along with any of HIPAA’s 18 identifiers.

In short, it’s all the medical records and conversations held between you and your healthcare provider. It’s regulated by law, and there are steep penalties for violating it and not staying HIPAA compliant. In most cases, PHI also counts as PII because it can be used to uniquely identify a person.

Is ‘Personal Information’ The Same As PII?

We’ve covered PII and Personal Data, which are terms from the U.S. and E.U. respectively. Now, let’s go over a few other jurisdictions where “personal information” is defined in its own context.

This term shows up in Canada, Australia, and New Zealand. And, again, unlike the U.S., these definitions are codified in law. Let’s take each country in turn.

  • Australia - personal information is “information or an opinion about an identified individual, or an individual who is reasonably identifiable: a) whether the information or opinion is true or not; b) whether the information or opinion is recorded in a material form or not” as defined in Privacy Act 1988.
  • Canada - PIPEDA defines personal information as “any factual or subjective information, recorded or not, about an identifiable individual.”
  • New Zealand - The Privacy Act 2020 simply says personal information is “information about an identifiable individual.” It’s one of the broadest definitions in the world and covers things from hair and eye color to name and ID number.

Some countries, New Zealand among them, explicitly state that terms like “PII” have no legal standing there. It’s important to be aware of the privacy laws in the countries you wish to do business in.

Why Is PII Valuable To Hackers And Criminals?

According to a report by RSA, around 45% of U.S. citizens had their information stolen in data breaches over the past five years. And while it might be obvious why thieves want credit card numbers, the rest of your info is just as valuable. The more detailed the profile, the higher the price it fetches on the dark web.

Hackers, fraudsters, and other wrongdoers can use this information to build a fake persona, open fake bank accounts, and take out loans in your name. Especially during and after the pandemic, cybercrime as a whole has been on the rise.

Criminals can do a lot of damage with only a few pieces of your info. With your name, social security number, and address, they can open up fraudulent accounts in your name. And after stealing something like your PHI, they could potentially get medications and medical care in your name, or use that information to try to blackmail you.

In some instances, it could be years before the breach is discovered or noticed on a credit report. By then, it’s too late, and recovering is difficult, if not impossible.

PII Security And Compliance

The University of Maryland found that a hacker is attacking someone every 40 seconds or so. So if you’re collecting information from customers, it’s important to keep it secure and protected. To that end, you need to understand how the info you collect could adversely affect customers should the worst happen.

NIST created a 61-page guide on keeping PII safe and secure. Losing your customers’ data not only negatively affects them, but it will also hurt your company’s reputation and bottom line. IBM found that a business will lose an average of $150 per record lost in a data breach.

Depending on what type of data you handle (e.g., PHI) or where you operate (e.g., the E.U.), you could face legal action alongside the financial and reputational hit. For instance, if you handle medical information, then you will be subject to HIPAA compliance rules and regulations. The cost of non-compliance can be crippling.

Key Takeaways

  • PII is Personally Identifiable Information and is a term that’s used mostly in the United States.
  • There are no laws on the books that strictly define it, but we can look to entities like the DOL or NIST to figure out what is and isn’t PII.
  • PII is NOT interchangeable with “Personal Data” or “Personal Information.” However, the types of information can overlap.
  • PII is valuable to hackers and fraudsters because they can use it to open bank accounts, take out loans, and commit other types of fraud.
