What is PII? Important Distinctions in Information Security

What Is PII?

PII is the acronym that keeps getting thrown around but never seems fully understood. It stands for "Personally Identifiable Information." Knowing what it stands for is just as important as knowing why it is becoming increasingly important to the integrity of your cybersecurity strategy. But what does this terminology really mean?

What Does Personally Identifiable Information Mean?

The U.S. General Services Administration considers PII information that can be specifically connected to an individual. This can be anything from names and addresses to more critical information like credit card numbers and Social Security information. Financial accounts, educational documents, medical records, employment papers and many public resources contain identifiable information. The U.S. General Services Administration (GSA) doesn't consider PII to fall within a specific category of information but believes at-risk data should be evaluated situationally to determine if it could successfully identify or trace a person.

Cybercriminals can use personally identifiable information to harm individuals. Increasing amounts of PII are collected and analyzed daily through social media, websites, e-commerce stores and other online platforms. Businesses and organizations within various industries use and share this information to understand how they can relate, market and sell to their customers. Hackers and cyberthreats lurk in the shadows, waiting to take advantage of security vulnerabilities to steal, use and sell this valuable data in underground marketplaces.

Types of PII

PII can be a direct identifier pointing exclusively to a specific individual, such as a passport. Since this kind of information is unique to an individual, things like DNA, fingerprints and other biometric records are also considered directly identifiable PII. Others are known as indirect or quasi-identifiers, requiring a combination of various details used in tandem for successful identification. Examples of these quasi-identifiers include race, ZIP code, and birth date.

Data can also be categorized into two distinct categories: sensitive and insensitive. These classifications denote the degree to which a person can be identified, and understanding these distinctions is crucial to successfully protecting this data. Without proper protection procedures and security measures, your customers' data will be defenseless against hackers and used to harm them or your company.

Sensitive PII

Personal information deemed sensitive requires more security to ensure it stays private. If a breach happened and the information was made public, the identified person could be exploited. With the right information, hackers can access bank accounts, steal identities and ruin lives.

Determining what sensitive PII is can be tricky because when non-sensitive information is combined with other information, criminals can use it just like sensitive information. Identifiers like passwords and criminal and medical histories are considered sensitive only when used with other quasi-identifiers. But, information that is always classified as "Sensitive" can be things like:

• Social Security number
• Full name
• Passport information
• Driver's license number
• Credit card information
• Financial documents
• ID numbers

Non-Sensitive PII

Non-sensitive PII is any information found within public records like phonebooks, directories and other in-person and online resources. While this information doesn't directly identify a person, cybercriminals can use non-sensitive PII like zip codes and street addresses in de-anonymization attempts to uncover someone's identity. Examples of these kinds of information include:

• Phone number
• Date of birth
• Street address
• Gender
• ZIP code
• Birth location
• Race
• Religion

Protecting Personally Identifiable Information

So, what can be done to protect this sensitive data? Ensure your security network complies with regulations set forth by governing bodies like the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST). Doing so will ensure your clients' information is safe and help your organization avoid lawsuits, penalties or fines.

How you store PII in a database is crucial to ward off hackers and keep information secure. Your data should always be protected by full disk encryption, converting it into an unreadable encoded format. You should also restrict physical drives containing information to your office and avoid transferring unencrypted data over the internet.

When your operations are not actively using data or the data has reached the end of its useful life, your organization should follow the proper steps to dispose of it. The top three actions you can take to protect PII include:

1. Back up your data to the cloud.
2. Install and regularly update high-quality security software.
3. Train employees on proper data handling.

Secure Your Sensitive Data With Compass IT Compliance

Compass IT Compliance is a premier information technology firm helping organizations safeguard sensitive data. Our professionals offer virtual and physical IT security services to outsmart cybercriminals and prevent data breaches. For more information on keeping PII secure or a specific question about your environment, please don't hesitate to contact us to speak with a specialist today!