Key Takeaways:
- PII encompasses data that can identify an individual, including names, identification numbers, and personal characteristics.
- It is divided into sensitive PII, which poses high risks if misused, and non-sensitive PII, which is less risky but can be harmful when combined with other data.
- PII is collected through direct submissions, online activities, surveillance, public records, devices, third-party sources, and hacking.
- It’s used for various purposes including identity verification, marketing, business operations, healthcare, law enforcement, and research.
- Misuse of PII can lead to identity theft and fraud, necessitating protective measures like strong passwords and legal safeguards like HIPAA and GDPR.
In today’s increasingly digital world, our online activities leave a trail of personal information that is collected, processed, and shared by organizations, companies, and even malicious individuals. This data, known as Personally Identifiable Information (PII), has become a valuable commodity, often used for marketing, identity verification, and even criminal activities. Therefore, it is crucial to understand what constitutes PII and take appropriate measures to protect it.
What Is Personally Identifiable Information (PII)?
Personally Identifiable Information, commonly known as PII, comprises any data that can be used to identify or trace an individual’s identity. This could be a single piece of information or a combination of different data elements that, when linked together, can reveal a person’s identity. The term PII is broad, encompassing various data types. Whether a given data element counts as PII is determined by assessing its potential, alone or in combination with other data, to disclose an individual’s identity.
Examples of PII
The National Institute of Standards and Technology (NIST) defines PII to include a range of data, such as:
- Names: Including full name, maiden name, mother’s maiden name, or alias.
- Personal Identification Numbers: Social security, passport, driver’s license, taxpayer, patient identification, and financial account numbers.
- Addresses: Both street and email addresses.
- Asset Information: IP and MAC addresses.
- Telephone Numbers: Mobile, business, and personal.
- Personal Characteristics: Photos, fingerprints, handwriting, retina scans, voice signatures, and facial geometry.
- Property Information: Vehicle registration and title numbers.
- Additional Information: Birth dates, race, religion, weight, activities, employment, medical, educational, and financial data.
On its own, some information may not qualify as PII, including:
- First name or last name
- Gender
- Race
- Age range
- Job position
However, these pieces of information can become PII when combined or linked with other data. For instance, a first name, when associated with a last name and address, can easily identify a specific individual.
Categories of PII
PII can be classified into two distinct categories: sensitive PII and non-sensitive PII. The distinction lies in their varying levels of sensitivity and the potential risks associated with their exposure or misuse.
Sensitive PII: This category carries a high degree of risk if compromised. Examples include social security numbers, financial account information, biometric data, medical records, and PII of minors. These types of data can lead to financial fraud, identity theft, and other severe consequences.
Non-sensitive PII: This category typically encompasses information that is readily available to the public, such as contact information, name, educational background, and demographic details. While the potential harm associated with non-sensitive PII is lower, it’s crucial to protect it from misuse to safeguard individuals’ privacy.
How PII Is Collected
While collecting PII is necessary for many business and personal transactions, it also poses a significant privacy and security risk. Here’s a breakdown of common PII collection methods:
- Directly from individuals: Individuals provide their PII through various means, such as online forms, face-to-face interactions, phone calls, opening social media accounts, and paper forms.
- Through online activities: People leave trails of PII, known as a digital footprint, as they interact on social media, visit websites, and make online purchases. Examples of information collected this way include IP address, browsing history, login credentials, email address, phone numbers, and payment and shipping information.
- From surveillance cameras: Cameras placed in public places or business locations collect PII, such as images, location information, and timestamps.
- From public records: Governments collect PII to deliver social and legal benefits, such as administering social services and fulfilling legal obligations, and much of it becomes public record. Court records, voter registration lists, and property records contain PII such as name, address, birthdate, criminal records, marriage certificates, property ownership records, and employment history.
- From devices and sensors: Devices and sensors such as smartphones, wearable technology, and Internet of Things (IoT) devices collect PII from their users, including activity, location, and biometric information.
- From third-party sources: Data brokers, also known as information brokers, are the major sources involved in gathering, transforming, packaging, and selling personal data.
- From unethical hackers: Hackers use spyware, viruses, backdoors, social engineering, or other methods to steal PII from individuals, companies, governments, and other organizations.
What Is PII used for?
Personally identifiable information is widespread and has become integral to modern life. PII is used for a variety of purposes, including:
- Identity verification: Financial institutions and other organizations use PII to verify their customers’ identities during Know Your Customer (KYC) processes, as part of their anti-money laundering (AML) regulatory requirements, to prevent terrorism financing and other financial crimes.
- Personalized marketing: Businesses use personally identifiable information to personalize their offerings to each user and to target their marketing efforts to the right audiences.
- Business operations: Many organizations use PII to manage operations and provide services to their customers.
- Healthcare: Healthcare providers collect and use PII to manage patient records, provide treatment, and bill insurance companies.
- Employment: Employers use PII to verify job applicants’ identities and conduct background checks. Companies use PII to manage employee records, payroll, and benefits.
- To register and access government services: Governments use personally identifiable information to provide citizens with services like passports, driver’s licenses, and social security cards. PII is used to verify a person’s identity and eligibility for services and to administer social benefits.
- Law enforcement: Fingerprints, DNA, and surveillance data are examples of PII used in criminal investigations to identify and track suspects.
- Education: PII helps manage students’ academic records in school settings.
- Research: Researchers may collect PII as part of a study or survey.
The Misuse of PII
The collection and use of Personally Identifiable Information (PII) are increasingly common in our digitally-driven society. However, when PII falls into the hands of malicious actors and criminals, it can be misused in the victim’s name to:
- obtain prescription drugs
- claim benefits
- file false tax returns
- travel across international borders
- receive medical treatment
- seek employment
- engage in other criminal activities
These exploitations can cause embarrassment, inconvenience, reputational damage, emotional harm, financial loss, unfairness, and in some cases, risk to personal safety. Innocent individuals might be wrongly arrested or charged by law enforcement, while professionals like pharmacists and doctors could suffer irreparable harm to their reputations. Furthermore, individuals may face suspension or termination of their benefits, while organizations might incur public trust loss, legal liabilities, or remediation costs.
Highlighting the scale of this issue, a 2023 report from the Identity Theft Resource Center revealed a record high in data breaches, with a 14% increase over the previous record, resulting in 733 compromises affecting more than 66 million victims. This alarming trend underscores the urgency for individuals and organizations to adopt robust measures to protect PII from falling into the wrong hands.
Best Practices for PII Management in Organizations
In today’s data-driven world, organizations must prioritize the protection of PII to safeguard individuals’ privacy and prevent potential data breaches. Here are some essential best practices for effective PII management:
- Identify all personal information in the organization’s possession by checking databases, shared networks, drives, backup tapes, and contractor sites for any PII that may have been collected.
- Limit the use, collection, and retention of PII to only what’s necessary to achieve business goals.
- Categorize PII by its confidentiality impact level: low, moderate, or high. The level reflects the potential harm to individuals and the organization if the data is accessed, used, or disclosed without authorization.
- Apply appropriate safeguards based on the PII confidentiality impact level.
- Develop an incident response plan to handle breaches involving personal information.
- Encourage close coordination among relevant experts.
- Create ongoing awareness, training, and education programs for staff.
- Put strict policies and procedures in place for managing vendors and third-party service providers that handle personal information.
- Comply with all applicable laws and regulations guiding personal information.
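As an added example (not from the article or from Identity.com), the Python script below shows the first four practices in miniature on constructed records: it finds PII fields, ranks each record by an assumed low/moderate/high impact level, counts the inventory, and redacts values at or above a chosen level. The regexes, the PII-type-to-impact-level mapping, and the sample records are all assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Regexes for some of the PII types the article lists (NIST examples), each
# paired with an assumed confidentiality impact level. Both the patterns and
# the low/moderate/high mapping are this example's own assumptions.
PATTERNS: Dict[str, Tuple[re.Pattern, str]] = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "card":  (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "high"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "moderate"),
    "phone": (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "moderate"),
    "ipv4":  (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "low"),
    "mac":   (re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"), "low"),
}
RANK = {"none": 0, "low": 1, "moderate": 2, "high": 3}

# Constructed sample rows (database export, shared drive, web log); not real people.
SAMPLE_RECORDS = [
    "name=Jane Doe email=jane.doe@example.com phone=555-123-4567",
    "ssn=123-45-6789 card=4111 1111 1111 1111 note=payroll export",
    "client=10.0.0.12 mac=00:1A:2B:3C:4D:5E ua=Mozilla/5.0",
    "first=Bob dept=sales",
]

def classify(text: str) -> Tuple[str, List[str]]:
    """Return (highest impact level found, list of PII types detected)."""
    found = [name for name, (rx, _) in PATTERNS.items() if rx.search(text)]
    level = max((PATTERNS[n][1] for n in found), key=RANK.__getitem__, default="none")
    return level, found

def redact(text: str, min_level: str = "moderate") -> str:
    """Mask every match at or above min_level; lower-impact types stay readable."""
    for name, (rx, level) in PATTERNS.items():
        if RANK[level] >= RANK[min_level]:
            text = rx.sub(f"[{name.upper()}]", text)
    return text

def inventory(records: List[str]) -> Dict[str, int]:
    """Count records per impact level: the first step of a PII inventory."""
    counts = {lvl: 0 for lvl in RANK}
    for rec in records:
        counts[classify(rec)[0]] += 1
    return counts

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        level, found = classify(rec)
        print(f"{level:8} {found} -> {redact(rec)}")
    print(inventory(SAMPLE_RECORDS))
```

Pattern-based detection produces false positives and misses free-text PII such as names, so in practice the output is a starting point for a manual review, not a final inventory.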
How Can Individuals Protect Their PII?
To minimize the risk of data breaches, identity theft, fraud, and other cybercrimes that can result in significant losses, individuals should adopt the following safeguards:
- Use unique and strong passwords on accounts and devices.
- Enable Two-Factor Authentication (2FA) wherever possible.
- Be cautious of phishing scams.
- Regularly review privacy settings on accounts and devices.
- Use strong and updated security measures on devices like firewalls, antivirus software, and regular software updates. Avoid using public Wi-Fi networks for sensitive activities like online banking or accessing confidential information.
- Be cautious about sharing personally identifiable information, both online and offline. Only provide it to trusted sources and for legitimate purposes. Avoid sharing sensitive information, such as social security numbers or financial details, unless necessary.
- Dispose of physical documents or electronic devices that contain PII properly and securely. Shred paper documents containing sensitive information before discarding them, and wipe the data from electronic devices before disposing of them properly.
- Be cautious about the personally identifiable information you provide online and the permissions you grant to apps and websites. Be mindful of the data they collect and how they use it. Read privacy policies and terms of service before providing PII, and opt out of data collection or sharing whenever possible.
- Stay updated about the latest threats, scams, and best practices for protecting PII. Follow reliable sources of information, such as reputable security websites or government agencies, to stay informed about potential risks and emerging threats.
Laws Protecting PII
Many organizations are subject to United States (US) laws, regulations, or other mandates governing the obligation to protect personal information, such as:
- The Privacy Act of 1974
- OMB memoranda
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
In addition, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), have additional legal obligations to protect certain types of PII. Some organizations are also subject to specific legal requirements based on their role. Violations of these laws can result in civil or criminal penalties. Organizations must protect personal information using policies, standards, or management directives specifically designed for their needs. The California Consumer Privacy Act (CCPA) also governs PII in California.
In the European Union (EU) and United Kingdom (UK), PII is referred to as personal data. The General Data Protection Regulation (GDPR) governs the collection and use of personal data.
Conclusion
Personally identifiable information is critical in today’s digital world, enabling governments and organizations to provide personalized services and products. However, the collection and use of PII also pose significant risks to individuals’ privacy and security. Organizations and individuals alike have a responsibility to handle PII responsibly and securely. By understanding the risks associated with personal information and taking steps to protect it, organizations and individuals can help minimize the potential for harm.
Identity.com
One of our pursuits as an identity-focused company is a user-centric internet, where users have control over their PII. That is why Identity.com actively contributes to this future through identity management systems and protocols that provide better collection and protection of users’ PII. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.