Personally Identifiable Information (PII) is any data that, alone or in combination, can be used to distinguish a specific individual. It is considered sensitive data, and it is the raw material of identity theft. PII can be as simple as a user’s name, address, and date of birth, or as sensitive as a full name combined with an address, social security number, and financial data. In a data breach, PII is a prime target for attackers because of its resale value on darknet markets.
What is Considered PII?
No single rule determines what is PII and what is not. Individual data elements differ in how strongly they identify someone: a social security number is a direct identifier that points to exactly one person, while a full name on its own usually does not, because many people share it. A first and last name narrow the field of candidates, but without an address or other specifics the individual may still remain effectively anonymous. For data to function as PII it must, alone or combined with other data the attacker can obtain, single out one individual among millions.
Although there is no single definition of PII, the following data elements are commonly treated as PII, and any or all of them may be exposed in a breach:
- First name
- Last name
- Billing address
- Home address
- Social security number
- Passport information (or an image of it)
- Driver’s license number (or an image of it)
- Credit card data (number, CVV, expiration date)
- Date of birth
- Telephone number
- Authentication credentials (username and password)
The above information can identify a person directly, but additional data is often even more useful to an attacker. The following items (often called quasi-identifiers) are of little use on their own, but combined with each other or with the information above they can narrow a search to a single person and support identity theft:
- Just first or last name, not the full name
- Country and/or city
- Age range (e.g., 30-40 years old)
- Job position or career information
This list is not exhaustive. Any information that can be used to identify an individual could be considered PII, and it is this information that organisations must protect from attackers.
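The point that "harmless" attributes identify people once combined can be measured rather than asserted. The following is an added example (not code from the original page) that computes k-anonymity over a small constructed dataset of first name, city, age range, and job, and finds the smallest combination of fields that already singles somebody out. The records, field names, and helper names are all constructed for the illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample dataset (not real people). It holds only the "harmless"
# attributes listed above: no full name, no address, no SSN.
RECORDS = [
    {"first_name": "John", "city": "Leeds", "age_range": "30-40", "job": "Nurse"},
    {"first_name": "John", "city": "Leeds", "age_range": "30-40", "job": "Nurse"},
    {"first_name": "John", "city": "Leeds", "age_range": "30-40", "job": "Nurse"},
    {"first_name": "Jane", "city": "Leeds", "age_range": "30-40", "job": "Nurse"},
    {"first_name": "Jane", "city": "York", "age_range": "40-50", "job": "Teacher"},
    {"first_name": "Jane", "city": "York", "age_range": "40-50", "job": "Teacher"},
    {"first_name": "Sam", "city": "York", "age_range": "20-30", "job": "Engineer"},
    {"first_name": "Sam", "city": "Leeds", "age_range": "20-30", "job": "Engineer"},
]
QUASI_IDENTIFIERS = ("first_name", "city", "age_range", "job")


def equivalence_classes(records, fields):
    """Group records by the values of the chosen fields.

    Returns {value_tuple: number_of_records}. Records in the same class are
    indistinguishable from each other using only those fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """k-anonymity of the dataset with respect to `fields`: the size of the
    smallest class. k == 1 means at least one person is singled out."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def singled_out(records, fields):
    """Value combinations that match exactly one record, i.e. the people an
    attacker can re-identify from these fields alone."""
    return sorted(key for key, n in equivalence_classes(records, fields).items() if n == 1)


def smallest_identifying_subset(records, fields):
    """Fewest fields (first found, in combinations() order) whose combination
    already singles somebody out. None if no subset does."""
    for size in range(1, len(fields) + 1):
        for subset in combinations(fields, size):
            if k_anonymity(records, subset) == 1:
                return subset
    return None


if __name__ == "__main__":
    for f in QUASI_IDENTIFIERS:
        print(f"{f:>10}: k = {k_anonymity(RECORDS, (f,))}")
    subset = smallest_identifying_subset(RECORDS, QUASI_IDENTIFIERS)
    print("smallest identifying combination:", subset)
    print("re-identified:", singled_out(RECORDS, subset))
```

Every single field on its own gives k of at least 2 (nobody is unique by first name, city, age range, or job alone), yet first name plus city already isolates three of the eight records. That is the practical reason a "non-sensitive" column cannot be judged in isolation: what matters is the k of the whole combination an attacker can assemble.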
Sensitive versus Non-Sensitive PII
It is important to distinguish between sensitive and non-sensitive PII, because sensitive information is covered by compliance regimes that prescribe specific security controls. Highly sensitive data such as social security numbers and financial data requires the strongest protection.
As with PII itself, there is no single rule for what counts as sensitive. A useful first test is whether the information is already public, for example listed in a phone book or a public register, or whether it can only be obtained from a private source. A public phone number and a name are not private data. An employee’s name and email address found in a corporate directory are not sensitive, but the employee’s private phone number and home address are. This test is a starting point rather than a rule: combining several public elements can still produce a sensitive profile.
Regulatory standards define how sensitive data must be stored and transferred. Sensitive data must be encrypted both when stored and when transferred across a network. Data stored on a drive or in a database is referred to as “data at rest”; data transferred across an internal or external network is referred to as “data in motion” (or “data in transit”). Both states are exposed to attackers and both need strong defences: encrypting data in transit with TLS protects nothing if the database behind it holds cleartext, and the reverse is equally true.
In addition to PII, protected health information (PHI) and financial data are also regulated. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare data and sets security requirements for doctors, hospitals, dentists, insurers, and other covered entities and their business associates. Financial data is covered by several standards and regulators, including the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data, the Financial Industry Regulatory Authority (FINRA), and the Sarbanes-Oxley Act (SOX). Violations can result in fines running into millions of dollars, so ensuring that data regulated by any of these regimes is properly protected is crucial.
What is PII Under General Data Protection Regulation (GDPR)?
The European Union General Data Protection Regulation (GDPR) defines how organisations must handle what it calls “personal data”, a term broader than PII as used in the United States. It sets out what counts as personal data and what must be done to store, secure, and delete it. A GDPR compliance checklist offers organisations a way to check whether their handling of personal data is on the right track.
GDPR draws a line at 250 employees: organisations below that threshold are exempt from some of the record-keeping obligations in Article 30, but not from the security requirements. Encryption of data at rest and in motion is one of the safeguards Article 32 names explicitly, alongside pseudonymisation. Note that encryption does not anonymise data: whoever holds the key can still read it, so encrypted data remains personal data. What encryption does is render stolen data unintelligible to anyone who obtains the ciphertext without the key. Even an attacker who compromises an internal network then gets nothing usable, provided the keys are stored separately from the data and were not taken as well.
GDPR also grants EU residents rights over their data. Organisations must not only make data protection a priority when engineering defences, they must give customers an easy way to find out how their data is used and to request its deletion. Customers must also be able to object to the collection and use of their data, and the organisation must be able to act on such requests, which means knowing where every copy of the data lives, including backups and logs.
If an organisation must follow GDPR, it is essential to review the law’s own requirements, because they differ from other regimes. For instance, GDPR’s definition of personal data expressly includes identifiers such as names, identification numbers, location data, and online identifiers, so a cookie or device identifier can itself be personal data. Attaching such an identifier to otherwise weak personal information is what lets an attacker pin down an individual. An attacker cannot do much with the name “John Doe” alone, but combined with geolocation data they can narrow the search to the correct John Doe.
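The difference between pseudonymisation and anonymisation mentioned above is easy to demonstrate on a low-entropy identifier such as a date of birth. The following is an added example, not code from the original page: it compares an unkeyed SHA-256 of a date of birth (which an attacker reverses by enumerating every plausible date) with an HMAC-SHA256 pseudonym (which the attacker cannot reverse without the key, but the key holder can). The date of birth, the year range, and the function names are constructed for the illustration; the key is assumed to live in a separate secrets store, never next to the records.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


def new_key() -> bytes:
    # Assumption: in production this key is held in a KMS/HSM, separate from the data.
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for the same input and key, so
    records can still be joined, but unlinkable without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. This is NOT anonymisation for guessable identifiers."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dob_candidates(start_year: int = 1950, end_year: int = 2010):
    """Every ISO date in the range: roughly 22,000 values, trivially enumerable."""
    d, end = date(start_year, 1, 1), date(end_year, 12, 31)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def dictionary_attack(target_digest: str, candidates, digest_fn):
    """Return the candidate whose digest matches the target, or None."""
    for c in candidates:
        if hmac.compare_digest(digest_fn(c), target_digest):
            return c
    return None


def attack_unkeyed(stolen_digest: str):
    """Attacker holds a leaked unkeyed hash of a date of birth."""
    return dictionary_attack(stolen_digest, dob_candidates(), naive_hash)


def attack_keyed(stolen_pseudonym: str):
    """Attacker holds a leaked HMAC pseudonym but not the key, so the best
    they can do is hash the candidates themselves."""
    return dictionary_attack(stolen_pseudonym, dob_candidates(), naive_hash)


def keyholder_relink(pseudonym: str, key: bytes):
    """The controller, or anyone who steals the key, reverses the pseudonym by
    re-deriving it for each candidate. That is why this is pseudonymisation,
    not anonymisation: the data stays personal data for the key holder."""
    return dictionary_attack(pseudonym, dob_candidates(), lambda c: pseudonymise(c, key))


def keyholder_roundtrip(dob: str) -> bool:
    """True if the key holder recovers the original value from its pseudonym."""
    key = new_key()
    return keyholder_relink(pseudonymise(dob, key), key) == dob


if __name__ == "__main__":
    dob = "1987-06-15"  # constructed value, not a real person
    key = new_key()
    print("unkeyed hash recovered by attacker:", attack_unkeyed(naive_hash(dob)))
    print("HMAC pseudonym recovered without key:", attack_keyed(pseudonymise(dob, key)))
    print("HMAC pseudonym recovered by key holder:", keyholder_relink(pseudonymise(dob, key), key))
```

The same reasoning applies to encrypted fields: ciphertext without the key is unintelligible to an attacker, but it is reversible for the key holder, so the controller is still processing personal data and still owes the data subject the rights described above. It also shows why key storage matters: once the key leaks, every pseudonym in the breach re-links.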
Best Cybersecurity Practices for Working with PII
Regulatory compliance standards are a good baseline for securing sensitive data. They are an excellent place to start when designing security policies and governing how data is used, but they do not provide a complete set of controls for every corporate system. Additional controls should be chosen based on the organisation’s own risk assessment and requirements.
For instance, HIPAA and PCI DSS require TLS (HTTPS) when sensitive data is transferred over public networks, and PCI DSS requires stored cardholder data to be encrypted or otherwise rendered unreadable. Those requirements say little about internal access paths, backups, archives, log files, or which roles within the organisation may view PII, so you still need to define those controls yourself: least-privilege access, encrypted backups with separately managed keys, retention limits, and audit logging of who viewed which records. If users access PII remotely, they should be required to use a VPN and multifactor authentication (MFA).
Phishing and social engineering are the most common routes to credential theft. Employees should be taught about the dangers of phishing and social engineering, how to recognise an attack, and how to report it. Training on the regulatory rules that govern the data they handle should be part of the same programme. Technical controls help as well: email filtering, SPF, DKIM, and DMARC (which stop attackers from spoofing your own domain, but not mail sent from look-alike domains), and DNS-based content blockers that prevent users from reaching known phishing sites.
Security strategies must be reviewed regularly, at least annually, and some organisations do so more often. The lessons-learned phase of incident response also surfaces weaknesses in strategy, but only after a breach has already happened. Regularly reviewing current strategies and the deployed infrastructure helps IT staff find weaknesses in their defences before an attacker does.
PHI, PII, personal financial information (PFI), and electronic PHI (ePHI) are all forms of data that must be protected both physically and logically. The first step is to identify every way the organisation collects and stores such data, identify the regulatory standards that govern how it must be handled, and then apply controls that satisfy all of those guidelines.
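Identifying where PII lives in practice usually starts with scanning stores and logs for the formats listed earlier, such as social security numbers and card numbers. The following is an added example (not code from the original page) of a small scanner that finds candidate SSNs and card numbers in text, discards values that fail the format rules (the Luhn check digit for cards; unissued area, group, and serial values for SSNs) to cut false positives, and masks what remains to the last four digits for display. The log lines are constructed for the example; 4111 1111 1111 1111 is the standard Visa test number, and the regular expressions and helper names are the author of this example’s own.

```python
import re

# Constructed log lines for the demo; none of these values belong to a real person.
LOG = """\
2024-03-01T10:02:11Z user=jdoe note="card 4111 1111 1111 1111 on file"
2024-03-01T10:02:12Z user=jdoe ssn=123-45-6789 status=ok
2024-03-01T10:02:13Z user=asmith ssn=000-12-3456 status=rejected
2024-03-01T10:02:14Z user=asmith ref=4111111111111112 status=ok
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens (PAN formats)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return not (area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000")


def find_pii(text: str):
    """Return [(kind, matched_text)] in order of appearance, validated values only."""
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append((m.start(), "ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append((m.start(), "card", m.group(0)))
    return [(kind, value) for _, kind, value in sorted(found)]


def mask(value: str) -> str:
    """Keep only the last four digits, the usual display rule for PAN and SSN."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every validated finding with its masked form."""
    for _, value in find_pii(text):
        text = text.replace(value, mask(value))
    return text


if __name__ == "__main__":
    for kind, value in find_pii(LOG):
        print(f"{kind}: {value} -> {mask(value)}")
    print(redact(LOG))
```

Two of the four lines carry real findings; the rejected SSN and the order reference that happens to be 16 digits are left alone because they fail the format checks. In a real discovery run the same logic is applied to database columns, file shares, and log pipelines, and every hit is recorded with its location so the data can be mapped to the regulation that governs it and to an owner.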