Personally Identifiable Information, or PII, has become an important term in the quickly evolving landscape of data privacy.
Where data privacy is concerned with who should have access to someone’s personal data, PII attempts to answer the question of what that personal data should be.
The National Institute of Standards and Technology (NIST) defines PII as:
A simpler definition could be that PII is any information that can, by itself or in conjunction with other data, be used to identify an individual.
In this article, we’ll look at various types of PII, how they’re linked, the risks they pose, and how you can help protect your employees’ PII from unwanted exposure. "Why Companies Should Care When Employees Have Their Identities Stolen" offers many reasons why your HR department might want to be at the forefront of protecting your employees’ data privacy. This article will help you discover what that data is and how to protect it.
What data is considered PII?
PII comes in several different flavors. There is regular PII and linkable PII, there are distinctions made between sensitive PII and non-sensitive PII, and finally there is non-PII. So if you’re confused by what PII really covers, you’re not alone.
First, let’s consider the data which makes up the core of PII. These are all those points of information that lead directly to a specific individual and, in most cases, only that individual.
Examples of core PII data include:
- Full name
- Social security number
- Passport number
- Driver’s license number
- Tax ID
- VIN number
- Patient identification numbers
- Financial and credit card account numbers
- Street address
- Email address
- Telephone number
- Photographic images
- Handwriting samples
- Retina maps
- Voice signatures
- IP address
- Login credentials
As you can see, some of these identifiers – social security, driver’s license, and fingerprints – are unique to you. Others – full name, street address – could be shared by other people, but are strong enough identifiers to be labeled PII. And some – VIN number, telephone number, credit card number – are temporary in that they could change over time as your ownership of them changes, but they are still tied to a specific person’s identity on a one-to-one basis.
As for login credentials, a username and password together are a form of PII. Alone, a username may or may not be. For example, a meaningless username such as RobotDuck123 is not going to identify a person outright. But a username that displays their full name and a birthday or year of graduation, such as JohnSmith96, is a stronger form of PII than either of those two things alone would be.
Sensitive PII is a term used to separate out PII that is closely tied to or can give access to an individual’s most sensitive data. This includes personal records from areas such as medical and healthcare, financial, insurance, taxes, employment, military service, education, and so on. Information such as social security number, retina maps, and login credentials are considered sensitive because they can grant access to (or at least make it easier to access) these sensitive accounts.
Emails are considered sensitive for multiple reasons. First, they represent a person’s online identity in the same way a full name does. Second, they often double as usernames for a variety of accounts. Third, most email inboxes contain so much in the way of sensitive personal and account-related data. And fourth, since email is tied to many password reset and security features, gaining access to someone’s email could translate into gaining access to other, more sensitive accounts.
What is linkable PII and how is it different?
Linkable PII are forms of personal data that are not directly traceable back to a specific person. While they might apply to that person or describe them, they are common to so many other people that, by themselves, they would not make good identifiers.
However, when combined with other forms of PII, they can help provide an even tighter identification. This is why many applications request a variety of linkable PII information, to help organizations validate a person’s identity when needed. It is also one of the goals of big data to collect as many of these quasi-identifiers as possible, along with other points of personal data, in order to create the deep profiles needed to predict behaviors.
Some linkable forms of PII include:
- First or last name alone
- Zip code
- Other geographical references (such as Eastern U.S.)
- General age or age group
- Date of birth
- Place of birth
- Business telephone or address
- Marital status
This list of linkable PII is only a sample. There are many more points of data not listed here that could also be linked to someone’s identity. Anything that can help define or describe a specific person is a potential linkable PII candidate.
While some rules and regulations may target only sensitive PII data, the linkable PII distinctions are important because they make it possible to pinpoint identities by combining multiple data sources together.
When is personal data not considered PII?
Many companies use anonymization techniques to satisfy privacy laws, ethical considerations, and big data needs at the same time. What anonymization does is strip out identifiable parts or connections to the data, leaving the PII as standalone values. In this way, companies can share data that would normally be considered linkable PII with third parties such as partners and market researchers.
Unfortunately, the existence of de-anonymization techniques makes sharing anonymized PII data a murkier prospect. Companies will have to determine for themselves which anonymization techniques are secure enough to keep their PII data safe.
Aggregating PII data is another common way to anonymize it. By sharing totals rather than individual values, none of the data can be traced back to a single specific person. Unfortunately, while this method can definitely be useful, it may be less attractive to marketers because the resulting data applies to groups rather than individuals.
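An added example (not from the original article): one way to check whether an "anonymized" extract still lets someone single out a person by combining linkable PII. It counts how many records share each combination of zip code, date of birth, and marital status (a measure commonly called k-anonymity, a term the article does not use), then applies generalization and aggregation with small-group suppression. The sample rows, field names, and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample: an HR extract with names and SSNs already stripped,
# leaving only linkable PII fields from the article's list plus one attribute.
ROWS = [
    {"zip": "15213", "birth_date": "1984-03-12", "marital": "married", "plan": "A"},
    {"zip": "15213", "birth_date": "1984-03-12", "marital": "married", "plan": "B"},
    {"zip": "15217", "birth_date": "1986-07-01", "marital": "single", "plan": "A"},
    {"zip": "15217", "birth_date": "1989-11-23", "marital": "single", "plan": "A"},
    {"zip": "15232", "birth_date": "1991-02-14", "marital": "married", "plan": "B"},
    {"zip": "15232", "birth_date": "1995-09-30", "marital": "single", "plan": "C"},
]
QUASI_IDENTIFIERS = ("zip", "birth_date", "marital")  # assumed linkable fields


def class_sizes(rows, fields=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of linkable values."""
    return Counter(tuple(r[f] for f in fields) for r in rows)


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group; 1 means at least one row is unique."""
    sizes = class_sizes(rows, fields)
    return min(sizes.values()) if sizes else 0


def singled_out(rows, k=2, fields=QUASI_IDENTIFIERS):
    """Rows whose combination is shared by fewer than k records."""
    sizes = class_sizes(rows, fields)
    return [r for r in rows if sizes[tuple(r[f] for f in fields)] < k]


def generalize(row):
    """Coarsen linkable fields: zip prefix, birth decade, marital status hidden."""
    return {
        "zip": row["zip"][:3] + "**",
        "birth_date": row["birth_date"][:3] + "0s",
        "marital": "*",
        "plan": row["plan"],
    }


def aggregate(rows, field, min_cell=2):
    """Share totals instead of rows; suppress groups smaller than min_cell."""
    counts = Counter(r[field] for r in rows)
    return {v: (n if n >= min_cell else None) for v, n in counts.items()}


if __name__ == "__main__":
    print("k before generalizing:", k_anonymity(ROWS))
    print("rows that can be singled out:", len(singled_out(ROWS)))
    coarse = [generalize(r) for r in ROWS]
    print("k after generalizing:", k_anonymity(coarse))
    print("plan totals:", aggregate(ROWS, "plan"))
```

A total of 1 in an aggregate describes a single person, which is why the last function withholds small groups rather than publishing them.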
As for personal data that is not considered PII, activities and objects that can easily change hands (such as smartphones) or be duplicated would normally fall into this category. Included here are:
- Device IDs
- Non-dedicated IP addresses
- Browser cookies
- Browsing and search histories
While these forms of data are not typically thought of as PII, the most recent update to Europe's General Domestic Privacy Regulation (GDPR) does include some of these data points in its own definition of personal data — the EU equivalent of PII.
As we’ll see next, how governments define and approach the questions of data privacy can make a huge impact, too.
What are the rules around using PII?
The most comprehensive rule addressing data privacy so far is Europe's GDPR.
The GDPR was passed in 2016 and took effect in May of 2018.
As noted above, the GDPR uses the term "personal data" instead of the PII designation used mainly in the U.S. Since most websites are global in nature and the two definitions are not the same, it’s important to know the differences. Companies doing business with the EU – or even collecting data from EU citizens – are expected to be compliant with GDPR regulations. This includes the regulation’s treatment of IP addresses, device IDs, and some cookie information as personal data.
Those who are not compliant with the GDPR may be facing stiff fines from the EU’s member nations. The largest of these so far was a $228 million fine handed down to British Airways. Google was fined $57 million by French regulators. And it appears that fines like these are just the beginning, as many more GDPR cases are in the pipeline and could be resolved in the near future.
In the U.S., data privacy rules are evolving under a more piecemeal approach. In the absence of major federal regulations, courts and state legislatures have been making rules and setting precedents to handle the privacy issues they face.
The Pennsylvania Supreme Court set a landmark precedent in Dittman vs. UPMC. It ruled that companies have an obligation to protect the data privacy of their employees. When an external hack exposed the personal data of 62,000 employees at the University of Pittsburgh Medical Center, the judgment was that they did not adequately protect that data and were therefore responsible.
In California, legislators signed the California Consumer Privacy Act (CCPA), which will take effect in January 2020. As one of the strictest U.S. guidelines to date, this may become the litmus test for companies seeking to remain compliant with a variety of U.S. rules.
On the federal front, the FTC has been heavily involved with enforcing the existing privacy and consumer protection standards. This was seen recently in their record $5 billion settlement with Facebook. Other recent settlements include upwards of $575 million for Equifax’s 2017 breach and $200 million for Google’s violation of the Children’s Online Privacy Protection Act.
One of the most interesting developments is the open letter sent to Congress by the Business Roundtable, an association of CEOs from over 200 leading U.S. companies. In the letter, they urged the federal government to enact a more consistent data privacy legislation and also offered a framework to that effect.
How do thieves get access to PII?
Large-scale breaches may compromise the most sensitive PII records. Breaches involving millions of users have become an almost weekly routine. The first six months of 2019 alone have seen 3,800 reported breaches involving 4.1 billion records.
Hackers then attempt to sell these records on the dark web to criminal elements such as organized crime and identity thieves. Sometimes, the PII involved in a breach may be enough to hijack an account outright. This is true when login credentials are stolen, for example.
Other times, an identity thief may need to acquire more information than what they obtained from a breach. Some of the ways they do this are:
- Dumpster diving can reveal a broad range of PII data, from addresses and phone numbers to ages and interests to account numbers and statements.
- Stealing mail can provide both sensitive and non-sensitive personal data by taking unopened mail straight from the mailbox.
- Purse or wallet snatching involves some of the most sensitive data people keep with themselves at all times. Briefcases and smartphones are other potential targets which a clever thief might get their hands on.
- Lottery and prize winning notifications are, unfortunately, often no more than scams designed to capture data for hackers and identity thieves.
- Skimming debit or credit card numbers is not as prevalent as it once was, with most such cards upgrading to built-in EMV chips, but these techniques are still used by some to capture PINs and other data.
- Phishing lures the victim into providing specific PII data through deceptive emails or texts. These messages often lead to fake websites where the targets are asked to submit passwords and other data.
- Pretexting is similar to phishing, where data thieves offer a reason — or pretext — for inquiring about personal information. They could pose as a survey, ask prequalification questions for an award or service, or pretend to be customer service following up from a current business relationship.
- Obtaining credit reports by posing as employers or rental agents can provide identity thieves with a wealth of personal data.
- Social media often provides plenty of linkable PII data, easily searched for and accessed by anyone who takes the time to look.
- Unsecured internet activity provides a means for hackers to scoop up a variety of personal data from unprotected electronic devices.
How linking PII sources can lead to identity theft
Just because a piece of PII data falls into the wrong hands does not mean identity theft is inevitable. Unless the PII includes login credentials, an identity thief will still need to expend some effort to compromise an account.
That's where linkable PII can pose a danger. Even if identity thieves only get their hands on certain pieces of data from a breach, they can often match it with data collected from other lists or sources. As long as there is something in common to connect them — a last name, zip code, last four digits of a social security number, etc. — they can start piecing an identity together like a puzzle.
They might also use information that can be readily found on social media to fill in the gaps. Or they might create a fake website and send phishing emails to try to capture missing passwords or other data.
In 2015, the IRS was targeted in a breach that compromised 100,000 individual records. The identity thieves pulled it off by piecing together PII data from different sources, including data stolen in previous breaches, to correctly answer security questions set by users. Approximately 15,000 fraudulent tax refunds were issued as a result of this scheme.
The relationship between PII and digital footprints
Your employees each have a digital footprint, representing a record of all their online activities. It includes online accounts and transactions, browsing histories, search histories and more. Every site they visit becomes, at least temporarily, part of their digital footprint. This is because their browsers pass an IP address to each visited site. Most browsers also share the domain last visited before arriving there and the domain jumped to when leaving.
Anyone can clear their browser history, of course. But they can’t clear the data collected by those websites. Mostly, those companies use that information for things like demographic studies and marketing research, if they use it at all.
When an employee gives them more information — whether that’s just an email or a full account profile — now their IP address is connected with their PII. And now that company might use their PII for other things, such as selling them goods and services.
This is how a digital footprint grows. The more sites an employee provides information to, the larger that employee’s footprint gets. And since most of the data requested by these sites is either PII or linkable PII, the exposure of their PII grows with it. Even that IP address we started out with, while not considered PII in the U.S. (at least not yet), is considered personal data and protected by Europe’s GDPR. The same goes for cookies. While considered non-PII in the U.S., the GDPR recognizes certain data that can be collected inside cookies as personal in nature.
Regardless of whether you’re following U.S. policies, the GDPR, or both, a digital footprint will usually include a mix of both PII and non-PII data. In this way, you could view PII as a subset of a digital footprint. Some parts of that footprint may contain more PII and others less. This is important to note when trying to reduce the exposure of your employees’ PII.
Reducing their digital footprints in areas where little to no PII is present is still a good idea, but may not be as helpful to their data privacy as you might otherwise assume. By the same token, reducing their digital footprints in areas where multiple sources of PII are present might help them reduce their exposure to the risks of identity theft considerably.
Because there are so many ways to obtain PII data, there are also many ways to protect it.
Helping to reduce the digital footprints of your employees is one way to decrease the chances of their PII being caught up in a breach. Some of the ways to protect and reduce a digital footprint are:
- Being wary of what is shared on social networks, applications, and submission forms
- Avoiding unsafe websites
- Being cautious on public networks
- Deleting what isn’t needed
Removing unnecessary PII from their accounts means less personal data for identity thieves to work with if a breach does occur. Many people fill out optional fields without thinking twice about it. But if the information isn’t required, why share it?
Another way to protect their PII is to encourage care in how they handle their sensitive data. Things like social security numbers and medical, financial, and tax IDs should be encrypted before sending and stored only on protected networks. Devices that store sensitive data, such as smartphones and computers, should be secured via password or other means of protection.
They could also remove some of the data collection options available to identity thieves by destroying physical traces of PII. Shredding documents, removing mailing labels from boxes, and wiping and destroying old hard drives before disposing of them are examples of this.
As for online accounts, supplying each one with a strong, unique password offers a lot more protection than sharing one password using family names and birthdates.
Simply being aware of PII, data privacy rights, and the laws governing a company’s use of personal data can help your employees make better decisions in the long run.
One of those better decisions is to take advantage of an identity theft protection service. A service such as PrivacyArmor not only can help your employees secure and monitor their PII wherever it’s at, but it also helps them remediate and recover their identities… and even reimburses their financial losses.
If you need some advice on how to frame a discussion with your C-suite about the importance of PII and identity theft protection, we’ve provided some answers that might help you with that.
As an HR professional, you are in a perfect position to help employees keep their identities safe by understanding and protecting their PII. Show them how to control where they put their PII, and how to protect the PII they share.