What Is PII (Personally Identifiable Information)?
Personally identifiable information (PII) refers to information employed by a company or organization to identify someone, make contact with them, or find them. While this PII meaning applies to any circumstance, the term “PII” is often used within a legal context, particularly when it refers to information security concerns.
There are two basic kinds of PII: non-sensitive and sensitive. Non-sensitive PII can be freely sent to other parties without being secured, with no harm resulting to the individual. Sensitive PII, on the other hand, has to be sent and kept in a secure form because if it were disclosed, considerable harm could befall the individual.
Protecting PII is crucial in any business relationship, specifically because not doing so could involve an abuse of trust. Also, when an individual’s information is shared with the wrong parties, harm can be done to their reputation, finances, and personal life. In addition, an organization that is lax in the way it protects PII can quickly lose the trust of current and potential clients, which could significantly impact their bottom line.
Many countries and territories have measures in place to protect the personal information of their citizens. While the designation of “personal information” varies slightly from one area to the next, many of the guiding principles are the same.
According to the National Institute of Standards and Technology (NIST), personally identifiable information includes someone’s name, biometric information, such as physical data and descriptions, and Social Security number (SSN). These can all be used to track the identity of an individual.
Personal information in Australia is defined under the Privacy Act 1988. It refers to information about someone, including subjective opinions, when it is clear who the individual is. Even if it is not “crystal clear” who is being referred to, the classification still applies if their identity can be reasonably ascertained.
The European Union
Personal information in countries under the European Union (EU) is defined as information that identifies a person, including physical, mental, physiological, economic, cultural, or social identifying factors. Personal information also includes an ID number, whether issued by a state entity or a private one.
Personal information in New Zealand includes any information relating to someone who is alive and identifiable. This encompasses their contact information, name, financial situation, and their history of purchases.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) stipulates that personal data includes anything that can identify an individual, including personal information online, whether on its own or in conjunction with other data.
What Qualifies as PII?
There are a number of things that qualify as PII, and according to the NIST, they include an individual’s:
- Full name
- Home address
- ID number
- Vehicle plate or registration number
- Passport number
- Driver’s license
- Credit card number
- Date of birth
- Digital identity
- Place of birth
- Phone number
- Genetic information
- Screen name
- Login information
There are multiple laws outlining how to maintain PII compliance. Some countries have more than one because protecting personal information varies depending on the industries or types of individuals involved.
GDPR focuses on many of the potential problems, such as data breaches, by aiming to regulate the cybersecurity and legal fabric of the data within the EU—protecting it from being exploited or misused—while at the same time showing respect for the individuals who own the data. Therefore, the fines levied against people who are out of compliance with PII requirements are stiff. They can climb to as high as €20 million or 4% of a company’s global revenue—whichever amount is higher.
The Gramm-Leach-Bliley Act (GLBA) is also known by the name "Financial Modernization Act." It is designed to regulate how financial institutions share or protect customers’ private information. PII compliance to satisfy GLBA tends to involve financial institutions communicating with their clients and customers regarding how they use their sensitive data. It also directs financial institutions to inform customers that they have the right to opt out of sharing their data.
GLBA makes it mandatory to equip each employee of a financial institution with the knowledge and tools to remain in compliance. In addition, anyone with access to sensitive data is tracked within the financial institution’s system.
The Payment Card Industry Data Security Standard (PCI DSS) manages and identifies the information security policies necessary for organizations that handle credit card information. It is sometimes referred to as “PCI,” and it makes sure companies that work with credit card data keep a certain level of cybersecurity in place.
This may include an information security policy such as a firewall, antivirus software, data encryption service, restricted access to credit card data, logging, scanning for vulnerability, and regular updates.
HIPAA stands for the Health Insurance Portability and Accountability Act, and it is designed to protect the sensitive data of patients. The PII definition used within the context of HIPAA is protected health information (PHI). This includes PII information regarding not just who a patient is but also the kinds of treatment they get and the health conditions they have.
To protect patients’ personal data, HIPAA dictates regulations that limit physical access to personal information, control how it is transferred, as well as how people use workstations where personal data can be accessed. In addition, HIPAA requires regular audits of data protection procedures like data encryption.
The NDB refers to Australia’s Notifiable Data Breaches Scheme, which is a law introduced by the Office of the Australian Information Commissioner. This law necessitates the notification of any individual affected by a data breach within a specific period of time after the breach was discovered. The law also requires individuals and companies to notify government officials.
PII Threat Categories
Once an organization has figured out the kinds of PII it is responsible for, they should also classify the different types of data. This will make it easier to assess the threats posed by the mishandling of each kind of data. The categories may include:
- Identification: This includes data that can be used to identify an individual.
- Data combination: In some cases, a combination of multiple types of data is used to identify someone.
- Accessible data: When and how often data is accessed, as well as who has access, can help clarify how to best manage it.
- PII data compliance: In many instances, local compliance requirements, such as PCI DSS, HIPAA, or EU GDPR, should guide how personal data is managed.
What Do Hackers Do with PII?
When hackers steal credit card information, they can use it to make purchases while pretending to be the cardholder. However, greater dangers result when hackers piece together combinations of personal data. Many institutions require several data points to verify someone’s identity. In some cases, a hacker may get some data, such as an email address, and then use it to obtain more PII, eventually having enough to gain access to more secure accounts such as an individual’s bank.
Hackers can use email phishing to get someone’s password or SSN. For this reason, organizations like the Department of Labor (DOL) disclose that while they may collect data through an email request, they will always outline how the data will be used. Phishing scammers may try to emulate the look and feel of a legitimate service provider to lull their targets into a false sense of security.
When a threat actor has the information they need, they can pretend to be the individual and then commit cyber crimes in their name or sell their information via the dark web. Cyber criminals have also been known to masquerade as the individual and then penetrate their circle of friends on social media, gathering more information they then use to impersonate the target.
Who Is Responsible for Safeguarding PII?
Responsibility for PII varies depending on the information and the jurisdiction. Sometimes, it is the responsibility of the organization that receives it, and in some cases, the responsibility is shared between the individual and the company that takes their data.
Challenges of Managing PII
Properly handling PII can mean the difference between being legally compliant or in violation of the law. However, managing PII comes with several significant obstacles.
Too Much Information
Often, a company has so much PII data, it is hard to keep track of it all. For this reason, it is advisable to only collect the bare minimum necessary for smooth operation.
Covering the Whole Threat Landscape
PII can be accessed both digitally and physically. This results in a diverse, ever-changing, and expanding attack surface.
Unsecured Internet-of-Things (IoT) Devices
As more and more companies implement a bring-your-own-device (BYOD) policy, it is getting harder to make sure all devices are secure.
Employees—even those with the best intentions—often make mistakes. They may incorrectly delete data, leaving it exposed to a hacker, or fall for a phishing scam. It is also common for employees to use weak passwords to make it easier to remember their login information. The key is to educate them regarding the steps they should take to safeguard their PII and those of their fellow workers and customers.
How To Manage PII
There are several things you and members of your organization can do to manage PII. Some of the most helpful steps are listed below. It is important to take all of these measures into account, not just a few.
Some companies use double opt-in, which requires users to confirm subscriptions via email, to limit the exposure of sensitive data. Regardless of the method you choose, a little upfront investment of time and energy to bolster your infrastructure and adjust policies and practices is well worth it. Your efforts can prevent you and your organization from a potentially disastrous hack.
Only Collect/Store What You Need
The safest thing to do is to store only as much PII as you need. Once you choose what to store, ascertain your legal obligations. Then choose which has to be kept on a short-term or long-term basis. If the data can be deleted in the short term, set up procedures for doing so.
Monitor and Train Employees
Provide adequate training to employees about PII data and their related responsibilities. Also, keep track of who accesses personal data and when.
Create a BYOD Security Policy
When employees are allowed to bring their own devices, make sure they meet security requirements before accessing the network. Educate each employee about the measures, and make sure they conform.
Use Monitoring Systems
You need to monitor who has access to PII and when, particularly because some jurisdictions require you to alert them when PII has been compromised. This can be accomplished in several ways, including alerts that are automatically logged by the system whenever someone accesses PII.
Maximize Data Security
Limit the amount of data that gets transferred to reduce the chances of hackers stealing it. Use firewalls to shield your network. Consistently perform timely security updates, and fix vulnerabilities as soon as they are discovered.
Data masking involves making sure data is transmitted or stored with only the bare minimum of data exposed. A common example is when only the last four digits of a credit card are shown during an online purchase.
Implementing ethical walls involves only letting those who “need to know” access sensitive data. You can also make sure each member of your organization can only view data that does not present a conflict of interest.
Privileged User Monitoring
Privileged user monitoring is when you monitor all privileged access to databases and files. Anytime something suspicious happens, the activity is blocked and an alert is created.
Sensitive Data Access Auditing
When engaging in sensitive data access auditing, an organization keeps track of every time people access sensitive information. If anything out of the ordinary happens, access can be blocked and an alert can be initiated.
Secure Audit Trail Archiving
Secure audit trail archiving makes sure that activity conducted in connection with PII is both audited and retained for one to seven years. This helps a company comply with legal regulations and policies, as well as produce a forensic trail that can assist with an investigation.
User Rights Management
User rights management involves identifying unusual or inappropriate user behavior and then limiting access accordingly. This could include removing user accounts that have been dormant for a set period of time.
User tracking traces user activity to detect when users may expose sensitive data, either accidentally or with malicious intent. Activity is tracked anytime they are using the organization’s network or working on behalf of the company.
How Fortinet Can Help
Fortinet has several resources that can help you protect your personal information, as well as that of employees, customers, and other stakeholders. The Fortinet next-generation firewalls (NGFWs) can serve as your primary defense against hackers looking to obtain and exploit PII. To fully safeguard user data, you have to protect your network from multiple angles, and the Fortinet NGFWs can cover several attack surfaces at once, including devices, applications, and users. The NGFWs also segment network traffic, making it less likely that an attacker will even have the chance to access PII.
Fortinet also provides endpoint security with FortiClient. PII is sometimes stored—at least on a temporary basis—on endpoints. With FortiClient, you get full visibility into the security measures in place on every endpoint that connects to your network. You also get protection against advanced threats, as well as automatic vulnerability assessments so you can see which endpoints need to have their protection enhanced. Further, if there is a breach, with FortiClient, you can produce a report of the incident, which helps you remain in compliance with regulations.
Also, with Fortinet FortiMail, you get advanced email security, which forms a barrier between attackers and what is often their favorite entry point. Email is the number one way hackers try to introduce malware that can be used to steal PII. FortiMail filters out malware and spam. It not only targets signature threats, which are stored in a database, but also uses other methods of detection like analyzing behavioral patterns. It is of utmost importance that you familiarize yourself with the latest information regarding PII and then use all the tools necessary to make sure it is secure.