Personally Identifiable Information (PII): What You Need to Know

As our lives become increasingly digital, we leave behind a trail of personal information that can be collected and used by organizations, companies, and even malicious individuals. Personal data has become an increasingly valuable commodity in today’s world. Personally identifiable information (PII) is collected, processed, and shared daily for marketing and identity theft purposes. Hence, PII must be well understood and protected to prevent the proliferation of data breaches and privacy violations.

What is PII?

Personally identifiable information (PII) refers to information that can distinguish or trace an individual’s identity alone or when combined with other information linked or linkable to a specific individual. PII is a broad term because different types of information can distinguish or trace an individual’s identity. However, to determine whether a piece of information is PII, an assessment is performed to determine whether it can be used to identify an individual.

Examples of PII

Examples of information considered under the National Institute of Standards and Technology (NIST) as PII include the following:

1. Name: full name, maiden name, mother’s maiden name, or alias, 
2. Personal identification number: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number,
3. Address information: street address or email address,
4. Asset information: Internet Protocol (IP) or Media Access Control (MAC) address,
5. Telephone numbers: mobile, business, and personal numbers,
6. Personal characteristics: Photographs, x-rays, fingerprints, handwriting, retina scan, voice signature, and facial geometry,
7. Information identifying personally owned property: Vehicle registration number, title number, or other related information, 
8. Information linked or linkable to an individual, such as date/place of birth, race, religion, weight, activities, geographical indicators, employment, medical, education, and financial information.

Some information on their own does not qualify as PII, including:

1. First name or last name
2. Gender
3. Race
4. Age range
5. Job position 
6. Date of birth
7. Religion
8. Weight

These examples of information are vague and can relate to many people.When combined or linked with other information, these data can identify a particular person and become PII. Anonymous information, which cannot be traced back to a specific individual, is not considered PII.

Categories of PII

PII is broadly categorized into two types: sensitive PII and non-sensitive PII. These two categories differ in the level of sensitivity and the potential risks associated with their exposure or misuse. 

Sensitive PII is high risk and can result in severe consequences for an individual if exposed or misused. Examples include social security numbers (SSNs), financial account information, biometric data, medical information, and the PII of minors.

Non-sensitive PII consists of publicly available information with a lower risk of being misused or causing harm to an individual. Examples include contact information, name, educational information, and demographic information. 

How PII Is Collected

While collecting PII is necessary for many business and personal transactions, it also poses a significant privacy and security risk. PII collection happens in many ways, including:

1. Directly from individuals: Individuals can provide their PII through various means, such as online forms, face-to-face interactions, phone calls, social media account opening, and paper forms. 
2. Through online activities: People leave trails of PII as they interact on social media, visit websites, and make online purchases. Examples of information collected this way include IP address, browsing history, login credentials, email address, phone numbers, and payment and shipping information.
3. From surveillance cameras: cameras placed in public places or business locations collect PII, such as images, location information, and timestamps.
4. From public records: Governments publicly collect PII to extend social and legal benefits, such as improving social services and fulfilling legal obligations. Furthermore, court records, voter registration lists, and property records contain PII, such as name, address, birthdate, criminal records, marriage certificates, property ownership records, and employment history.
5. From devices and sensors: Devices and sensors such as smartphones, wearable technology, and Internet of Things (IoT) devices collect PII from their users, including activity, location, and biometric information.
6. From third-party sources: Data brokers, also known as information brokers, are the major sources involved in gathering, transforming, packaging, and selling personal data. 
7. From unethical Hackers: Hackers use spyware, viruses, backdoors, social engineering, or other methods to steal and collect PII data from individuals, companies, governments, and other organizations.

What is PII used for?

Personally identifiable information is widespread and has become integral to modern life. PII is useful for a variety of purposes, including:

1. Identity verification: financial institutions and other organizations use PII to verify their customer’s identities during Know Your Customer (KYC) processes, as part of their anti-money laundering (AML) regulatory requirements, to prevent terrorism financing and other financial crimes. 
2. Personalized marketing: Businesses use personal identifiable information to personalize their offerings to each user and to target their marketing efforts to the right audiences.
3. Business operations: Many organizations use PII to manage operations and provide services to their customers.
4. Healthcare: Healthcare providers collect and use PII to manage patient records, provide treatment, and bill insurance companies.
5. Employment: Employers use PII to verify job applicants’ identities and conduct background checks. Companies use PII to manage employee records, payroll, and benefits.
6. To register and access government services: governments use personal identifiable information to provide citizens with services like passports, driver’s licenses, and social security cards. PII is used to verify a person’s identity and eligibility for services and to administer social benefits.
7. Law enforcement: Fingerprints, DNA, and surveillance data are examples of PII used in criminal investigations to identify and track suspects.
8. Education: PII helps manage students’ academic records in school settings.
9. Research: Researchers may collect PII as part of a study or survey. 

The Misuse of PII

The collection and use of PII are becoming increasingly prevalent in our technologically advancing society. However, PII in the hands of malicious actors and criminals can have varying consequences and can be used to:

• obtain prescription drugs
• claim benefits
• file false tax returns
• travel across international borders
• receive medical treatment, 
• seek employment, and
• aid in other criminal activities.

These exploitations can result in embarrassment, inconvenience, reputational damage, emotional harm, financial loss, unfairness, and, in rare cases, a risk to personal safety. Law enforcement agencies can arrest and charge innocent individuals, while professionals such as pharmacists and doctors can suffer irreparable harm to their reputations. Additionally, individuals may have their benefits suspended or terminated. Organizational damages may include a loss of public trust, legal liability, or remediation costs. Therefore, individuals and organizations collecting and using PII must take necessary measures to protect it from falling into the wrong hands.

PII Safeguards for Organization

To effectively protect PII, organizations should implement the following recommendations: 

1. Identify all personal information in their possession by checking their databases, shared networks, drives, backup tapes, and contractor sites for any they may have collected.
2. Limit the use, collection, and retention of PII to only what’s necessary to achieve business goals.
3. Organizations should categorize PII by its impact level: low, moderate, or high. This indicates potential harm to individuals and the organization if it’s accessed, used, or disclosed without authorization.
4. Apply appropriate safeguards based on the PII confidentiality impact level.
5. Develop an incident response plan to handle breaches involving personal information.
6. Encourage close coordination among relevant experts.
7. Create ongoing awareness, training, and education programs for staff.
8. Put strict policies and procedures in place for managing vendors and third-party service providers that handle personal information.
9. Comply with all applicable laws and regulations guiding personal information.

PII Safeguards for Individuals

To minimize the risk of data breaches, identity theft, fraud, and other cybercrimes that can result in significant losses for individuals, the following safeguards are in place:

1. Use unique and strong passwords on accounts and devices.
2. Enable Two-Factor Authentication (2FA) wherever possible.
3. Be Cautious of Phishing Scams.
4. Regularly review privacy settings on accounts and devices.
5. Use strong and updated security measures on devices like firewalls, antivirus software, and regular software updates. Avoid using public Wi-Fi networks for sensitive activities like online banking or accessing confidential information.
6. Be cautious about sharing personal identifiable information, both online and offline. Only provide it to trusted sources and for legitimate purposes. Avoid sharing sensitive information, such as social security numbers or financial details, unless necessary.
7. Dispose of physical documents or electronic devices that contain PII properly and securely. Shred paper documents containing sensitive information before discarding them, and wipe the data from electronic devices before disposing of them properly.
8. Be cautious about personal identifiable information provided online and the permissions granted to apps and websites. Be mindful of the data they collect and how they use it. Read privacy policies and terms of service before providing PII, and opt out of data collection or sharing whenever possible.
9. Stay updated about the latest threats, scams, and best practices for protecting PII. Follow reliable sources of information, such as reputable security websites or government agencies, to stay informed about potential risks and emerging threats.

Laws Protecting PII

Many organizations are subject to United States (US) laws, regulations, or other mandates governing the obligation to protect personal information, such as 

1. The Privacy Act of 1974
2. OMB memoranda
3. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

In addition, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), have additional legal obligations to protect certain types of PII. Some organizations are also subject to specific legal requirements based on their role. Violations of these laws can result in civil or criminal penalties. Organizations must protect personal information using policies, standards, or management directives specifically designed for their needs. The California Consumer Privacy Act (CCPA) also caters to PII in California.

Conclusion 

Personally identifiable information is critical in today’s digital world, enabling governments and organizations to provide personalized services and products. However, the collection and use of PII also pose significant risks to individuals’ privacy and security. Organizations and individuals alike have a responsibility to handle PII responsibly and securely. By understanding the risks associated with personal information and taking steps to protect it, organizations and individuals can help minimize the potential for harm.

Identity.com

One of our pursuits as an identity-focused company is a user-centric internet, where users have control over their PII. More reason why Identity.com doesn’t take the back seat in contributing to this future via identity management systems and protocols, which will provide better collection and protection of PII from users. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.