What is PII, and What Does PII Include?
- By Bree Ann Russ
- Jul 13, 2022
Personally Identifiable Information (PII) is sensitive data that can identify an individual. Examples of PII include an individual's name, address, phone number, email address, social security number, passport number, driver's license number, and other similar information. The consequences of a data breach or leak of PII can be severe, both for the affected individuals and for the organizations that store their data. For this reason, businesses must take precautions when handling sensitive information about their customers or employees.
PII Meaning
So, what is PII exactly? The acronym PII stands for Personally Identifiable Information: in other words, any information that could identify an individual. Note that this is not only a person's name; it could also include their address, telephone number, or even their IP address (although some do not consider these as sensitive as a name).
In computer systems, PII is the data used to identify people in a digital environment. The term also applies in the context of privacy, where it includes any information that can identify a person.
What Does Personally Identifiable Information Include?
What is PII data, then? Many types of information fall under the category of PII data. The most common PII types are:
- Name - Including the first name and last name of an individual.
- Address - Including the home address, mailing address, or other address where a person can be found.
- Telephone numbers - Including a home phone, cell phone, office number, or other phone numbers associated with the person.
- Email addresses - Including the email address the person uses regularly.
- Social security number - This is a nine-digit number used to identify an individual for their work history.
- Passport number - This is a nine-digit number used to identify a person for international travel.
- Driver’s license number - This number identifies a person's ability to operate a vehicle.
In some situations, the date of birth might qualify as personal information if paired with another identifier, such as a name or address. Other examples include username and password combinations, medical record numbers, school ID numbers, bank account numbers, credit card account information, and biometric data, such as fingerprints or retina scans.
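To make the list above concrete, here is an added example (not part of the original article) that scans log text for four of the identifier types it names and redacts them before the text is stored. The patterns assume US-style formats, the function names are hypothetical, and the sample log lines are constructed.

```python
import re

# Patterns assume US-style formats; other locales need their own rules.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13 to 19 digits
}

def luhn_ok(digits):
    """Luhn checksum: filters out long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text):
    """Return (redacted_text, number of hits per PII type)."""
    counts = {}
    # Cards go last so phone and SSN digits are already masked.
    for kind in ("email", "ssn", "phone", "card"):
        def repl(match, kind=kind):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                return match.group()    # e.g. an order or tracking number
            counts[kind] = counts.get(kind, 0) + 1
            return "[" + kind.upper() + "]"
        text = PATTERNS[kind].sub(repl, text)
    return text, counts

# Constructed sample log lines (not real data).
SAMPLE_LOG = "\n".join([
    "2022-07-13 10:02:11 signup email=alice@example.com phone=(555) 010-1234",
    "2022-07-13 10:02:15 kyc ssn=123-45-6789 card=4111 1111 1111 1111",
    "2022-07-13 10:02:19 shipment tracking=1234567890123456 status=ok",
])

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_LOG)
    print(redacted)
    print(counts)
```

Names and street addresses have no fixed format, so pattern matching of this kind only covers the structured identifiers.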
Data Breaches Involving PII
There are many examples of data breaches compromising PII. In the last few years, we’ve seen massive data breaches from companies such as Yahoo, Equifax, and Verizon.
In 2016, Verizon acquired the assets of Yahoo and discovered that hackers had breached Yahoo's systems in 2013, stealing information associated with over 500 million accounts, including names, email addresses, telephone numbers, dates of birth, hashed passwords, and even unencrypted security questions and answers.
In 2017, credit reporting firm Equifax reported a data breach that affected over 145 million customers. The breach included PII such as names, addresses, SSNs, and even some driver’s license numbers.
In the same year, telecommunications giants Verizon and AT&T reported breaches that affected over 14 million customers.
The Importance of Protecting PII
The importance of protecting Personally Identifiable Information is undeniable. In the event of a data breach, exposed PII can lead to identity theft or fraud. It could also allow thieves to gain physical access to a person's home or workplace.
With the right PII, criminals can open new credit accounts in someone else’s name or access money in those individuals’ bank accounts.
If a business is found to be negligent in terms of protecting PII, it can incur significant fines. In addition to fines, a company that suffers a data breach can suffer from negative publicity.
Customers and clients may lose trust in the company and choose to do business with another firm. Employees may also become less likely to stay with the company and be more likely to leave to work for a competitor.
What Can Be Done to Protect Your PII?
Businesses have many options when it comes to PII protection. As a business owner, you want to ensure access points are safe for employees and customers, your networks are secure, and each device allows individual access only.
Implement Strong Access Controls
Access controls are the gatekeepers of data. In other words, they are the systems and processes that determine who has permission to access which data. Access controls typically fall into two categories:
- Authentication - Authentication is confirming that someone is who they say they are. It often involves checking a person's username and password to ensure that the information is correct. Multi-Factor Authentication is critical to any access control system because it prevents unauthorized users from accessing data.
- Authorization - Authorization is determining what a person is allowed to do. It often includes determining a person's role and what systems they are allowed to access. An authorization system will prevent someone with a general role from accessing highly-specific data.
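The two categories can be seen working together in the following added example (not from the original article): a record viewer that first checks authentication, then applies role-based authorization field by field, and requires a second factor for the most sensitive fields. The roles, the field policy, and all names are hypothetical, and the record is constructed.

```python
from dataclasses import dataclass

# Hypothetical role -> readable-field policy (an assumption for illustration).
ROLE_FIELDS = {
    "support": {"name", "email"},
    "billing": {"name", "email", "address", "card_last4"},
    "compliance": {"name", "email", "address", "ssn", "card_last4"},
}
# Fields that need a verified second factor even when the role allows them.
MFA_FIELDS = {"ssn", "card_last4"}

@dataclass
class Session:
    user: str
    role: str
    password_ok: bool   # first factor verified
    mfa_ok: bool        # second factor verified

def view_record(session, record):
    """Return the record with every field this session may not read masked."""
    # Authentication: is this person who they say they are?
    if not session.password_ok:
        raise PermissionError("not authenticated")
    # Authorization: what may this role read? Unknown roles get nothing.
    allowed = ROLE_FIELDS.get(session.role, set())
    out = {}
    for field, value in record.items():
        if field not in allowed:
            out[field] = "***"
        elif field in MFA_FIELDS and not session.mfa_ok:
            out[field] = "*** (MFA required)"
        else:
            out[field] = value
    return out

# Constructed sample record (not real data).
RECORD = {"name": "Alice Example", "email": "alice@example.com",
          "address": "1 Test St", "ssn": "123-45-6789", "card_last4": "1111"}

if __name__ == "__main__":
    print(view_record(Session("bob", "support", True, False), RECORD))
    print(view_record(Session("eve", "compliance", True, True), RECORD))
```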
Implement Strong Network Controls
Network controls protect a company's IT infrastructure from both external and internal threats. External threats include hackers, spammers, and other cybercriminals attempting to infiltrate the network.
The most common cause of internal threats is employees who harm the network, whether maliciously or inadvertently. To protect against external threats, businesses need a firewall configured to allow only authorized traffic to enter the network. Wireless networks should also be encrypted to prevent eavesdropping and other forms of interception.
Implement Strong Device Controls
There are several ways to protect data on individual devices such as laptops and smartphones. One way is to implement controls that prevent someone from connecting an unauthorized device to the network.
Another way is to encrypt all data on the device so no one can read it without the proper decryption key. Using multi-factor authentication also helps to ensure that the person using the device is the person who should be using it.
Become Proactive About Protecting PII
Once you understand what PII means, it is easy to see just how far someone could go with little bits of information about you. The goal is always to protect yourself, including any data that is unique to you. Businesses and consumers alike need to step up how they keep data safe. One of the most effective methods of keeping your PII safe is to use identity protection services. That way, if any of your PII gets out, you know and can take steps to keep it safe.