Personally Identifiable Information (PII) in information security is the data that could identify an individual directly or indirectly.
PII has several different types of formal definitions varying by country and territory. However, the core meaning of the term remains unchanged.
The most common definition of PII, the one used in the glossary of the National Institute of Standards and Technology (NIST) of the United States, is: “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
Individual privacy and personal information protection acts tweak that formal wording. You can look at related data privacy abbreviations to explore more about them.
Importance of PII in Cyber Security
Cyber security is the practice of defending systems against attacks, and for the most part it is information security: protecting the data stored in systems and organizations.
So, knowing what PII is eventually helps to understand what data is being stored, what needs to be secured, how it can be better managed, and a couple of other things to help enhance security.
PII is usually sensitive, so attackers must not get their hands on it. PII that leaks can harm the individual in the real world, not just the digital one, because it is the raw material for fraud, impersonation, and targeted scams.
Moreover, how an organization handles personal data is the clearest measure of its privacy posture, and the PII it holds sits at the centre of that. So, in one way or another, protecting this information is essential in cybersecurity.
What Exactly Consists in a PII?
While we have defined PII, how can you understand that a piece of data can expose an individual’s identity? 🤔
To get an answer to that, you will need to know what kind of data may get classified as PII and the different types of PII.
Fret not; we shall address both as you read on.
The examples include anything that helps verify the identity of a person. Not every service or organization collects all of it, so the items listed here are not what you hand over to every site on the internet.
For instance, a payment processor might have collected some information classified under PII, and an email service might have stored something else.
💡 The information could be your first name, last name, date of birth, bank account number, home address, social security number, medical records, facial photo, mobile number, email, vehicle registration number, fingerprints, and more.
This is true for almost everywhere in the world, with slight differences as to what is considered (or not) as PII.
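Knowing which fields count as PII is only useful if you can find them where they should not be, for example in application logs. The scanner below is an added example written for this article, not code from the original page. It uses constructed log lines (no real people), regular expressions for the common PII shapes named above (email, card number, US social security number, phone number), and a Luhn checksum so that a 16-digit order number is not mistaken for a card. The field names in the sample log and the detector list are assumptions made for the illustration.

```python
import re

# Constructed sample: a few application-log lines that someone carelessly let
# PII into. Every value below is made up; none belongs to a real person.
SAMPLE_LOG = """\
2024-05-01 10:02:11 INFO  signup user=jane.doe@example.com phone=(555) 010-4477
2024-05-01 10:02:13 WARN  kyc ssn=123-45-6789 submitted for review
2024-05-01 10:03:40 INFO  payment card=4111 1111 1111 1111 order=1234 5678 9012 3456
2024-05-01 10:04:02 INFO  healthcheck ok latency_ms=1234
"""

# Detectors run in this order: earlier matches are redacted before later
# patterns run, so a phone-shaped fragment inside an already-redacted card
# number is never double-counted. The digit patterns use lookarounds instead
# of \b because a leading "(" or "=" is not a word boundary.
DETECTORS = [
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("card", re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")),  # 13 to 19 digits
    ("us_ssn", re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str):
    """Return (findings, redacted_text); findings is a list of (kind, value)."""
    findings = []
    redacted = text
    for kind, pattern in DETECTORS:
        def _replace(m, kind=kind):
            value = m.group(0)
            # A 16-digit order id is not a card: require the Luhn check to pass.
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                return value
            findings.append((kind, value))
            return f"[{kind.upper()}]"
        redacted = pattern.sub(_replace, redacted)
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for kind, value in found:
        print(f"{kind:7s} {value}")
    print(clean)
```

Run against the sample, the scanner reports the email, the card number, the SSN and the phone number, leaves the order id and the latency value untouched, and returns a copy of the log with each finding replaced by a placeholder. Pattern matching is only a first pass: real deployments also need country-specific formats and a review of false positives before anything is auto-redacted.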
Types of PII
PII can be of two different types: direct and indirect identifiers.
Direct identifiers are values unique to one individual, like a government ID number, driver's license number, phone number, or bank account number.
A single direct identifier is enough to identify you, which is why it is considered PII on its own.
Indirect identifiers (or quasi-identifiers) are attributes shared by many people, so one of them alone cannot single you out. If you share only your place of birth, nobody can locate you or learn anything else about you from it.
A bunch of indirect identifiers put together, however, can identify you. How many it takes depends on how rare the combination is: Latanya Sweeney's well-known 2000 study found that ZIP code, date of birth and sex together were enough to uniquely identify about 87% of the US population.
More About PII Types and Classification
Personally Identifiable Information can be classified as – sensitive and non-sensitive.
Sensitive PII: Information that is usually not shared on a public platform and requires consent to be shared or stored.
Things like your full name, identification card number, license number, credit card information, medical records, phone number, and financial data.
Non-sensitive PII: Information that can be obtained without an individual's consent from public records or the Internet.
Things like date of birth, gender, religion, and more.
Moreover, you can also categorize PII as linked and linkable information.
Linked information identifies a person on its own: a government ID number, a passport number, a bank account number, and all the other things included with sensitive PII.
Linkable information, similarly, is something that says little by itself but can be pieced together with other data to identify the individual.
For instance, name, zip code, gender, and workplace.
What if PII is Unprotected? 🔓
Considering that PII is vital for cybersecurity, one cannot help but wonder: what happens if it is unprotected?
Unprotected PII is personal information that an attacker can access without your consent. Countless cyber-attacks occur every day as you read this, so it is not something you can rule out.
Attackers can use PII to extract more information, monitor your online activities, or commit identity theft in your name. All of these are a matter of concern.
It is about your privacy and digital security. Just like you want to keep your browsing activity or search data private, PII (sensitive or non-sensitive) should be confidential.
If not, one can quickly get your identity involved in fraud, extort a ransom from you, or draw you into other illegal activities. The ways attackers can use the information to extract data, money, and assets from you are endless.
Hence, PII must be protected with the best cybersecurity measures available.
How To Protect PII?
Organizations and services we interact with are responsible for protecting the PII we share with them.
Starting from our phone number to our payment information and address, everything must be private and kept secure to fend off any unauthorized access.
Here are some of the things that organizations must do to protect PII:
Inform customers about the data being stored.
Secure the data with encryption so the information is not compromised even if there is a breach.
Numerous other practices lead to better information security and data handling in an organization, but these two are the minimum for protecting PII.
Also, you can choose not to share data that counts as PII when it is not necessary. This alone enhances your privacy considerably.
PII is Crucial, But Not Every Personal Data Is
Of course, we are dealing with “personal” data here.
However, what counts as “personal” varies with your country's privacy act or law. While almost all data is treated as more sensitive than it was a decade ago, some countries classify it differently.
For instance, we share our full name everywhere, even though it is a type of PII. We cannot blame an organization or service if an attacker uses our name elsewhere. So, you may not need to stress over some of the information we share daily.
Furthermore, check your country's privacy regulations and data protection laws to know what is considered sensitive and how to enhance your privacy.
Ultimately, we are responsible for protecting PII, directly or indirectly. And, if we can stay vigilant about our data, organizations can take better care of the PII collected from us.