The Skysnag Blog
Identifying and safeguarding personally identifiable information
PII stands for personally identifiable information. This is information that can be used to identify an individual, such as their name, address, or Social Security number. Any information that can be used to determine one individual from another can be considered PII.
PII can be defined in different ways, but it typically refers to information that could be used to determine an individual, either on its own or in combination with other information.
The Department of Energy defines PII as any information collected or maintained by the department about an individual that could be used to distinguish or trace their identity. This information can include a person’s name, Social Security number, date and place of birth, biometric data, and other personal information that is linked or linkable to a specific individual. The U.S. General Services Administration notes that PII can become more sensitive when it is combined with other publicly available information.
PII can include anything from a person’s name and address to their biometric data, medical history, or financial transactions. To be considered PII, the data must be able to be used to distinguish or trace an individual’s identity. The definition of PII may vary from jurisdiction to jurisdiction but typically includes any information that can be used to identify an individual.
Non Sensitive & Sensitive PII Information
PII can be sensitive or non-sensitive.
Sensitive PII is information that can be utilized to identify an individual and that could potentially be used to harm them if it fell into the wrong hands. This includes information like Social Security numbers, financial information, and medical records.
Non-sensitive PII is information that can be used to identify an individual, but that is not likely to be used to harm them if it falls into the wrong hands. This includes information like names and addresses.
PII can be collected in a combination of methods, including through online forms, surveys, and social media. It is vital to protect PII and only collect the essential information. When collecting PII, organizations should have a plan in place for how the information will be used, stored, and protected.
Personally identifiable information Examples
The following are some examples of information that can be considered PII:
- Social Security number
- Date of birth
- Driver’s license number
- Financial information
- Medical records
- Email address
- I.P. address
PII DATA BREACHES
Several merchants, financial institutions, health organizations, and federal agencies, such as the Department of Homeland Security (DHS), have undergone data breaches that put individuals’ PII at risk, leaving them potentially vulnerable to identity theft.
PII can be used to commit identity theft in several ways. Thieves may use it to open new accounts, apply for loans, or make purchases in your name. They may also use it to commit fraud or other crimes.
Identity thieves are always looking for new ways to gain access to people’s personal information. The information they are after will change depending on what they are trying to do with it. For example, they may need different information to open a bank account then they would file a fraudulent insurance claim.
In some cases, all they need is an email address. In others, they may need a name, address, date of birth, Social Security number, or other information. Some accounts can even be opened over the phone or on the internet.
Additionally, physical files such as bills, receipts, birth certificates, Social Security cards, or lease information can be stolen if an individual’s home is broken into. Thieves can sell this information for a profit. Or they may use it themselves without the victim’s knowledge. For example, they may not use the victim’s credit card, but they may open new, separate accounts using the victim’s information.
PII Laws & Regulations
PII is regulated by a number of laws and regulations, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act.
The Privacy Act of 1974 is a federal law that establishes rules for the collection, use, and disclosure of PII by federal agencies. The act requires that federal agencies give individuals notice of their right to access and correct their PII and establish penalties for PII misuse.
The Freedom of Information Act (FOIA) is a federal law that gives individuals the right to access certain government records. The act requires that federal agencies make their records available to the public unless the records are protected from disclosure by one of the act’s exemptions.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student educational records. The act requires that schools give parents and students the opportunity to inspect and correct their educational records and limits the disclosure of educational records without consent.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of health information. The act requires that covered entities take reasonable steps to safeguard the confidentiality of protected health information and limits the disclosure of protected health information without consent.
The GDPR replaces the 1995 Data Protection Directive (95/46/E.C.), which was introduced to protect the rights of Europeans with respect to their personal data. It sets out the rules for the collection and processing of personally identifiable information (PII) by individuals, companies, or other organizations operating in the E.U.
The regulation applies to any company that processes the personal data of individuals in the E.U., regardless of whether the company is based inside or outside the E.U. This includes companies based in the U.S. that process the data of E.U. citizens, even if those citizens are not physically present in the E.U. The GDPR requires companies to get explicit permission from individuals before collecting, using, or sharing their personal data. Companies are required to provide individuals with information about their rights under the GDPR and ensure that individuals can easily exercise those rights.
The GDPR imposes significant fines for companies that violate its provisions, including up to 4% of a company’s global annual revenue or €20 million (whichever is greater), whichever is greater. The regulation also gives individuals the right to file a complaint with the supervisory authority if they believe their rights have been violated.
The best practices for safeguarding PII
- Encrypting all PII data in transit and at rest
- Storing PII data in a secure database
- Restricting access to PII data to only those who need it
- Ensuring that all PII data is accurate and up to date
- Destroying PII data when it is no longer needed
PII PHI PCI What is the difference?
Personally identifiable information
PII ultimately impacts all organizations, of all sizes and types. PII is any information that can be used to identify a person, such as your name, address, date of birth, social security number, and so on. Once you have a set of PII, not only can you sell it on the dark web, but you can also use it to carry out other attacks. These attacks show how cybercriminals can use stolen PII to carry out additional attacks on organizations. The Office of Personnel Management and Anthem breaches are examples of this, where millions of pieces of PII were taken and then used to attack other organizations like the IRS.
Protected Health Information
PHI is one of the most sought-after pieces of data that a cybercriminal has in their sights. It comprises a multitude of information. PHI is defined by the Health Insurance Portability and Accountability Act (HIPAA) and is made up of any data that can be used to associate a person’s identity with their health care. A full list of the 18 identifiers that make up PHI can be seen here.
PHI is a valuable asset and is sold on the dark web for more money than any other data set, according to Ponemon Institute. In terms of the protection of PHI, HIPAA and the related Health Information Technology for Economic and Clinical Health Act (HITECH) offer guidelines for the protection of PHI. Within HIPAA are the ‘privacy rule’ and the subsets, ‘security rule’, ‘enforcement rule’, and ‘breach notification rule’ which all deal with various aspects of the protection of PHI.
Payment Card Industry Data Security Standard
PCI-DSS is a set of security standards created to protect cardholder data. Any organization that processes, stores, or transmits cardholder data must comply with these standards. PCI compliance includes taking responsibility for ensuring that financial data is protected at all stages, including when it is accepted, transferred, stored, and processed.
Skysnag’s automated software safeguards your domain’s reputation and keeps your business away from compromised business emails, password theft, and potentially significant financial losses. Unlock insights, bypass email authentication configuration issues including SPF and DKIM; and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Get started with Skysnag and sign up using this link for a free trial today.
Enforce DMARC, SPF and DKIM in days - not months
Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.