Have you ever stopped to think about how much personal information you hand over online and offline each day? From making purchases to accessing healthcare services to signing up for apps, we regularly provide companies and organizations with very sensitive details that identify us as unique individuals. This data, known as personally identifiable information (PII), can easily be abused or exposed if proper precautions aren’t taken to safeguard it.
In this age of data breaches affecting billions of customers worldwide, it’s crucial that consumers understand exactly what PII is, how it is collected and used, and the steps they must take to better protect their privacy and identity. As an experienced cybersecurity professional, I’ll provide an in-depth look at PII, including:
- What constitutes PII and common examples
- How organizations gather and leverage your PII
- The immense risks involved when PII is compromised
- Laws and regulations surrounding PII
- Steps individuals can take to safeguard their information
- Best practices for companies collecting sensitive data
Let’s get started exploring everything you need to know about personally identifiable information and how securing yours needs to become a top priority.
Defining Personally Identifiable Information
Personally identifiable information (PII) is any data that can be used, on its own or in combination with other data, to identify a specific individual. It includes details that distinguish you from other people and that can be traced back to you either directly (a passport number) or indirectly (a device identifier tied to an account you hold).
Some examples of common PII that we regularly provide, whether knowingly or unknowingly, include:
Biographical Information
- Full legal name
- Alias or nickname
- Home address
- Email address
- Phone number
- Age or birthdate
- Place of birth
National Identifiers
- Social Security Number
- Passport number
- Driver’s license number
- Tax ID numbers
- Professional license numbers
Online Identifiers
- IP address
- Device IDs like mobile IMEI number
- Browser cookies containing unique identifiers
- Accounts linked to emails or usernames
Financial Details
- Credit/debit card number
- Bank account and routing number
- Loan or mortgage account numbers
- Insurance policy number
- Digital wallet details
Medical Information
- Health insurance account number
- Medical record number
- Prescriptions and procedures
- Doctor names and visits
Biometric Data
- Fingerprints
- Facial recognition patterns like those used for Apple Face ID
- Retina scans
- Voice recognition profiles
- DNA sequences
Employment Information
- Salary and pay history
- Performance reviews
- Resumes and CVs containing PII
As you can see, PII encompasses a wide variety of sensitive personal details that we freely give out in order to obtain products, services, and healthcare. This information unequivocally identifies us as individuals.
Some personal data may seem innocuous on its own but becomes identifying once combined with other details; privacy engineers call such fields quasi-identifiers. A birthdate alone does not single anyone out, but a birthdate together with sex and a full ZIP code narrows the population to a handful of people, often just one, and adding a name or address removes any doubt. This is why stripping names from a dataset does not by itself make the dataset anonymous.
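The linkage risk described above, as an added example (not part of the original article): a "de-identified" health extract has its names removed but keeps date of birth, sex and ZIP code, and a public voter roll carries the same three fields next to names. Joining on those quasi-identifiers re-identifies any record whose combination is unique. Both datasets and the names in them are constructed for the example; the k-anonymity check and the generalization step show how to measure and reduce the exposure.

```python
"""Re-identifying 'anonymous' records by linking quasi-identifiers.

Added example, not from the article. Both datasets are constructed.
"""
from collections import Counter, defaultdict

# Fields shared by both datasets that, together, can single out a person.
QUASI_IDENTIFIERS = ("dob", "sex", "zip")

# Constructed health extract: direct identifiers removed, quasi-identifiers kept.
HEALTH_EXTRACT = [
    {"dob": "1979-03-14", "sex": "F", "zip": "02138", "diagnosis": "asthma"},
    {"dob": "1979-03-14", "sex": "F", "zip": "02139", "diagnosis": "diabetes"},
    {"dob": "1985-11-02", "sex": "M", "zip": "02138", "diagnosis": "hypertension"},
    {"dob": "1985-11-02", "sex": "M", "zip": "02138", "diagnosis": "flu"},
]

# Constructed public voter roll: names are public, with the same three fields.
VOTER_ROLL = [
    {"name": "Alice Example", "dob": "1979-03-14", "sex": "F", "zip": "02138"},
    {"name": "Bob Example",   "dob": "1985-11-02", "sex": "M", "zip": "02138"},
    {"name": "Carol Example", "dob": "1985-11-02", "sex": "M", "zip": "02138"},
]


def qi_key(record):
    """The quasi-identifier tuple used to join the two datasets."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def link(extract, roll):
    """Return {name: [diagnoses]} for every extract row whose quasi-identifier
    tuple matches exactly one voter. Ambiguous matches (two or more voters with
    the same tuple) are not re-identified, which is what k-anonymity relies on."""
    by_key = defaultdict(list)
    for voter in roll:
        by_key[qi_key(voter)].append(voter["name"])
    hits = {}
    for row in extract:
        names = by_key.get(qi_key(row), [])
        if len(names) == 1:  # exactly one person fits: re-identified
            hits.setdefault(names[0], []).append(row["diagnosis"])
    return hits


def k_anonymity(extract):
    """Size of the smallest group of records sharing one quasi-identifier tuple.
    k == 1 means at least one record is unique and exposed to linkage."""
    return min(Counter(qi_key(r) for r in extract).values())


def generalize(record):
    """One mitigation: coarsen the quasi-identifiers (DOB to year, ZIP to 3 digits)
    so more records share each tuple and k rises."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3]}


if __name__ == "__main__":
    print("re-identified:", link(HEALTH_EXTRACT, VOTER_ROLL))
    print("k before generalization:", k_anonymity(HEALTH_EXTRACT))
    print("k after generalization:",
          k_anonymity([generalize(r) for r in HEALTH_EXTRACT]))
```

Only the first health record is re-identified: its (dob, sex, zip) tuple matches a single voter. The two men in ZIP 02138 share a tuple and stay ambiguous, which is exactly the protection that generalizing the quasi-identifiers extends to everyone in the extract.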
How Organizations Collect Personally Identifiable Information
Companies and government entities gather massive amounts of PII through various means, both online and in the physical world. Some common ways that your personal data gets collected include:
- Account or membership registration requiring names, contact info, usernames, and other identifiers.
- Submitting payment information like credit card numbers when making purchases online or in store.
- Providing addresses and phone numbers when filling out contest/sweepstake entries, surveys, petitions, etc.
- Signing up for mobile apps which can access device identifiers, location history, photos, contacts list and more.
- Enrolling in loyalty programs and submitting personal details in exchange for discounts.
- Providing information to healthcare providers to obtain medical treatment and file insurance claims.
- Submitting PII like SSNs when applying for loans, insurance, or government services.
- Web browsing activity tracked via cookies, pixels, browser fingerprinting, and IP address logging.
- Public records containing property records, court documents, voter registration, and other data.
- Third party data brokers who buy and sell bulk consumer personal information.
- Background checks performed by employers which can access credit reports, driving records, criminal history and more.
- Government tax records, census data, birth certificates, passports and immigration documents.
- Social media activity where users frequently share PII publicly or with inadequate privacy controls.
As you can see, both government and the private sector gather extremely detailed profiles on individuals through what largely amounts to surveillance. While notions of privacy erode further each year, consumers must educate themselves on how this data gets collected and leveraged.
How Companies Leverage Your Personally Identifiable Information
Organizations collect PII for a wide variety of purposes, though in most cases the intent is to generate revenue in some capacity either directly or indirectly. Here are some of the most common ways companies and institutions utilize your personal information:
- To establish identity – Validating identities is crucial for financial institutions, government agencies, and any organization requiring secure access. KYC (know your customer) regulations in banking require detailed PII and proof of identification.
- Facilitating transactions – Payment processors require your financial information like credit card numbers to authorize and settle purchases you make online and at point-of-sale systems.
- Targeted advertising – Detailed consumer profiles allow marketers to deliver customized ads across channels. Common data points used include browsing history, purchase history, location, app usage and more.
- Personalization – PII like your name, interests, and purchase history allows brands to provide curated recommendations and offers designed to improve engagement.
- Analytics – Aggregate data on site visitors allows companies to analyze traffic patterns and user behavior to enhance experiences. Common metrics tracked include devices used, pages visited, viewing time and conversion actions.
- Service or benefit eligibility – Healthcare services, government benefits programs, insurance providers and employers all commonly require extensive PII to determine if applicants meet requirements.
- Fraud prevention – Identifying information like addresses, SSNs and dates of birth allow companies to spot fraudulent activities and deny invalid transactions.
- Legal compliance – Regulations like tax reporting requirements and know your customer (KYC) identity rules often compel companies to collect PII.
- Sale or transfer of data – PII databases are commonly sold, rented or shared with third party partners, data brokers, advertisers, credit bureaus, and other entities, often without consumer knowledge or consent.
While these uses provide some consumer benefit, individuals have very little visibility into or control over how their PII circulates behind the scenes. And unfortunately, this data proliferation makes consumers extremely vulnerable in the event of a breach.
Exposed PII and the Risks Consumers Face
With hundreds of millions of consumer records containing PII getting leaked in major data breaches annually, the risks posed to individuals are immense and escalating rapidly. Once your personal information is exposed or stolen, criminals and illicit businesses can exploit your identity and financially benefit at your expense through:
- Identity theft – Fraudsters open new credit cards and other accounts in your name racking up huge debts that damage your credit and ability to obtain loans or mortgages. Victims spend endless hours disputing fraudulent accounts and charges.
- Medical identity theft – Criminals obtain healthcare services and prescription drugs using stolen Medicare ID numbers and insurance member information leaving victims to foot huge medical bills.
- Criminal impersonation – Stolen PII has been used to register website domains for phishing schemes, money laundering and other cybercrime campaigns. Victims’ reputation and criminal records can be impacted.
- SIM swapping – Using stolen PII to impersonate you to your mobile carrier, thieves port your phone number to a SIM they control. From then on they receive your calls and text messages, including the SMS one-time codes and password-reset links that banks and email providers send, and can take over any account that relies on your phone number for login or recovery. Funds can be drained from bank accounts within minutes.
- Social engineering scams – Detailed personal dossiers allow criminals to build convincing phishing messages and elicit further sensitive info from victims such as passwords.
- Financial fraud – Everything from taking over bank accounts to making unauthorized purchases of retail products and gift cards on your existing credit lines becomes possible once PII has been compromised.
- Public shaming – Hackers who leak or expose PII records of high-profile individuals or celebrities often do so hoping to cause reputational damage or embarrassment.
And those are just some of the many ways cyber thieves capitalize on exposed personal information to facilitate identity-based fraud and other crimes. According to the Identity Theft Resource Center, over 251 million U.S. residents have suffered identity compromise since 2005.
So clearly, keeping your PII secure needs to become a top priority in this era of rampant data harvesting. Next I’ll explore the laws and regulations designed to protect consumers.
Laws and Regulations Governing PII
In the United States, various federal and state laws help safeguard private data and impose requirements on companies that have experienced qualifying data breaches. Here’s a high-level look at some of the key regulations pertaining to PII:
- HIPAA – Governs protected health information (PHI) privacy at covered healthcare entities and business associates. HIPAA violations can incur fines.
- GLBA – Requires financial institutions to clearly explain data collection practices and protect sensitive customer information.
- CCPA/CPRA – Provides California residents with rights to access data collected on them, opt-out of sales/sharing, and request deletion. Fines for violations.
- COPPA – Imposes parental consent requirements for collecting data on children under 13 years old. Violations carry fines from the FTC.
- FCRA – Governs credit reporting agencies and gives individuals rights to dispute errors on their credit reports which contain highly sensitive PII.
- State breach laws – All 50 states have statutes requiring organizations to notify affected residents when a breach exposes private information such as names paired with Social Security numbers. Deadlines vary by state: some set a fixed window (commonly 30 to 60 days), others require notice "without unreasonable delay."
In addition to US regulations, comprehensive data protection laws like GDPR in the EU provide residents with extensive rights over their private data and levy much larger fines against organizations that fail to comply.
But ultimately, companies collecting your information have little incentive beyond penalties to properly secure it. Consumers themselves need to take responsibility for exercising caution and safeguarding their PII wherever possible.
Best Practices for Individuals to Protect PII
Fortunately, there are steps you can take as a consumer to minimize misuse of your private data and reduce susceptibility to devastating identity theft:
- Enable multi-factor authentication (MFA) on accounts containing sensitive information whenever available. MFA requires a second factor beyond the password, such as a code from an authenticator app, a push approval, or a hardware security key. Prefer an app or security key over SMS codes, since text messages can be intercepted through SIM swapping.
- Use a long, randomly generated, unique password for every account, and store them in a password manager. Current guidance (NIST SP 800-63B) advises against forced periodic rotation: change a password when you suspect it has been exposed, not on a fixed schedule, since routine rotation pushes people toward weaker, predictable variations.
- Be cautious on public Wi-Fi. HTTPS protects most web traffic today, but an untrusted network can still push you to a captive portal or look-alike login page, and any unencrypted app traffic is visible to whoever runs or is monitoring the hotspot.
- Review privacy policies closely before providing PII to any website or app. Opt-out of data sharing and marketing wherever possible.
- Disable location services in apps that don’t require it. Location history data reveals your daily habits and haunts.
- Watch out for social engineering like phishing emails attempting to trick you into entering login credentials on fake sites. Also avoid phone calls claiming to be banks, IRS etc. requesting personal information for "verification."
- Enable credit freezes and fraud alerts on your credit files to block criminals from opening new accounts in your name. Monitor credit reports frequently for any suspicious activity.
- Search your email addresses and phone numbers on breach notification services like HaveIBeenPwned.com. For any account that shows up, change the password there and everywhere you reused it, since credentials from one breach are routinely tried against other sites.
- Limit sharing of PII on social media which often lacks adequate default privacy restrictions. Cybercriminals readily gather info shared publicly online.
- Consider using a VPN on public Wi-Fi hotspots to encrypt all of your traffic, not just the HTTPS portion. Bear in mind that a VPN moves trust from the hotspot operator to the VPN provider, who can see the same traffic, so choose one with a clear no-logging policy; the ad and tracker blocking some services advertise is a convenience, not a security guarantee.
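Checking whether a password has appeared in a breach raises an obvious question: how do you ask a service about your secret without handing the secret over? The Pwned Passwords service from HaveIBeenPwned answers it with a k-anonymity range lookup: the client sends only the first five hex characters of the SHA-1 hash, the server returns every known hash suffix under that prefix, and the match happens locally. The following is an added example, not code from the article or from HaveIBeenPwned; it simulates both client and server offline with a constructed breach corpus, so no network call is made. The real endpoint is `GET https://api.pwnedpasswords.com/range/<prefix>`, which returns lines of `<35-hex-char suffix>:<count>`.

```python
"""k-anonymity range lookup, modelled on HaveIBeenPwned's Pwned Passwords API.

Added example, not from the article. The breach corpus and the server are
simulated locally so the script runs offline.
"""
import hashlib

# Constructed "breach corpus": password -> times seen. Counts are illustrative.
BREACH_CORPUS = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "letmein": 231_199,
    "correct horse battery staple": 1,
}


def sha1_hex(secret: str) -> str:
    """Uppercase hex SHA-1, the form the range protocol works with."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def server_range(prefix: str) -> str:
    """Server side: given a 5-char hash prefix, return every known suffix under it
    with its breach count, one per line. The server never learns which suffix
    (if any) the client actually holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = []
    for password, count in BREACH_CORPUS.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def client_check(secret: str, fetch=server_range) -> int:
    """Client side: hash locally, send only the first 5 hex characters, then
    look for the remaining 35 in the response. Returns the breach count, or 0.
    `fetch` is the transport; swap in an HTTP GET to use the real service."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "Tr0ub4dor&3-not-in-corpus"):
        print(f"{candidate!r}: seen {client_check(candidate)} times")
```

The privacy property is in what crosses the wire: the prefix alone identifies a large bucket of hashes, so the server (or anyone watching the connection) cannot tell which password was checked. The same pattern is useful whenever you need to check a secret or identifier against a shared blocklist without disclosing it.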
Staying vigilant about protecting your PII online and minimizing unnecessary disclosures can greatly reduce risks of serious identity theft and fraud damages. But preventing exposure of private consumer data also requires responsible practices from the companies collecting and storing it.
Best Practices for Organizations Handling PII
While individuals must take steps to safeguard their data, the onus is also on companies collecting PII to ensure they are protecting consumer privacy and securing information properly. Here are some vital best practices:
- Conduct regular external risk assessments to identify and resolve vulnerabilities in data security programs, systems and software.
- Encrypt sensitive PII in transit (TLS) and at rest so that a stolen database or backup is unreadable. Keep the encryption keys separate from the data, in a key management service or HSM with its own access controls; encrypted records stored next to their key are effectively plaintext. Collect only the fields you need and delete them once they are no longer required, since data you do not hold cannot be breached.
- Impose strong access controls with multi-factor authentication required for every employee account that can reach consumer PII, and apply least privilege: grant access only to staff who need it for their job duties, and log and review that access.
- De-identify or pseudonymize collected PII whenever the business purpose allows, for example by replacing account numbers or SSNs with random tokens and keeping the token-to-value mapping in a separately secured vault. Note that simply hashing an identifier is not anonymization: SSNs, phone numbers and similar fields have small value spaces, so an unkeyed hash can be reversed by hashing every possible input. Use a keyed construction (HMAC with a secret key) or true random tokens instead.
- Hire a Chief Privacy Officer accountable for overseeing consumer data protection, compliance and security initiatives. Conduct regular staff training on handling PII.
- Disclose in concise privacy policies what PII is being collected, retention periods and how data will be used. Provide convenient opt-outs for data sales or secondary uses like marketing.
- Obtain explicit opt-in consent from consumers before collecting and processing sensitive information like financial details, religious affiliation, health records, etc.
- Have a data breach incident response plan in place to promptly contain leaks and notify authorities and impacted consumers. This demonstrates accountability around PII stewardship.
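To make the de-identification point concrete, here is an added example (not code from the article): an unkeyed SHA-256 of an SSN looks random but is recovered by a dictionary attack over the input space, while an HMAC with a secret key held outside the dataset is not, yet still preserves equality so records can be joined. The SSNs, the candidate range and the test key are constructed; the search space is limited to one area-group pair so the demonstration runs instantly, but the full SSN space is only about a billion values and is just as enumerable.

```python
"""Pseudonymizing an identifier: why an unkeyed hash is not de-identification.

Added example, not from the article. All identifiers and keys are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and irreversible in theory, but the input
    space for an SSN is tiny, so it can be inverted by brute force."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the data (KMS/HSM).
    Without the key an attacker cannot enumerate candidates to reverse it,
    and equal inputs still map to equal tokens, so joins keep working."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def new_pseudonym_key() -> bytes:
    """256-bit key from the OS CSPRNG; rotate and store it outside the dataset."""
    return secrets.token_bytes(32)


def ssn_candidates(area: str, group: str) -> Iterable[str]:
    """Constructed search space: every serial for one area-group pair (10,000 values).
    An attacker who knows nothing about the victim simply widens this to all areas."""
    return (f"{area}-{group}-{serial:04d}" for serial in range(10_000))


def reverse_by_dictionary(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unkeyed hash: hash each candidate and compare.
    Returns the recovered identifier, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(naive_token(candidate), token):
            return candidate
    return None


def pseudonymize(records, key: bytes, field: str = "ssn"):
    """Replace one field in every record with its keyed token. The key never
    travels with the pseudonymized records."""
    return [{**record, field: keyed_token(record[field], key)} for record in records]


if __name__ == "__main__":
    ssn = "123-45-6789"  # constructed
    key = new_pseudonym_key()
    print("naive token reversed to:",
          reverse_by_dictionary(naive_token(ssn), ssn_candidates("123", "45")))
    print("keyed token reversed to:",
          reverse_by_dictionary(keyed_token(ssn, key), ssn_candidates("123", "45")))
    print(pseudonymize([{"ssn": ssn, "balance": 100}, {"ssn": ssn, "balance": 250}], key))
```

The two pseudonymized records above carry the same token, so an analyst can still group them by customer without ever seeing the SSN; only the party holding the key can map a token back, and that mapping should be treated with the same controls as the original PII.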
Maintaining robust security and respect for consumer privacy must be ingrained in the culture of any organization handling mass amounts of sensitive PII. With major breaches still occurring regularly, clearly there is much room for improvement.
Conclusion: Hand Over Your PII Cautiously
In summary, personally identifiable information encompasses a wide array of sensitive details like government ID numbers, financial account numbers, biometrics, medical history and more. This data can unequivocally identify us as individuals.
PII has become ubiquitous digital currency freely provided to obtain products, services and healthcare. But consumers generally lack visibility into how their PII gets stored, shared and monetized behind the scenes or adequate control over these practices.
And when PII databases inevitably get breached or exposed, whether intentionally or through unforced errors, consumers pay the steep price through identity theft and cybercrime damages.
While regulations help protect PII to some degree, individuals must exercise caution and employ best practices to minimize needless data exposure. Simultaneously, companies have an obligation to collect, retain and safeguard only essential PII using stringent security controls.
Ongoing diligence by both consumers and corporations remains vital as technology evolves and cybercriminal efforts to exploit PII persist. Hand over personal data cautiously, as once it enters cyberspace, it may be impossible to ever fully revoke access or undo damages from misuse.