What Does Personally Identifiable Information Mean?
Personally Identifiable Information (PII) is a label for data that directly or indirectly identifies a specific individual.
Examples of PII include names, addresses, biometrics and alphanumeric account numbers.
- Name — includes full names, maiden names, mother's maiden names, nicknames and aliases.
- Address — includes street addresses, email addresses, IP addresses and MAC addresses.
- Biometrics — includes photographs, x-rays and other types of bio-based data such as fingerprints.
- Alphanumeric account numbers — includes telephone numbers, driver's license numbers, taxpayer IDs, patient IDs, vehicle registration numbers and credit card numbers.
In many parts of the world, personally identifiable data has to be collected, stored and destroyed in accordance with compliance rules and regulations. Because non-PII can easily become PII if additional information is made publicly available, this type of data should be periodically reviewed to determine whether its IT risk management level has changed.
Risk impact levels (low, medium, high) for PII are subjective and based on the potential harm that inappropriate access, use or disclosure of the personally identifiable information would cause. The likelihood of risk is greatly reduced if an organization minimizes the amount of PII it collects, stores and shares.
Techopedia Explains Personally Identifiable Information
PII breaches can be dangerous to both individuals and businesses. Individuals whose PII is compromised face a higher risk of identity theft. Businesses that allow their customers' PII to be compromised risk losing the public's trust and facing legal repercussions. Because PII is protected by privacy regulations, decisions about what PII to collect or share should be made in consultation with an organization's Chief Privacy Officer (CPO), Data Protection Officer (DPO) and legal team.
In many parts of the world, businesses are responsible for ensuring that their customers' PII is protected by reasonable safeguards. The risk of exposure can be contained and minimized by proactively creating an incident response plan for PII breaches. The plan should address how and to whom breaches will be reported, as well as when and how individuals whose PII has been compromised will be notified.
Legal mandates regarding PII can be complex and often change incrementally over time. This is why it is important for an organization to review and update its incident response plans on a regular basis. Minimally, a plan for protecting PII should ensure the following:
- PII will only be used by or disclosed to authorized entities.
- PII will be destroyed at the appropriate time in compliance with regional record retention requirements.
- Information security controls for protecting PII will be reviewed on a regular schedule.
- PII in digital formats will be encrypted or obfuscated in some other manner to protect it from cybersecurity threats.
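Two of the points above, periodically reviewing data to see whether it has become PII and obfuscating PII that is stored in digital form, are routine engineering tasks. The following Python is an added example, not code from the original article, showing one way to do both over application logs: scan constructed sample log lines for the address and account-number categories listed earlier (email addresses, IP addresses and card numbers, with a Luhn check so that ordinary order numbers are not flagged), and replace each hit with a keyed HMAC pseudonym so that the logs stay correlatable without holding the raw value. The log lines, the key and the field names are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (no real data) that mix PII with ordinary fields.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z login ok user=alice@example.com src=203.0.113.7",
    "2024-01-01T10:00:05Z payment card=4111111111111111 amount=42.00",
    "2024-01-01T10:00:09Z healthcheck status=200 latency_ms=12",
    "2024-01-01T10:00:11Z order id=4111111111111112 qty=3",
]

# Hypothetical pseudonymisation key; a real deployment would load it from a
# secrets store and rotate it on a schedule.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

# Detectors for three PII categories named in the article. The card pattern is
# deliberately loose and relies on the Luhn check below to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b\d{13,19}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input and key give the same token,
    but the raw value cannot be recovered from the token without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def find_pii(line: str) -> list:
    """Return (category, value) pairs for every PII match in one log line."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(0)
            if kind == "card" and not luhn_valid(value):
                continue  # digit run that is not a plausible card number
            hits.append((kind, value))
    return hits


def redact_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace each PII value with a labelled pseudonym, e.g. <email:3f2a...>."""
    out = line
    for kind, value in find_pii(line):
        out = out.replace(value, f"<{kind}:{pseudonymize(value, key)}>")
    return out


def scan(lines) -> dict:
    """Count PII hits per category across a batch of lines; useful as the
    periodic review step, to see whether a data set has started carrying PII."""
    counts = {kind: 0 for kind in PATTERNS}
    for line in lines:
        for kind, _ in find_pii(line):
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
    for line in SAMPLE_LOGS:
        print(redact_line(line))
```

The pseudonym is an HMAC rather than a plain hash so that an attacker who obtains the redacted logs cannot simply hash guessed values (a dictionary of email addresses, every valid card number) and match them against the tokens; the key is what makes the obfuscation hold. Order numbers that happen to be 13 to 19 digits long are left alone because they fail the Luhn check, which is the kind of false-positive handling a review process needs if the scan is to be trusted.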