Understanding Personally Identifiable Information: What Is PII and How To Protect It Online

Today’s world requires you to share your PII, but doing so may present a security threat. Learn what laws apply and how to protect yourself from becoming a victim.
Personally Identifiable Information (PII)

There were over 3 million cases of fraud and identity theft last year. Improper use of your personally identifiable information (PII) is the leading cause of these types of cybercrimes. This article explains more about PII and will teach you how to protect yourself.

A Quick Overview Of What We'll Cover

What Is PII? 

PII stands for personally identifiable information and refers to an individual’s private data that could be used to discover their identity. 

PII can be sensitive and non-sensitive. Someone’s social security number, passport, or driver’s license are unique identifiers and prime examples of sensitive personally identifiable information. 

Non-sensitive personal information can become a risk when that data is pieced together to identify a person indirectly. For instance, gender, birthday, ethnicity, or location may disclose a person’s identity when combined with other information. 

A company may store PII in many ways, but it is most often accessed by cybercriminals when it is available online.

What Qualifies As PII? 

Experts sometimes disagree as to which personal identifiers should be considered PII and which degree of sensitivity should be attributed to such elements. The general rule is to evaluate each bit of personal information from the perspective of personal damage it might cause if it were lost or compromised. 

Here are some common examples of personally identifiable information:

    • *Name: Full name, maiden name, mother’s maiden name, etc.

    • *Date of birth

    • Personal identification numbers issued by the government: Social security number (SSN), passport number, driver’s license number, I.D. card, taxpayer identification number, Medicare, or Medicaid.

    • Other personal identification numbers:  Financial account numbers, credit, and debit card numbers, etc.

    • *Contact information: Address, phone numbers, and email addresses.

    • Personal characteristics: Biometric information including photos (face and other identifying characteristics), retina scan, fingerprints, handwriting, voice, and facial geometry.

    • *Electronic and digital account information: Internet account numbers and passwords.

    • School and employee personnel records and I.D. numbers: Any educational records or identification numbers.

*Of note: Identity Theft Resource Center, a distinguished expert in the field of identity protection does not consider names, phone numbers, passwords, or email addresses to be part of PII.

The above list does not show all of the possible PII examples, but it gives you an idea of the types of data that must be protected.

PII Sensitivity Range

As you can see, PII scope can be confusing, which is why people often ask for the PII meaning or the PII definition. When wondering what is considered personally identifiable information, the answer is the same. It is any stand-alone or combined personal data specific to an individual, which may compromise their identity if it falls into the wrong hands. The important thing to keep in mind here is that PII can become more or less sensitive when combined with other details. For example, name, date of birth, and bank account number become damaging when they are put together.

PII Sensitivity Scale

NON-SENSITIVE PII
Name, birthday, email, address, and phone
SENSITIVE WHEN COMBINED WITH OTHER DATA
Citizenship and immigration status
Religion, ethnicity, and gender
Anonymous medical information
Employment and criminal records
Mother’s maiden name
SENSITIVE BY ITSELF
Account username without password
Password without usename
Biometric data
Social security number
Driver’s license and state ID numbers
Passport and alien registration number

Always be hesitant about sharing your personal information and verify that you are dealing with a trusted entity before filling out any forms online, contests you might see at the grocery store, or offers that you receive in the mail.

What Is Not Considered PII?

There is a lot of information about us online that seems personal but is not necessarily sensitive PII. These details are sometimes called non-PII or non-sensitive information.

Some examples of non-sensitive information include: 

  • *Name
  • Place of birth
  • *Birthday
  • *Ethnic and religious affiliation
  • Sexual orientation
  • I.P. addresses
  • Aggregated statistics on the use of services and products
  • Cookies

How could a name or birthday be considered non-sensitive information? Because many people share the same name or birthday. By themselves, a name or a birthday is not specific to a person. However, when connected as part of a cache of information about someone, they do become sensitive PII.

Be cautious of sharing any information that a cybercriminal could later combine with other information they find somewhere else to harm you.

Which PII Data Is At Risk?


The short answer is that it is all at risk. Credit card and social security information can be sold on the dark web also known as the online black market.

What we consider less sensitive data like names, birthdays, contacts, details, employment, and criminal records are on display on social media and people-search sites. Cybercriminals can find these bits and pieces of your PII and combine them to then steal your identity and funds.

  1. Be wary of sharing your social security number on forms, such as for employment, doctor’s offices, and other locations that request it. It is not usually necessary at all of the places that ask for it. Before giving it to them, ask them how they will keep it safe.

  2. Remove your personal information from the web by opting out of people-search sites. Trust OneRep to monitor the web and keep you permanently opted-out. You can also use our DIY removal guides to remove yourself manually.

  3. Don’t overshare personal details on social media.

How Does PII Get Stolen?


Here are just a few ways that PII can be compromised:

  • A lost or stolen wallet containing IDs, credit cards, and/or social security number falls into the wrong hands.

  • Data breaches through website hacks or insider information theft.

  • Social engineering criminals convince victims to reveal sensitive information or lure them into clicking malicious links that install malware that steals their PII.

  • Data transmissions via public or unsecured home Wi-Fi networks enable hackers to steal passwords for banking and shopping accounts.

  • Email and phone scams are used to divulge sensitive information.

  • Credit card skimming devices steal card numbers and pins.

  • Unencrypted websites with weak security allow cybercriminals to intercept your personal information when you use them. 

What Are The Dangerous Consequences Of PII Theft?

When criminals have your PII, they can:

PII theft leads to devastating consequences as criminals target a victim’s life. By the time someone realizes what has happened, they may have lost money, have damaged credit, or even be subject to arrest if a criminal committed a crime using their identity. Child identity theft may go unnoticed for years while creating a mess that needs to be fixed later.

If cybercriminals create a synthetic identity using real PII, such as a social security number combined with fake identifying information, the resulting damage can have severe long-term consequences for the victim causing credit, insurance, tax, and other issues that are difficult to resolve. 

How Do I Protect My PII?

In addition to the security tips we’ve already shared in the above sections, here is a checklist with specific recommendations to follow to keep your PII safe:

  1. Do not keep your social security card in your wallet.

  2. Shred or otherwise securely dispose of any printed PII, such as unwanted mailings.

  3. Avoid storing PII on electronic devices and permanently delete any record of PII you no longer need on a device.

  4. Create and use strong passwords on all digital devices and keep them locked when not in use. Even if you do not store PII on these devices, you may use them for transactions that contain your private data.

  5. Use multi-factor authentication.

  6. Don’t use public Wi-Fi or let strangers connect to your primary Wi-Fi network.

  7. Use VPN and antivirus protection.

  8. Don’t click on links in emails or messages from unfamiliar senders.

  9. Use trusted third-party payment services, encrypted sites, and other secure methods for entry of any PII.

  10. Proactively freeze your credit reports to prevent cybercriminals from getting credit with your identity.

  11. Monitor your accounts for known data breaches. Plenty of services are available to help

Applicable Laws and Regulatory Institutions

There are various personally identifiable information laws and agencies that protect people’s sensitive PII. The following are some widely-known protection laws that regulate PII handling in the U.S. It’s important to note however that protections are not limited to these rules, acts, and laws. 

COPPA

The Children’s Online Privacy Protection Rule (COPPA) details the requirements that online services targeted to children must follow when collecting PII. In some cases, parents of children under 13 may be given choices of what information they want to share with a website. Violation of these regulations may result in large fines and criminal penalties.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects private patient information from being disclosed without permission. Individually identifiable health information is protected under HIPAA in a nationwide and standardized way. HIPAA also allows for the flow of non-sensitive health data that may be used for public health and well-being.

Personally identifiable information HIPAA rules are well detailed in this law and make the protections clear to patients and guardians.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects student educational records. It also provides provisions for parents and students to request data and give permission to release files.

FERPA personally identifiable information protection applies to all schools that receive funds from the U.S. Department of Education. It may not apply to some private schools, colleges, or universities.

Privacy Act of 1974

The Privacy Act of 1974  established information collection practices that govern the use, maintenance, and dissemination of PII held by the U.S. Federal Government. Additionally, it provides a means where citizens can access and request the change of their records.  

Some of the agencies that regulate PII handling include:

PII FAQ

What is a PII violation? 

The most prevalent PII violation is identity theft. But any case where your personally identifiable information is used or shared without your consent is a violation. 

Who owns PII?

Companies collect PII about consumers, and they are responsible for keeping that data safe. While the information their systems contain may be about consumers, the business owns those records. In some cases, you may be entitled to view these records by request. It is your responsibility to make good choices that safeguard your PII and make wise decisions about how you share it. 

Who is responsible for protecting PII? 

Companies and individuals share responsibility for protecting PII. Many companies have personally identifiable information training to be sure their employees understand how to protect sensitive PII. 

What must you do when emailing personally identifiable information?

PII should never be emailed using unsecured email. Use encrypted secure email systems that can not be easily intercepted by hackers who could steal any personally identifiable information. 

What is the best example of protected health information? 

Protected Health Information (PHI) includes PII that could identify a patient and any medical information about that person. A person’s disease history is protected from unauthorized disclosure. PHI is legally protected by the Health Insurance Portability and Accountability Act (HIPAA) and can carry penalties of up to $50,000 per violation with a maximum of $1.5 million a year.

Is a VIN considered PII?

Yes, a Vehicle Identification Number (VIN) is considered PII as it is specific to a vehicle.

Is place of birth PII?

Some experts do not consider your place of birth non-sensitive information. When added to your name and bank account number, it can become sensitive. 

Is last four of SSN considered PII?

Yes, the last four digits of your Social Security number are sensitive PII. This truncated SSN is highly sensitive both stand alone and in combination with other bits of PII. 

Is personally identifiable information the same in each state?

There are both federal and state laws that define and regulate PII. Personally identifiable information law may vary across states. But federal laws, acts, and organizations protect PII disclosure across the country. Additionally, different industries have regulatory organizations that mandate PII handling. 

PII’s meaning is consistently understood in all states, as any data that directly identifies an individual

To Wrap It Up

PII violations can be devastating to your life. That’s why it’s so important to safeguard your information and take precautions to protect both your data and your identity. 

Remember, even information not considered PII can be pieced together by cybercriminals resulting in fraud and identity theft. To avoid this, we strongly encourage you to use OneRep’s free 5-day trial to delete your personal information from people-search sites that expose your PII and other personal data.

Maria Shishkova

Digital Marketer & Privacy Expert at OneRep | LinkedIn