Understanding personally identifiable information: what is PII and how to protect it online

There were over 3 million cases of fraud and identity theft last year. Improper use of your personally identifiable information (PII) is the leading cause of these types of cybercrimes. This article explains more about PII and will teach you how to protect yourself.

What is PII? 

PII stands for personally identifiable information and refers to an individual’s private data that could be used to discover their identity. 

PII can be sensitive and non-sensitive. Someone’s social security number, passport, or driver’s license are unique identifiers and prime examples of sensitive personally identifiable information. 

Non-sensitive personal information can become a risk when that data is pieced together to identify a person indirectly. For instance, gender, birthday, ethnicity, or medical information may disclose a person’s identity when combined with other information. 

A company may store PII in many ways, but it is most often accessed by cybercriminals when it is available online.

What qualifies as PII? 

Experts often disagree as to which personal identifiers should be considered PII and which degree of sensitivity should be attributed to such elements. The general rule is to evaluate each bit of personal information from the perspective of personal damage it might cause if it were lost or compromised. 

Here are some common examples of personally identifiable information:

• *Name: Full name, maiden name, mother’s maiden name, etc.
• *Date of birth
• Personal identification numbers issued by the government: Social Security number (SSN), passport number, driver’s license number, I.D. card, taxpayer identification number, Medicare, or Medicaid.
• Other personal identification numbers:  Financial account numbers, credit, and debit card numbers, etc.
• *Contact information: Address, phone numbers, and email addresses.
• Personal characteristics: Biometric information including photos (face and other identifying characteristics), retina scan, fingerprints, handwriting, voice, and facial geometry.
• *Electronic and digital account information: Internet account numbers and passwords.
• School and employee personnel records and I.D. numbers: Any educational records or identification numbers.

*Of note: Identity Theft Resource Center, a distinguished expert in the field of identity protection does not consider names, phone numbers, passwords, or email addresses to be part of PII.

The above list does not show all of the possible PII examples, but it gives you an idea of the types of data that must be protected.

PII sensitivity range

Indeed, PII scope can be confusing, which is why people often ask for the PII meaning or the PII definition. When wondering what is considered personally identifiable information, the answer is the same. It is any stand-alone or combined personal data specific to an individual, which may compromise their identity if it falls into the wrong hands. The important thing to keep in mind here is that PII can become more or less sensitive when combined with other details. For example, name, date of birth, and bank account number become damaging when they are put together.

What is not considered PII?

There is a lot of information about us online that seems personal but is not necessarily sensitive PII. These details are sometimes called non-PII or non-sensitive information.

Some examples of non-sensitive information include: 

• *Name
• Place of birth
• *Birthday
• I.P. addresses
• Aggregated statistics on the use of services and products
• Cookies

How could a name or birthday be considered non-sensitive information? Because many people share the same name or birthday. By themselves, a name or a birthday is not specific to a person. However, when connected as part of a cache of information about someone, they do become sensitive PII.

We’ve made this infographic to display the personal information spectrum with a specific goal in mind – raise awareness about the risks involved in a simple act of sharing your personal information.

Which PII data is at risk?

The short answer is that it is all at risk. Credit card and social security information can be sold on the dark web also known as the online black market.

What we consider less sensitive data like names, birthdays, contacts, details, employment, and criminal records are on display on social media and people-search sites. Cybercriminals can find these bits and pieces of your PII and combine them to then steal your identity and funds.

How does PII get stolen?

Here are just a few ways that PII can be compromised:

• A lost or stolen wallet containing IDs, credit cards, and/or social security number falls into the wrong hands.
• Data breaches through website hacks or insider information theft.
• Social engineering criminals convince victims to reveal sensitive information or lure them into clicking malicious links that install malware that steals their PII.
• Data transmissions via public or unsecured home Wi-Fi networks enable hackers to steal passwords for banking and shopping accounts.
• Email phishing and phone scams are used to divulge sensitive information.
• Credit card skimming devices steal card numbers and pins.
• Unencrypted websites with weak security allow cybercriminals to intercept your personal information when you use them. 

What are the dangerous consequences of PII theft?

When criminals have your PII, they can:

• Engage in all kinds of bank scams to steal funds, cash checks, and open new credit cards in your name, etc.
• Steal your tax return or government benefits.
• Apply for loans in your name.
• Log in to your personal accounts (bank, medical, email, social media, etc.) to make fraudulent purchases or scam others.
• Open new phone and utility accounts.
• Change your billing addresses for services and then run up charges.
• Obtain a new driver’s license or official IDs in your name to assume your identity and then use your identity when questioned by police.
• Buy drugs or submit fraudulent bills for medical coverage you did not receive.

PII theft leads to devastating consequences as criminals target a victim’s life. By the time someone realizes what has happened, they may have lost money, have damaged credit, or even be subject to arrest if a criminal committed a crime using their identity. Child identity theft may go unnoticed for years while creating a mess that needs to be fixed later.

If cybercriminals create a synthetic identity using real PII, such as a social security number combined with fake identifying information, the resulting damage can have severe long-term consequences for the victim causing credit, insurance, tax, and other issues that are difficult to resolve. 

How do I protect my PII?

In addition to the security tips we’ve already shared in the above sections, here is a checklist with specific recommendations to follow to keep your PII safe:

1. Do not keep your social security card in your wallet.
2. Shred or otherwise securely dispose of any printed PII, such as unwanted mailings.
3. Avoid storing PII on electronic devices and permanently delete any record of PII you no longer need on a device.
4. Create and use strong passwords on all digital devices and keep them locked when not in use. Even if you do not store PII on these devices, you may use them for transactions that contain your private data.
5. Use antivirus protection and two-step verification.
6. Don’t use public Wi-Fi or let strangers connect to your primary Wi-Fi network.
7. Use VPN to protect your data and online privacy. Plus, a VPN allows you to find out which country has the best Netflix. It’s a win-win!
8. Don’t click on links in emails or messages from unfamiliar senders.
9. Use trusted third-party payment services, encrypted sites, and other secure methods for entry of any PII.
10. Proactively freeze your credit reports to prevent cybercriminals from getting credit with your identity.
11. Monitor your accounts for known data breaches. Plenty of services are available to help.

Applicable laws and regulatory institutions

There are various personally identifiable information laws and agencies that protect people’s sensitive PII. The following are some widely-known protection laws that regulate PII handling in the U.S. It’s important to note however that protections are not limited to these rules, acts, and laws. 

COPPA

The Children’s Online Privacy Protection Rule (COPPA) details the requirements that online services targeted to children must follow when collecting PII. In some cases, parents of children under 13 may be given choices of what information they want to share with a website. Violation of these regulations may result in large fines and criminal penalties.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects private patient information from being disclosed without permission. Individually identifiable health information is protected under HIPAA in a nationwide and standardized way. HIPAA also allows for the flow of non-sensitive health data that may be used for public health and well-being.

Personally identifiable information HIPAA rules are well detailed in this law and make the protections clear to patients and guardians.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects student educational records. It also provides provisions for parents and students to request data and give permission to release files.

FERPA personally identifiable information protection applies to all schools that receive funds from the U.S. Department of Education. It may not apply to some private schools, colleges, or universities.

Privacy Act of 1974

The Privacy Act of 1974  established information collection practices that govern the use, maintenance, and dissemination of PII held by the U.S. Federal Government. Additionally, it provides a means where citizens can access and request the change of their records.  

Some of the agencies that regulate PII handling include:

• The Network Advertising Initiative (NAI)
• The Department of Consumer Protection (part of the Federal Trade Commission)
• Consumer Affairs
• The Federal Communications Commission (FCC)
• The National Institute of Standards and Technology (NIST)

To wrap it up

PII violations can be devastating to your life. That’s why it’s so important to safeguard your information and take precautions to protect both your data and your identity. 

Remember, even information not considered PII can be pieced together by cybercriminals resulting in fraud and identity theft. To avoid this, we strongly encourage you to use Onerep’s free 5-day trial to delete your personal information from people-search sites that expose your PII and other personal data.