Who today can deny the power of the right information? Breaking news, an early warning of a natural disaster, an alert to avoid a congested street, the whereabouts of your loved ones, when to buy which share: the list of ways information matters, and of how easily it is available today, goes on and on.
The right information about the right thing at the right time is everything, and people pay huge sums to acquire it. There is a flipside, though.
The right information about the right thing at the right time, in the wrong hands, is a cause for real panic. In the internet era, where you sign up for new websites every day, your information is spread far and wide, and what kind of information is out there is what matters. The concept of Personally Identifiable Information (PII) exists to describe how sensitive each piece of that information is.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is any data that can be used to identify an individual, either on its own or in combination with other data. PII spans a wide spectrum. At one end is information as harmless as your first name: if your name is Chandler, you are almost certainly not the only one. At the other end is your social security number, which is unique to you and should be disclosed only when strictly necessary.
Because PII is such a broad term, and the repercussions of revealing a first name and of revealing a social security number are poles apart, PII is divided into types.
Sensitive and non-sensitive Personally Identifiable Information
Both types convey some information about you one way or another, but because sensitive PII is unique to you and points directly at you, it has to be handled differently.
Sensitive PII must be encrypted in transit and at rest, and access to it should be restricted and logged. Stolen sensitive PII can lead to identity theft, blackmail, theft of assets, and much more. Essentially, whoever takes this data has a mask that lets them pass as you, and can therefore do almost anything you are authorized to do.
Examples of sensitive PII are your social security number, bank account number, biometric data, health records, and other government-issued identifiers such as a driver's licence or state ID number. You get the idea.
Non-sensitive PII is not necessarily unique to you, but combined with other data it can point in your direction. It is not usually subject to the same encryption requirements as sensitive PII, although, as the next section shows, combinations of non-sensitive fields can be just as identifying.
Examples of non-sensitive PII are your first name, last name, social media profile, and job title.
Non-PII and the harmless combinations
Non-PII is information that is not directly about you: cookies, device type, IP address, timestamps, age range, zip code, and so on.
Whether an IP address is PII is debatable. The argument for treating it as non-PII is that it is not assigned to you as a person: a dynamic IP address is leased by your ISP to your connection for a while and then reassigned, and a static one is assigned to a device such as a router. On that view it points to a location and a device rather than directly to you. Note, however, that GDPR treats IP addresses as online identifiers and therefore as personal data, so an organization handling the data of EU users cannot rely on this distinction.
This data is further segregated. Information that directly relates to you, such as your home address, email address, or social security number, is linked information. Information that only relates to you in combination with other data, including the fields we called non-PII above, such as your country, first name, or job title, is linkable information. On its own, linkable information holds hardly any value to a bad actor; combined with other data, it does.
For example, what can someone do with just the name of your town? Not much. Now suppose they also obtain your device type and your last name: now you are in trouble. Each of these alone qualifies as non-PII, but put together they are as good as any other identifier to someone with bad intentions.
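The re-identification risk described above can be measured rather than just asserted: for a chosen set of "harmless" attributes (quasi-identifiers), count how many records share each combination. If any combination matches exactly one record, those attributes identify a person. This is the k-anonymity check, shown here as an added example that is not part of the original post; the records are constructed for illustration and do not describe real people.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not real people). Each field on its own is the
# kind of "linkable" information the post calls non-PII.
RECORDS: List[Dict[str, str]] = [
    {"town": "Springfield", "device": "iPhone", "last_name": "Bing", "first_name": "Chandler"},
    {"town": "Springfield", "device": "Android", "last_name": "Bing", "first_name": "Ross"},
    {"town": "Springfield", "device": "iPhone", "last_name": "Geller", "first_name": "Monica"},
    {"town": "Springfield", "device": "Android", "last_name": "Geller", "first_name": "Ross"},
    {"town": "Shelbyville", "device": "iPhone", "last_name": "Bing", "first_name": "Joey"},
    {"town": "Shelbyville", "device": "iPhone", "last_name": "Green", "first_name": "Rachel"},
]


def group_sizes(records: Iterable[Dict[str, str]],
                quasi_identifiers: Tuple[str, ...]) -> Counter:
    """Count how many records share each combination of the chosen attributes."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: List[Dict[str, str]],
                quasi_identifiers: Tuple[str, ...]) -> int:
    """The k in k-anonymity: the size of the smallest group of records that
    are indistinguishable on these attributes. k == 1 means at least one
    person is singled out by these attributes alone."""
    return min(group_sizes(records, quasi_identifiers).values())


def unique_individuals(records: List[Dict[str, str]],
                       quasi_identifiers: Tuple[str, ...]) -> List[Tuple[str, ...]]:
    """Attribute combinations that pin down exactly one record."""
    return [key for key, n in group_sizes(records, quasi_identifiers).items() if n == 1]


if __name__ == "__main__":
    # Town alone: every town has at least two residents, nobody is singled out.
    # Town + device type: still at least two per group.
    # Town + device type + last name: every record becomes unique.
    for attrs in (("town",), ("town", "device"), ("town", "device", "last_name")):
        print(f"{'+'.join(attrs):28} k={k_anonymity(RECORDS, attrs)} "
              f"unique={len(unique_individuals(RECORDS, attrs))}")
```

The same check is what a data team should run before releasing an "anonymized" extract: if k drops to 1 for any combination of fields an adversary could plausibly obtain, generalize or drop a field (last name here) until k is at least 2, and preferably much higher.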
Stolen data? It is your fault too
The recent Facebook scandal set off a lot of discussion about PII: data on some 50 million users (Facebook later put the figure at up to 87 million) was collected without their consent and passed to the company Cambridge Analytica.
Social media is the first place to look for your information today. Have you posted a cute picture of your little dog or kitten, name included, visible to everyone and not just your connections? Then you have voluntarily given away the answer to the security question "What is the name of your pet?"
This simple example shows why, today, you must be conscious of what information you decide to put out there.
The European Union's General Data Protection Regulation (GDPR) sets stringent rules on how the personal data of people in the EU may be used. It caused a wave of concern among organizations because it defines a broad spectrum of data as personal data, and a violation can cost up to 4% of annual global turnover (or EUR 20 million, whichever is higher). It also requires organizations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. You can read at length about GDPR compliance in our blog post, "A year since GDPR, are you compliant yet?".
What can organizations do to protect PII?
- Encrypt sensitive PII, in transit and at rest, without exception. This is not a point to be taken lightly.
- Ensure your customers know what they are consenting to when they sign up with you.
- Protect your employees' data just as carefully. Identity management solutions provide governance and compliance controls that ensure you always know who has access to what.
- Data used in AdTech and MarTech applications needs particular protection; the combinations of linkable fields these systems collect are exactly the kind described above.
- Never store passwords in plain text, and do not rely on a plain hash either: use a salted, deliberately slow password hashing function (bcrypt, scrypt, Argon2, or PBKDF2).
Organizations face several regulations to keep them compliant, with severe repercussions when they fail to do so. On an individual level, it is your responsibility how you handle your data, your passwords, and anything else that can lead back to you.