What is personally identifiable information (PII)?

Last updated: 1 September 2023

Author: Dovetail Editorial Team

Protecting confidential personal information about your business, customers, and team members is a must for preventing identity theft.

Here is an overview of what personally identifiable information (PII) is, how it could harm your business in the wrong hands, and steps you can take to keep it secure.

What is personally identifiable information?

PII includes any type of data that can be used to identify or imitate a specific person. It plays a key role in identity theft because it includes many of the types of information needed to pose as someone else. As a result, taking steps to keep this information private can help keep you and your business safe from those who may want to convince someone they are you. They might do this to gain access to your resources or harm you or your business.

PII vs. protected health information

Protected health information (PHI) is any type of confidential personal medical data.

This data is not technically considered PII but functions similarly and must be adequately protected.

Although guidelines for protecting PII and PHI look similar, PII is not subject to Health Insurance Portability and Accountability Act (HIPAA)-specific requirements.

Why does PII need to be secured?

Protecting PII helps safeguard your team members, customers, and business as a whole from a wide range of potential threats. Everyone your business works with expects you to do everything you can to prevent data breaches or other security lapses that may harm their integrity, assets, or personal safety. Not doing so can put these parties at risk, compromise your business’s security, and have legal consequences.

Severe PII security lapses can result in your business paying significant damages and attorney fees to the business or individuals harmed, especially if your company didn’t have or properly follow protocols that should have prevented the error.

The most extreme cases may also result in termination or criminal charges that target you individually. For these reasons, being as diligent as possible about keeping PII secure is always in your best interest.

What pieces of information are considered PII?

There are many types of PII that may be used against you or your company if they fall into the wrong hands.

The specific types that are most relevant to you often depend on the nature of your organization. PII is generally limited to details that can harm your business.

PII is also limited to types of data that can reasonably identify someone. Types that could describe multiple people are generally not PII.

Here are some common types of PII:

  • Your social security number, driver’s license number, passport number, taxpayer identification number, credit card number, bank account number, or other identification number that is used to identify you

  • Your personal address, phone number, email address, or other non-business contact information

  • Your handwriting, fingerprints, or biometric data

  • Your IP address (if you are the only person that typically uses a particular device)

  • Information about your personal property, such as a title number, vehicle identification number (VIN), or serial number that proves a vehicle or other high-value item belongs to you

How is PII used in identity theft?

Most types of PII are intended to be known to or used by you alone. Examples include numbers assigned to you that are next to impossible to guess or handwriting nuances that most people couldn’t accurately copy.

As a result, identity thieves who obtain unauthorized access to this information can reasonably convince a bank, credit card company, or similar organization that they are you—especially if they have several pieces of information to back them up. Your address, for example, is reasonably easy to obtain, but being able to provide both your address and your bank account number can make it relatively easy to access your bank account.

How to keep your PII safe

You should make it as difficult as possible for identity thieves to find the information they need to convince someone they are you.

In a work setting, you and your team should always be careful to protect important documents with a lock or password, shred any papers that contain PII, pay attention to where you enter any type of PII online, and avoid sharing confidential data with anyone without a legitimate reason to know it.

How do identity thieves steal your information?

Identity thieves may access your PII in several ways, so it’s best to stay informed about evolving tactics.

Here are five of the most common ways your PII may be obtained and used against you:

Phishing

Clicking on unsafe links in emails and other communications can leak several types of PII to identity thieves.

Phishing scammers often pose as your bank, credit card company, healthcare provider, PayPal, or another seemingly reputable sender and ask you to enter account details or “verify” other personal information.

Other types of phishing scams may automatically install malware or other unsafe files on your computer as soon as you click on a link. This may then be used to search for sensitive information about you on your device.

To prevent phishing scams, always verify who is really contacting you. For example, if you receive a suspicious email from your bank, contact the bank via a separate email (not by replying to the email you received) or another channel.

Remember that legitimate senders won’t typically ask you for personal information. Instead, they would expect you to go to their website and log in as you normally would to make a valid confirmation or solve a legitimate problem.

Smishing

Smishing works similarly to phishing, but it’s primarily conducted through text messages. This type of attack attempts to obtain PII via suspicious links.

Always be diligent about where text messages are coming from. Don’t provide any information that could jeopardize you, your business, or anyone your business interacts with without verifying who the sender is and whether they should be asking you for private information.

Social engineering

Social engineering involves manipulating a team member into revealing sensitive information. The scammer will hold seemingly non-invasive conversations with someone to feel out how they can convince them to reveal the information they want.

The attacker focuses early conversations on getting the target to trust them without addressing anything sensitive or confidential. Then, as trust develops, they move closer to the specific types of information they want. The end goal of social engineering is to get the target to reveal PII on their own, without the attacker having to search for the information.

It can be difficult to avoid falling for social engineering if you don’t know you are being manipulated, but always take a moment to think about who is asking you for personal information, whether they are supposed to have it, and whether they are who they say they are. This awareness can help prevent you from accidentally revealing information and stop any potential social engineering attacks before they get too far.

Unsecured internet activity

Your company probably conducts a lot of business online. This means you are vulnerable to having your PII accessed on websites that don’t meet proper security guidelines or through other cyber attacks.

Make sure your company’s website is protected with adequate cyber security measures and ensure that other websites are secure before entering sensitive information.

Document or mail theft

Your business might store a wide range of important documents in your office or online. It might also receive many in the mail. Not securing this information properly can make accessing your PII much easier for people who may use it to harm you. This means you should take steps to protect your sensitive mail and other documents.

Your mailbox and paper file storage areas should be locked, and your email account and digital file storage should be protected with strong passwords to prevent unauthorized access.

FAQs

What are the different types of personally identifiable information?

Some common types of PII include the following:

  • Credit card or bank account numbers

  • Passport, driver’s license, or social security numbers

  • Personal contact information

  • Biometric data 

What qualifies as PII?

PII is generally limited to types of data that:

  • Are unique to you

  • Can be used to identify you

  • Can negatively impact you if someone who wants to impersonate you accesses them

Is salary information sensitive personal data?

While you may not necessarily want it to be public, your salary is not a piece of information that can be used to impersonate you or otherwise harm you. As a result, it’s not generally considered PII.

Are there laws and regulations that govern PII?

Laws and regulations for PII vary by location and business type, meaning it’s important to learn about and follow the specific policies that apply to you.

