
What is personally identifiable information (PII)?


Personally identifiable information (PII) is any data that can be used to identify a specific person—things like social security numbers, home addresses, passport numbers, and biometric data. Because PII is exactly what an identity thief needs to pose as someone else, protecting it is essential for you, your customers, and your team.

Here’s an overview of what counts as PII, how it can harm your business in the wrong hands, and the steps you can take to keep it secure.

What is personally identifiable information?

PII includes any type of data that can be used to identify or imitate a specific person. It plays a key role in identity theft because it covers much of the information needed to pose as someone else—to gain access to their resources or harm them or their business. Keeping this information private helps protect you and your business from anyone trying to convince others they’re you.


PII vs. protected health information

Protected health information (PHI) is any type of confidential personal medical data.

This data isn’t technically considered PII but functions similarly and must be adequately protected.

Although guidelines for protecting look similar, PII isn’t subject to -specific requirements.

Why does PII need to be secured?

Protecting PII safeguards your team members, customers, and business from a wide range of threats. Everyone your business works with expects you to prevent data breaches and security lapses that could harm their integrity, assets, or personal safety. Falling short puts those parties at risk, compromises your business’s security, and can carry legal consequences.

Severe PII security lapses can mean paying significant damages and attorney fees to the businesses or individuals harmed—especially if your company didn’t have, or didn’t follow, protocols that should have prevented the error.

The most extreme cases may result in termination or criminal charges against you individually. Privacy laws like the GDPR in Europe and state laws such as the CCPA in the US also impose obligations on how organizations handle personal information, with penalties for mishandling it. Being diligent about keeping PII secure is always in your best interest.

What pieces of information are considered PII?

Many types of PII can be used against you or your company if they fall into the wrong hands. Which types matter most often depends on the nature of your organization.

PII is limited to data that can reasonably identify someone—details that could describe multiple people generally aren’t PII.

Here are some common types:

  • Your social security number, driver’s license number, passport number, taxpayer identification number, credit card number, bank account number, or other identification number used to identify you
  • Your personal address, phone number, email address, or other non-business contact information
  • Your handwriting, fingerprints, or biometric data
  • Your IP address (if you’re the only person who typically uses a particular device)
  • Information about your personal property, such as a title number, vehicle identification number (VIN), or serial number that proves a vehicle or other high-value item belongs to you
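
As an added example (not part of the original article), the Python code below scans free text such as a support ticket or log line for a few of the identifier types listed above and masks them before the text is stored or shared. The patterns assume US-style formats; the function names and the sample text are assumptions made for illustration.

```python
import re

# Patterns for a few identifier types from the list above (US-style formats assumed).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, optional separators
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_valid(kind: str, value: str) -> bool:
    # Second-stage checks cut false positives from the loose regexes.
    if kind == "card":
        return luhn_ok(re.sub(r"\D", "", value))
    if kind == "ipv4":
        return all(int(octet) <= 255 for octet in value.split("."))
    if kind == "ssn":
        area, group, serial = value.split("-")
        return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"
    return True

def redact(text: str):
    """Return (redacted_text, findings); findings lists each kind that was masked."""
    findings = []
    for kind, pattern in PATTERNS.items():
        def mask(m, kind=kind):
            if not is_valid(kind, m.group()):
                return m.group()  # looks similar but fails validation: leave as is
            findings.append(kind)
            return f"[{kind.upper()} REDACTED]"
        text = pattern.sub(mask, text)
    return text, findings

# Constructed sample: a support-ticket note using well-known dummy/test values.
SAMPLE = ("Caller jane.doe@example.com gave SSN 078-05-1120 and card "
          "4111 1111 1111 1111 from 203.0.113.7; order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The order reference in the sample has the same shape as a card number but fails the Luhn check, so it is left in place; that second-stage validation is what keeps a scanner like this from masking every long digit run.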

How is PII used in identity theft?

Most types of PII are meant to be known to or used by you alone—numbers assigned to you that are next to impossible to guess, or handwriting nuances most people couldn’t accurately copy.

Identity thieves who get unauthorized access to this information can convince a bank, credit card company, or similar organization that they’re you—especially with several pieces of information to back them up. Your address alone is fairly easy to obtain, but your address plus your bank account number can make accessing your bank account relatively easy.

How to keep your PII safe

Make it as difficult as possible for identity thieves to find the information they need to impersonate you.

In a work setting, protect important documents with a lock or password, shred papers that contain PII, pay attention to where you enter any PII online, and avoid sharing confidential data with anyone who doesn’t have a legitimate reason to know it.

How do identity thieves steal your information?

Identity thieves access PII in several ways, and their tactics keep evolving. Here are five of the most common:

Phishing

Clicking unsafe links in emails and other communications can leak several types of PII to identity thieves.

Phishing scammers often pose as your bank, credit card company, healthcare provider, payment platform, or another seemingly reputable sender and ask you to enter account details or “verify” other personal information.

Other phishing scams install malware or other unsafe files on your computer as soon as you click a link, which can then search your device for sensitive information.

To prevent phishing scams, always verify who’s really contacting you. If you receive a suspicious email from your bank, contact the bank via a separate email (not by replying to the one you received) or another channel.

Remember that legitimate senders won’t typically ask you for personal information. They’d expect you to go to their website and log in as you normally would to confirm something or solve a legitimate problem.

Smishing

Smishing works like phishing but arrives primarily through text messages, attempting to obtain PII via suspicious links.

Be diligent about where text messages come from. Don’t provide any information that could jeopardize you, your business, or anyone your business interacts with until you’ve verified who the sender is and whether they should be asking for private information.

Social engineering

Social engineering involves manipulating a team member into revealing sensitive information. The scammer holds seemingly non-invasive conversations to feel out how they can get the target to reveal what they want.

Early conversations focus on building trust without touching anything sensitive or confidential. As trust develops, the attacker moves closer to the specific information they’re after. The end goal is to get the target to reveal PII on their own, without the attacker having to search for it.

It’s hard to avoid social engineering if you don’t know you’re being manipulated. Take a moment to think about who’s asking for personal information, whether they’re supposed to have it, and whether they’re who they say they are. That awareness can stop a social engineering attack before it goes too far.

Unsecure internet activity

Your company probably conducts a lot of business online, which makes your PII vulnerable on websites that don’t meet proper security guidelines—and to other cyber attacks.

Protect your company’s website with adequate cybersecurity measures, and confirm other websites are secure before entering sensitive information.

Document or mail theft

Your business likely stores a wide range of important documents in your office or online, and receives many in the mail. Leaving this information unsecured makes your PII much easier to access for people who’d use it to harm you.

Lock your mailbox and paper file storage areas, and protect your email account and digital file storage with strong passwords to prevent unauthorized access.
