Word of the Day: PII
Author(s): Dr. Glen E. Newton, Posted on October 23rd, 2015
Multiple choice: PII is
(a) The ratio of the circumference of a circle to its diameter. “Mom, Mr. Jensen made the whole class memorize the first 7 digits of PII.”
(b) The city that was destroyed when Vesuvius erupted in 79 AD. “Naples is beautiful, Sophia, but visiting the ruins of PII takes me back to the times of the Pax Romana.”
(c) An acronym for Pineapple-Induced Indigestion. “Oh, dear, Elmer, I’m afraid my pineapple upside-down cake gave you PII.”
(d) The Old English spelling of “pie” before the Norman Conquest forced changes in the language of the upper classes. “Have another piece of pii, Harold, before you leave for Hastings.”
(e) A private insurance investigator. “Hey, Biff, want to watch a Magnum PII rerun with me?”
If you selected (a) through (e), you’re just guessing. The correct answer is “(f) an acronym for Personally Identifiable Information.”
There is no universal definition of PII, but all include the concept that PII refers to information that can be used to distinguish or trace an individual’s identity. Sometimes, a single data item is sufficient to identify an individual. Fingerprints and other biometric information (e.g., retina scan, voice signature, and facial geometry) are often used in authentication schemes because they are distinct enough for this purpose. Even if a single data item, such as date of birth, is not sufficient to identify an individual, it is usually considered PII because it can be combined with other information, such as name and education records, to uniquely identify an individual.
We live in a society in which an individual’s right to privacy is closely related to the protection of his PII. Some jurisdictions regulate the collection and use of PII. Specific industry organizations also have rules for the use of PII. Often these regulations specify penalties for faulty handling of PII.
Here are just a few examples:
- The Driver’s Privacy Protection Act of 1994 is a United States law that puts limits on disclosures of personal information in records maintained by state departments of motor vehicles.
- One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is to protect a patient’s Protected Health Information, which is one type of PII.
- The Payment Card Industry Data Security Standard, while not including its own definition of PII, requires credit card information, one specific type of PII, to be protected in storage, transit and use.
- The state of California’s Credit/Debit Card Number Truncation law (California Civil Code section 1747.09) requires that no more than the last five digits of a credit card or debit card number be printed on the customer copy of electronically printed receipts.
The United States Department of Homeland Security (DHS) makes a further important distinction: PII vs. Sensitive PII. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Information defines Sensitive PII as
…Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
An individual’s name, email, home address, and phone number are PII. His Social Security Number, Alien Registration Number, driver’s license or state ID number, passport number, financial account numbers, and biometric identifiers are considered Sensitive PII. A complication is that the categorization is context-dependent: DHS says that some PII can become sensitive PII when combined with other information, such as citizenship status, religious affiliation, criminal record, or the last four digits of the Social Security Number.
The concept of different levels of PII is also reflected in the United States Code definition of highly restricted personal information—“an individual’s photograph or image, social security number, medical or disability information.” The concept may appear with other names, such as confidentiality impact level, but it always denotes data that is in some way more potentially damaging than other PII because of the ramifications to the individual if it is released to unauthorized recipients.
This confidentiality level distinction is understood in the corporate world; respondents to the Kaspersky Labs IT Security Risks Survey 2014 ranked protection of highly sensitive data several percentage points higher than general data protection and preventing data breaches.
What can you do to ensure that your customers can trust you with their PII and sensitive PII? Here are a few suggestions:
- Involve your chief privacy officer, legal counsel, and other senior management when addressing issues related to PII.
- Since there are no hard and fast rules about what constitutes PII and sensitive PII, start by developing guidelines for your business, incorporating the applicable laws and regulations.
- Identify all PII residing in your environment, giving special attention to identifying sensitive PII; if in doubt, err on the side of inclusion.
- Review the results for consistency across all business areas.
- Develop policies and procedures that minimize the use, collection, and retention of PII to what is strictly necessary to accomplish your business purpose and mission.
- Apply the appropriate safeguards for your PII based on its sensitivity.
- Develop an incident response plan to handle breaches involving PII; if you are subject to penalties for data breaches, incorporate any applicable timelines and requirements into your plan.
Some of the suggestions above are based on NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). It can be a valuable resource as you take the next steps in your company’s handling of PII.
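Two of the points above, identifying the PII that lives in your environment and truncating card numbers on receipts, can be illustrated in code. The following is an added example written for this page; it is not code from the original post, from DHS, or from NIST SP 800-122. It scans constructed sample text for a few common identifier formats, labels each hit as PII or Sensitive PII using the DHS split described earlier (name, email and phone are PII; Social Security and financial account numbers are Sensitive PII), and masks values before reporting them so the scan report does not itself become a store of PII. The regular expressions, the Luhn check used to reject card-like digit strings that are not real account numbers, and the five-digit ceiling in `truncate_for_receipt` (taken from the California rule quoted above) are all assumptions of this example; the card number `4111 1111 1111 1111` is a well-known test value, not a real account.

```python
import re
from dataclasses import dataclass

# Detection patterns (constructed for this example; a real discovery tool
# needs broader, locale-aware patterns plus validation and human review).
PATTERNS = {
    "ssn":   re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "card":  re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}

# Tiering follows the DHS distinction: SSN and financial account numbers are
# Sensitive PII; email and phone are PII.
SENSITIVE = {"ssn", "card"}

# Constructed sample lines, as might be found in a log or support ticket.
SAMPLE = """\
customer: Elmer Jensen <elmer.jensen@example.com> phone (555) 123-4567
ssn on file: 123-45-6789
card: 4111 1111 1111 1111 exp 12/27
invalid card-like number: 1234 5678 9012 3456
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern matched
    tier: str      # "PII" or "Sensitive PII"
    line: int      # 1-based line number in the scanned text
    masked: str    # redacted preview of the matched value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str, keep_last: int = 4) -> str:
    """Mask letters and digits, keeping only the last few characters."""
    head, tail = value[:-keep_last], value[-keep_last:]
    return re.sub(r"[0-9A-Za-z]", "*", head) + tail


def scan(text: str) -> list[Finding]:
    """Find candidate PII per line; overlapping matches keep the earliest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = []
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue  # looks like a card number but fails the checksum
                hits.append((m.start(), m.end(), kind, m.group()))
        hits.sort()
        last_end = -1
        for start, end, kind, value in hits:
            if start < last_end:
                continue
            last_end = end
            tier = "Sensitive PII" if kind in SENSITIVE else "PII"
            findings.append(Finding(kind, tier, lineno, redact(value)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per tier, the figure a review across business areas wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.tier] = counts.get(f.tier, 0) + 1
    return counts


def truncate_for_receipt(pan: str, keep_last: int = 5) -> str:
    """Mask a card number for the customer copy of a receipt.

    Never prints more than the last five digits (the ceiling cited above
    from California Civil Code 1747.09); rejects implausible input.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    keep_last = min(keep_last, 5)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"line {f.line}: {f.tier:<14} {f.kind:<6} {f.masked}")
    print(summarize(results))
    print(truncate_for_receipt("4111 1111 1111 1111"))
```

The masked previews still show the last four digits, which is customary for card numbers but, as the DHS guidance above notes, the last four digits of an SSN combined with a name can themselves be Sensitive PII; a production report should mask SSN findings completely or report only their location.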