
What is Personal Identifiable Information (PII)? Security Overview

September 27, 2022
Inkit Team

Did you know that a total of $4.27 million is lost yearly due to malicious attacks (not to mention the penalties caused by these breaches)?

In order to stay a step ahead of the criminals, you need to ensure that the Personal Identifiable Information (PII) of your customers is in safe hands and you’re on par or even ahead in terms of technology to counter the hackers. 

However, before you hunt for suitable security software, you first need to understand what PII is and how you can protect it in your company from a cybersecurity standpoint.

In this post, we’ll be explaining what PII is in detail, outlining the 5 major steps to keep it safe, and the different compliance regulations that govern it. 

Here’s what we’ll cover:

  • What Is PII (Personal Identifiable Information) And Why Is It Important? (Examples)
  • What Counts As PII? 3 Main Types You Need To Know About
  • How To Protect Your Personal Identifiable Information: 5 Top Best Practices
  • Who Is Responsible For PII Compliance And What Happens In Case of Violation? 3 Compliance Standards To Consider

What Is PII (Personal Identifiable Information) And Why Is It Important? (Examples)

PII or Personal Identifiable Information is the information collected and used by companies, either on its own or in combination with other data, to identify, contact, or locate a person for their business purposes. 

What does PII include?

Examples of PII may include:

  • Social security numbers.
  • Passport numbers.
  • Driver’s license numbers.
  • Financial information.
  • Contact information.
  • And more.

PII and privacy law

PII is an integral part of the privacy laws of many countries and territories, including the United States, European Union, Australia, New Zealand, Canada, and more.

Let’s take a look at some definitions and examples in detail.

PII in the United States

According to the National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information, ‘personally identifiable’ is defined as:

Any information, for instance, name, social security number, or biometric data, that could be used to identify or locate a person’s identity.

PII in the European Union

According to directive 95/46/EC, ‘personal data’ is as follows:

Any information that includes a person’s physical, physiological, mental, economic, cultural, or social factors, which could be used to identify them (specifically ID number).

PII in Australia

Australia’s definition of ‘personal information’ in the Privacy Act 1988 is broader than in other countries. It includes not just the information but opinion as well, which could make a person’s identity apparent or ascertainable. 

PII in New Zealand

According to the Privacy Act of New Zealand, ‘personal information’ includes the following:

  • Names.
  • Contact details.
  • Financial health records.
  • Purchase records.

PII in Canada

According to the Personal Information Protection and Electronic Documents Act (PIPEDA), ‘personal information’ is any data, which alone or in combination with other information, can identify a person. 

What Counts As PII? 3 Main Types You Need To Know About

There are three important personal information types, which are the main targets of hackers: 

  • Card and cardholder data. 
  • General PII. 
  • And protected health information (PHI).

Below, we’ll cover what you need to know about each type of PII.

[Infographic: the personal identifiable factors]

Card and cardholder data

As the name indicates, it’s the information associated with a credit or debit card. This includes: 

  • Cardholder’s name.
  • Card numbers.
  • Security codes.
  • Expiration dates. 
  • Account numbers.
  • And more.

General PII

PII can be non-sensitive or sensitive.

Sensitive data requires security measures to prevent it from reaching criminals as it might lead to numerous crimes, for instance, identity theft. Examples of sensitive PII include:

  • Passports.
  • Social security numbers.
  • Birth certificates.
  • And more.

Non-sensitive PII is data that can be stored and transmitted without any security measures in place, such as work phone numbers.

Protected health information (PHI)

Protected health information (PHI) is personal information that includes lab test results, radiology results, diagnoses, and other sensitive health data of a person alongside their name, birth date, and social security number.

This is typical for the healthcare industry. For more information on that, see our guide on healthcare document management best practices.

In addition to the aforementioned PII, there are ‘quasi-identifiers’ and ‘pseudo-identifiers’: pieces of information that, when coupled with other data, could lead to identifying a person.

Now that you have an idea of what PII is and the different types, let’s take a look at some best practices to protect your sensitive information.

How To Protect Your Personal Identifiable Information: 5 Top Best Practices

The PII that a company holds is a gold mine for attackers, as they can use it for a plethora of high-paying crimes, for instance, identity theft, social engineering attacks, and in a few cases, even blackmail.

If you intend to steer clear of any such incident at your company, then you should follow some of the best practices and steps to keep your sensitive information safe.

The Federal Trade Commission recommends doing the following to keep your PII safe:

  1. Take stock and record what personal information you have on your files and computers.
  2. Scale down and keep only what you need for your business.
  3. Lock and protect the information you keep.
  4. Properly dispose of non-essential PII you no longer need.
  5. Plan ahead and establish a response plan for cyber attacks and security incidents.

Now, let’s take a look at each step in detail to make sure you get the most out of your personal identifiable information and keep confidential data safe.

1. Take stock and keep an organized record of your personal identifiable information

Since PII is highly confidential and susceptible to cyberattacks, it’s essential to keep it organized and record all the minor details regarding its storage. 

For instance, all the computers, data storage devices, physical and digital copies, digital copying equipment, and other hardware and software that are used to store, secure, and monitor the PII. 

Consult with all the relevant departments within your company and outside service providers that are in contact with or responsible for storing and securing the PII.

The five major things to keep in check for an organized PII record to ensure it doesn’t land in the wrong hands include:

  • Who’s sending PII to your company?
  • How does your company receive PII, i.e., what are the hardware and software sources and who handles them?
  • The types of PII that you collect at each entry point
  • Where is the PII stored?
  • Who can access the PII, i.e., hardware, software, and personnel?

Different types of PII pose different risks. For instance, a database of medical histories poses a different security threat than one of social security numbers and credit card info (Blacklist taught us that even medical histories are susceptible to being used in criminal activities, so it isn’t just about privacy!).

Keeping this in view, you should devise different strategies for keeping each kind of PII you collect.
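One way to start the "types of PII at each entry point" record is to scan sample records per entry point and note which fields carry which category. The following is an added example, not Inkit's code: the entry point names, field names, and sample values are constructed, and the regular expressions are heuristics rather than a complete detector.

```python
import re
from collections import defaultdict

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs (order IDs etc.) that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def classify(value: str) -> set:
    """Return the PII categories found in one field value."""
    found = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(value)):
        found.add("card data")
    if SSN_RE.search(value):
        found.add("sensitive PII (SSN)")
    if EMAIL_RE.search(value):
        found.add("contact information")
    return found

def build_inventory(records):
    """Map entry point -> PII category -> sorted field names where it was seen."""
    inventory = defaultdict(lambda: defaultdict(set))
    for entry_point, record in records:
        for field, value in record.items():
            for category in classify(str(value)):
                inventory[entry_point][category].add(field)
    return {ep: {c: sorted(f) for c, f in cats.items()} for ep, cats in inventory.items()}

# Constructed sample records as (entry point, record); all values are test data.
SAMPLE = [
    ("web_checkout", {"name": "A. Example", "card": "4111 1111 1111 1111", "email": "a@example.com"}),
    ("hr_onboarding", {"tax_id": "123-45-6789", "notes": "order ref 1234567890123456"}),
    ("support_chat", {"message": "my SSN is 219-09-9999, mail me at b@example.org"}),
]

if __name__ == "__main__":
    for entry_point, categories in build_inventory(SAMPLE).items():
        print(entry_point, categories)
```

The `support_chat` result is the useful finding: sensitive PII shows up in a free-text field that was never meant to collect it, which is the kind of entry point an inventory based only on field names would miss.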

2. Scale down and keep only the PII you need 

The next step is to look into your database and figure out which PII is needed and which isn’t relevant anymore.

Often companies store data for long periods of time even though they don’t need it anymore. This isn’t just risky but it also eats up your data storage and imposes extra costs due to mismanagement.

Therefore, go back into your database and figure out which PII is needed and which isn’t. This isn’t just limited to keeping records, it’s also about storing the relevant data. 

The FTC suggests the following steps for scaling down PII:

  • Only use social security numbers for essential and lawful purposes, for instance, for recording and reporting employees' taxes. 
  • Your company’s mobile app should only access data that it needs to function properly. 
  • Dispose of your customers’ credit card details as soon as you are done with their business purposes.
  • Implement the principle of least privilege (PoLP).

The principle of least privilege (PoLP) is an information security concept in which a person can access only those sections of information that are absolutely essential to perform their job function. This means they have the minimum level of access or permission possible.

3. Lock and protect the sensitive information you keep, secured with an effective PII security plan

An effective PII security plan comprises four key elements:

  • Physical security. 
  • Electronic security. 
  • Employees’ security training.
  • And secure contractors and service providers. 

Here’s how each works.

Physical Security

You can ensure the security of physical data, which is paper documents and hard drives, in the following ways:

  • Store all paper documents and drives containing PII in a locked room or file cabinet with PoLP. 
  • Keep all the physical PII in locked areas at all times unless required while working. 
  • Ensure that your employees lock sensitive files, thumb drives, and computers at the end of the day.
  • Have an access control system in place at your workplace and offsite storage facilities.
  • Encrypt shipped sensitive information and keep its record.
  • Secure devices that collect sensitive data, for instance, PIN pads.

Electronic Security

Following are a few ways in which you can ensure the electronic security of PII collected and stored in your company:

  • Have a general network security system in place.
  • Set up an authentication system to access the data. This could differ based on the level of sensitivity of the PII.
  • Restrict the use of laptops, and if essential, restrict the employees from storing PII on them. 
  • Use firewalls for protection against cyberattacks.
  • Limit wireless and remote access to your computer network.
  • Secure digital copiers.
  • Keep a breach detection system in place.

Employees’ Security Training

Implement employees’ security training on the following principles:

  • Do their background checks. 
  • Make them sign a confidentiality agreement.
  • Keep records of employees with access to PII.
  • Train employees on PII security, data breaches, and how to tackle them. 

Secure Contractors And Service Providers

Before you outsource your work, ensure that you secure the contractors and service providers who’ll be in contact with the PII. Here’s how:

  • Thoroughly analyze the service provider’s data security practices and standards.
  • Make contracts regarding PII.
  • Insist that in case of any security breach involving your PII, they’ll let you know the complete details.

4. Properly dispose of the non-essential PII

Once you’re done with the PII of a customer, dispose of it properly as it might be trash for you, but it’s gold for criminals. 

Here’s how you can do it with surety that it doesn’t land in the wrong hands:

  • Devise and implement an information disposal system for all forms of records (physical, electronic, and with external service providers).
  • Shred, burn, or pulverize paper records.
  • Wipe your old computers and other devices with wipe utility programs.
  • Ensure that your employees follow the PII disposal procedure regardless of where they are.
  • Follow FTC’s Disposal Rule if you deal with consumer credit reports.

5. Plan Ahead and create a response plan for cyber attacks

Regardless of how cautious you are, there are chances that your company’s PII might still get compromised as cyberattack procedures are becoming advanced day by day. 

Have a contingency plan in place in case of any such incident:

  • Devise and implement a response plan to handle and counter security attacks.
  • Disconnect a computer from the network immediately in case of a cyberattack.
  • Investigate security breaches.
  • Create a plan on who to notify in case of a security incident by consulting your attorney. 

Now, one last thing, let’s take a look at compliance for PII.

Who Is Responsible For PII Compliance And What Happens In Case of Violation? 3 Compliance Standards To Consider

Your responsibility in terms of PII compliance depends on three factors: the organization type, the state in which the organization is based, and the country in which it conducts business.

Following are the main PII laws or compliance standards:

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), also termed the Financial Service Modernisation Act, was enacted in 1999 and requires financial institutions, such as loan providers, insurance companies, and investment firms, to explain their information-sharing practices to their customers.

Furthermore, under GLBA, it’s their responsibility to protect the sensitive data shared with them. 

In case of any violation of GLBA, the financial institution will be subject to a civil penalty of up to $100,000. Similarly, at the personal level, i.e., for officers and directors in violation, the civil penalty is up to $10,000.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a privacy and security law by the European Union imposed on all organizations, throughout the world, targeting or collecting data related to the people in the EU. 

In case of a violation of GDPR, the organization will be subject to a fine of up to €20 million or 4% of the annual global turnover, whichever is higher. 

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) governs the secure data handling, storage, and processing of customer card data. 

In case of a violation of PCI DSS, your organization may be subjected to the following penalties:

  • Fines range from $5,000 to $10,000 per month.
  • The penalty increases as the non-compliance period extends.
  • After 7 months, a fine of $100,000 per month is imposed.

Where To Go From Here

We hope that by now you have become somewhat familiar with Personal Identifiable Information (PII), what it is, and how it works.

Practically speaking, when safeguarding your customers’ personal identifiable information, you should also be using the best cyber security practices, such as:

  • AES 256 End-to-End encryption.
  • Role-based access controls.
  • Sensitive document expiry & self-deletion.
  • 2FA support.
  • Full audit and document log.
  • Live document alerts.
  • Secure API integration.
  • Direct & automatic storage.
  • And more.

For this, you need the right document management system. One that can help with all things document generation and secure storage, automation of delivery, and upgrade your document management operations.

Inkit is a document generation system with a built-in security platform, purpose-built to deal with problems faced by sectors that need assurance in document automation and security, such as:

  • Government & defense.
  • Financial & insurance.
  • Healthcare. 
  • Utilities.
  • Transport & logistics.
  • Admin support services.
  • Information & telecommunication.
  • And more.

Learn how Inkit helps in detail here!
