What Is PII
Personally Identifiable Information (PII), technically speaking, is “information that can be used to identify, contact, or locate a single person, or to identify an individual in context” (Wikipedia). Simply put, it is PII “when it can be reasonably linked to a particular person, computer, or device” (FTC). PII does not have to stand alone. It can be used on its own or with other information. PII can also be sensitive or not. Non-sensitive PII is information that is public record and found easily in a phone book, directory, or other public source. Sensitive PII is unique to the individual. This might include account numbers, social security number, or driver’s license number.
How Does PII Get Into The Wrong Hands?
There are several ways that personal information can be given to an unauthorized individual. Of course, we hear of data breaches all the time in the news. However, this is not the only way that PII gets into the hand of criminals. Here are a few of the most common ways PII is unknowingly shared.
Sent to Wrong Person
People willingly send PII through the mail, via fax, or in email all the time. However, sending this information to the wrong fax number, physical address, or email address can be disastrous.
It is easy to double-check a fax number or physical address prior to sending documents. However, people do not often double-check an email address when replying to a seemingly safe email. It is relatively easy to disguise a “to” and “from” email address. If you don’t check to whom you’re sending before you hit send, you could send your personal information right to a thief.
There are times when things are misdirected that are no fault of the sender. Sometimes, shipped documents simply never arrive at their destination. Should this happen, there really is not anything you can do to retrieve the documents. Consider using secure email instead of shipping documents when possible.
Posted in a Public Place – this could be a website.
There are times when organizations need to post information to a public website. However, many people don’t realize what type of information constitutes PII. This leads to PII postings all over the web.
Stolen – either stolen laptop or computer -or- compromised computer system.
Be mindful of where you leave your laptop unattended. Our personal computers and other devices are riddled with personal information. Leaving these things unattended in a public place leaves your personal data up for grabs – quite literally.
One other thing to keep in mind when using devices in public spaces is that public Wi-Fi is not secure Wi-Fi. Criminals lurk in places with free internet waiting for someone to slip up and hand over information without even knowing it.
Likewise, if a hacker gains access to your network either at home or at the office, they have access to all of the unencrypted data therein.
Improper Storage or Disposal – this can be either electronic or paper.
It is commonplace to shred documents containing PII that you receive in the mail. However, where you store paper documents and how you dispose of electronic documents can make all the difference in keeping you and your customers safe.
Physical documents containing PII should be stored accordingly, depending on the severity of the information on the documents.
If storing electronic data, PII should be encrypted at rest – this includes information submitted from a form on your website. When it’s time to get rid of these electronic documents, they must be permanently deleted. When it’s time to get rid of equipment that stored sensitive data, it must be destroyed before it is disposed of.
Security Is Cheaper Than A Breach
PII can be tricky to identify, as “it requires a case-by-case assessment of the specific risk that an individual can be identified” (GSA). Just because information no currently PII, it has the potential to become PII when other information becomes available! What constitutes PII is constantly changing. Use a little common sense when dealing with any personal information, yours or on behalf of someone else. When in doubt, err on the side of caution.