Personally Identifiable Information Definition
Personally Identifiable Information (PII), as the name suggests, is information that can identify a person, whether used alone or together with other related information. It may consist of direct identifiers, such as passport data, which can uniquely identify an individual. It may also contain quasi-identifiers, such as race, date of birth and location, which can be used to recognize a person successfully.
A Little More on What is Personally Identifiable Information
With the emergence of new technologies, the way businesses operate has changed. The government makes legislation affecting digital instruments, e.g. mobile phones, the internet, social media and e-commerce. The amount of personal data of all kinds has exploded. Businesses gather, analyze and process big data and share it with other firms.
Companies use this information to better understand how to interact with customers effectively. However, due to big data, the number of data breaches has also gone up. Businesses are increasingly targeted with cyber attacks. Consumers are increasingly concerned with data security, and regulatory bodies strive to make new laws for the data protection of consumers.
PII (Personally Identifiable Information) may contain both sensitive and non-sensitive information. Sensitive information includes, for example, complete name, SSN (Social Security Number), mailing address, driving license, bank details or credit card information, passport information and financial data. Still, there is much more that comes under the head of PII. Generally, businesses share their clients' information using anonymization methods for encrypting and obscuring it, so that others receive it in the form of Non-Personally Identifiable Information. For example, an insurance company that provides its clients' data to a marketing company masks the sensitive Personally Identifiable Information and conveys only the information relevant to the marketing company's goal.
Then, there is non-sensitive PII, or indirect Personally Identifiable Information. Many sources allow easy access to this type of information, for example, the internet, corporate directories and phone books. Race, ZIP code, date of birth and gender are all quasi-identifiers. Non-sensitive information can be shared with people, because it cannot be used alone to determine the identity of a person. Non-sensitive data is not delicate, but it is still linkable. In simple words, linkable non-sensitive information is information that can disclose the identity of a person if used with other linkable personal data. Re-identification and de-anonymization methods are likely to succeed when various sets of quasi-identifiers are pieced together; the combination can be used to distinguish one individual from another.
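The following added example (not part of the original article) illustrates both the masking described for the insurance company and the linkability of quasi-identifiers: it drops direct identifiers, then measures how many rows remain unique on ZIP code, date of birth and gender. The records are constructed, and the k-anonymity measure, generalization and suppression steps are standard techniques assumed here, not ones the article names.

```python
from collections import Counter

DIRECT = {"name", "ssn"}              # direct identifiers: removed before sharing
QUASI = ("zip", "dob", "gender")      # quasi-identifiers named in the text

# Constructed sample records (not real people).
RECORDS = [
    {"name": "A. Reed",  "ssn": "000-00-0001", "zip": "30301", "dob": "1984-03-12", "gender": "F", "plan": "auto"},
    {"name": "B. Cole",  "ssn": "000-00-0002", "zip": "30305", "dob": "1984-11-02", "gender": "F", "plan": "home"},
    {"name": "C. Diaz",  "ssn": "000-00-0003", "zip": "30309", "dob": "1984-07-21", "gender": "F", "plan": "auto"},
    {"name": "D. Shaw",  "ssn": "000-00-0004", "zip": "30312", "dob": "1990-01-30", "gender": "M", "plan": "life"},
    {"name": "E. Park",  "ssn": "000-00-0005", "zip": "30318", "dob": "1990-09-09", "gender": "M", "plan": "auto"},
    {"name": "F. Nunez", "ssn": "000-00-0006", "zip": "94110", "dob": "1975-05-05", "gender": "M", "plan": "home"},
]

def mask_direct(records):
    """Remove direct identifiers; quasi-identifiers and payload remain."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in records]

def generalize(records):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, birth year only."""
    return [{**r, "zip": r["zip"][:3] + "**", "dob": r["dob"][:4]} for r in records]

def k_anonymity(records, quasi=QUASI):
    """Return (k, singled_out): the smallest group size over the
    quasi-identifier combination, and the rows whose combination is unique."""
    key = lambda r: tuple(r[q] for q in quasi)
    sizes = Counter(key(r) for r in records)
    singled_out = [r for r in records if sizes[key(r)] == 1]
    return min(sizes.values()), singled_out

def suppress_unique(records, quasi=QUASI):
    """Drop rows that are still unique after generalization."""
    _, singled = k_anonymity(records, quasi)
    return [r for r in records if r not in singled]

if __name__ == "__main__":
    masked = mask_direct(RECORDS)
    k, uniq = k_anonymity(masked)
    print("masked only:       k =", k, "unique rows =", len(uniq))
    coarse = generalize(masked)
    k, uniq = k_anonymity(coarse)
    print("generalized:       k =", k, "unique rows =", len(uniq))
    print("after suppression: k =", k_anonymity(suppress_unique(coarse))[0])
```

Masking names and SSNs alone leaves every row unique on the quasi-identifiers, which is why a release is checked on the combination rather than on each field separately.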
Several countries have adopted data protection laws to give companies guidelines on how to collect, store and share clients' personal data. Some of the fundamental rules say that certain sensitive data should not be collected except in extreme cases. Companies should delete data once it is no longer required for the stated purpose. Likewise, they should not share personal data with parties that do not ensure its protection.
Cybercriminals breach information systems to gain access to PII (Personally Identifiable Information). They then sell this information in underground digital markets to buyers who are willing to pay for it. For instance, the Internal Revenue Service (IRS) suffered an information breach in 2015, which led to the theft of the Personally Identifiable Information (PII) of nearly 100000 taxpayers. With the help of quasi-identifying information stolen from many sources, the perpetrators succeeded in accessing the IRS web app. They simply answered the personal verification questions meant for the taxpayers and accessed the app.
PII Around the World
The definition of PII varies from country to country. In the US, the government defined Personally Identifiable Information (PII) in 2007 as anything that can be used to trace or distinguish the identity of an individual, e.g. name, Social Security Number or biometric information, either alone or together with other identifiers, e.g. birthplace, date of birth, etc.
In the European Union, quasi-identifiers are also included as part of the definition. These information sets fall under the GDPR (General Data Protection Regulation), in effect from May 2018.
References for Personally Identifiable Information
Academic Research on Personally Identifiable Information (PII)
The PII problem: Privacy and a new concept of personally identifiable information, Schwartz, P. M., & Solove, D. J. (2011). NYUL Rev., 86, 1814. In the regulation of data privacy, PII (Personally Identifiable Information) is a major concept. If there is no involvement of PII, then there is no privacy harm. In several cases, non-PII (non-Personally Identifiable Information) can be linked to persons, so de-identified information can be re-identified. The authors argue that the concept of PII should not be abandoned. They introduce PII 2.0, which accounts for the malleability of PII, and use an example to illustrate the concept. They show how the existing techniques hinder the effective regulation of marketing and how their theory can solve the related issues.
SP 800-122: Guide to protecting the confidentiality of personally identifiable information (PII). This guide helps federal agencies maintain the confidentiality of Personally Identifiable Information (PII). The authors explain how important data privacy is for every individual as well as for the company. There should be no unlawful access to, misuse of or disclosure of data. The guide suggests practical tips for recognizing PII and determining its protection level. The authors recommend developing response plans for PII incidents and encourage companies to follow the recommendations.
Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, Soma, J. T., Courson, J. Z., & Cadkin, J. (2009). Richmond Journal of Law & Technology, 15(4), 11. Corporate America depends heavily on electronic PII (Personally Identifiable Information). Nowadays, it is like a commodity that organizations buy, sell and trade. As technology progresses, PII is recorded daily in an efficient and cost-effective manner. PII that companies obtain at minor cost has quantifiable value, and that value is rapidly approaching a level comparable to the value of conventional financial assets.
Personally identifiable information: Identifying unprotected PII using file-indexing search tools and quantitative analysis, Matthews, B. W., & Esterline, A. (2010, March). In IEEE SoutheastCon 2010 (SoutheastCon), Proceedings of the (pp. 360-362). IEEE. This paper gives a detailed analysis of a project that includes a survey of workers in federal agencies. The survey examines how much employees know about the security policies in their workplaces and about the Personally Identifiable Information (PII) saved on their systems.
Non-technical keys to keeping your personally identifiable information PII risk mitigation project on track, Layng, K. (2009, October). In Proceedings of the 37th annual ACM SIGUCCS fall conference: communication and collaboration (pp. 223-228). ACM. To avoid the costly remediation linked with the exposure of PII (Personally Identifiable Information), we can run system scans proactively to assist in finding and deleting sensitive information. We can also encrypt system disks so that the information on the drive is obscured from everyone except those who have access to the system. This paper evaluates non-technical variables in eliminating the risks linked to sensitive information. In future, further investigations related to accountability and project momentum will be added.
Faculty Engagement to Reduce PII (Personally Identifiable Information) Risk, Borgman, C. L., & Kay, D. G. (2017). In this paper, the authors provide information on the faculty engagement in mitigating the risk associated with Personally Identifiable Information, also known as PII.
A case history in architectural acoustics: Security, acoustics, the protection of personally identifiable information (PII), and accessibility for the disabled, Ellis, D. A. (2014). The Journal of the Acoustical Society of America, 136(4), 2182-2182. This research is based on a case history in architectural acoustics (remedy for hearing loss). The author describes how PII (Personally Identifiable Information) can be protected and security ensured for persons with hearing loss, and how their information can be made accessible to the relevant department only.
Identifying Unethical Personally Identifiable Information (PII) Privacy Violations Committed by IS/IT Practitioners: A Comparison to Computing Moral Exemplars, Rosenbaum, M. H. (2015). In some cases, practitioners of information systems have been found committing privacy breaches involving PII (Personally Identifiable Information). However, computing exemplars, because of their known dispositional hallmark characteristics and their consideration of ethical abstractions, tend to commit fewer PII privacy violations. This paper checks whether these practitioners do not want to make such violations. The authors conduct two related surveys. The outcomes are promising but alarming as well. The investigations cover both kinds of practitioners, those who are trustworthy for the organisation and those who are new or less reliable.
… mechanisms that record and examine activity in information systems that contain or use student, teacher, and Personally Identifiable Information (PII) data. The WDE …, Policy, A. C. Policy, 4000, 004. This paper throws light on the A.C. Policy, which aims to implement procedural, software and hardware mechanisms. These mechanisms record and evaluate activity in the information systems that contain or use PII (Personally Identifiable Information) and student and teacher data. The suggested technique will identify critical systems that need event auditing abilities.
Myths and fallacies of personally identifiable information, Narayanan, A., & Shmatikov, V. (2010). Communications of the ACM, 53(6), 24-26. Introducing efficient privacy protection techniques is no doubt a critical challenge for privacy and security research because the variety and amount of information gathered about persons move up exponentially.
On the leakage of personally identifiable information via online social networks, Krishnamurthy, B., & Wills, C. E. (2009, August). In Proceedings of the 2nd ACM workshop on Online social networks (pp. 7-12). ACM. OSNs (Online Social Networks) have become popular, and this has increased the exposure of a large amount of personal data over the internet. This paper explains that third parties can link Personally Identifiable Information (PII), which leaks through OSNs, with user activities within the OSN websites and on other sites as well. The authors call it leakage in economic terms. They describe many ways in which this type of leakage happens and also explain how to tackle it.