April 22, 2015 // By Michael Lester
What is Personally Identifiable Information (PII) and why should you care?
This seems like an easy question, but like most things that involve U.S. law, the answer is never as easy as it should be.
The problem is that the United States follows what is called a “sectoral approach” to information privacy. Under a sectoral approach there is no single, overarching set of laws governing information privacy; instead, each sector of industry has its own privacy law. For example, private healthcare information is covered by HIPAA and HITECH. Educational records are covered by FERPA. Information collected online from children under 13 years of age is covered by COPPA. Personal information collected by financial institutions is covered primarily by the Gramm-Leach-Bliley Act (GLBA). To make matters worse, some federal acts preempt state laws and others do not.
Back to our original question then, what is PII?
One of the most general and encompassing definitions of PII, and one that many other documents reuse, comes from a 2006 memorandum from the Office of Management and Budget (M-06-19), which defines PII as “any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual”.[i]
The key phrase to note here is “…maintained by an agency…”: the definition was written for federal agencies, so by its own terms it does not reach the many private corporations that hold personal data, even though its list of identifying elements is widely borrowed.
Another often cited definition comes from California’s breach notification law SB1386 which uses the term “personal information” and defines it as:
…an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.[ii]
Measured against both of these definitions, information can be personal without being personally identifiable. Other laws and regulations use different terms again and refer to information as “sensitive”, “protected”, or “non-public”.
Your name, for example, is personal, publicly available, not protected and not sensitive, and under the California name-plus-data-element test it is (counterintuitively) not PII on its own, since a name by itself cannot single you out. Your name combined with another piece of information, your address for example, is PII in the OMB sense (it is linkable to you) but still not protected, publicly available and not sensitive; it can be printed in a phone book for general consumption. Your name combined with your social security number is PII, personal, protected and sensitive, because together they can be used not only to identify you but to gain access to other protected information and services. Your social security number without your name is private and sensitive, but under the California definition it is not personal information, since nothing ties it to you, and it becomes protected only once it is combined with your name. Likewise, under that definition your name and credit card number together are not personal information unless whatever security code is required to use the card is exposed with them (or no such code is required at all). Note that the OMB definition cuts the other way: it lists a name and a social security number individually as information that can “distinguish or trace” an individual, so under that definition each counts as PII on its own.
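To make the two tests concrete, here is a small classifier (an added example, not part of the original article or any statute's official guidance) that encodes the California SB1386 rule quoted above and, for contrast, the OMB-style "any identifying element" rule, so that a breach-triage or DLP script can apply them to exposed records. The Record layout, the field names, and the sample values are assumptions constructed for this illustration, not a standard schema or real data.

```python
"""Added example: apply the SB1386 and OMB PII tests to exposed records.

Record layout and field names are assumptions for this illustration, not a
standard schema. Rules follow only the statute text and memorandum quoted
in the article.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Record:
    first_name: Optional[str] = None          # first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    ca_id_card: Optional[str] = None
    account_number: Optional[str] = None      # bank, credit or debit card number
    access_code: Optional[str] = None         # PIN / CVV / password for that account
    access_code_required: bool = True         # does using the account need such a code?
    encrypted_fields: FrozenSet[str] = frozenset()  # field names stored encrypted
    from_public_records: bool = False         # lawfully public govt record, SB1386 (f)


def _present(rec: Record, name: str) -> bool:
    return bool(getattr(rec, name))


def has_name(rec: Record) -> bool:
    """SB1386: 'first name or first initial and last name'."""
    return _present(rec, "first_name") and _present(rec, "last_name")


def sb1386_elements(rec: Record) -> Set[str]:
    """Data elements (1)-(3) that qualify under SB1386 when paired with a name."""
    elems = {f for f in ("ssn", "drivers_license", "ca_id_card") if _present(rec, f)}
    # (3): an account number counts only together with "any required" code;
    # if the account needs no code, the number alone already permits access.
    if _present(rec, "account_number") and (
        not rec.access_code_required or _present(rec, "access_code")
    ):
        elems.add("account_number")
    return elems


def is_personal_information_sb1386(rec: Record) -> bool:
    """True when the record meets the California SB1386 definition."""
    if rec.from_public_records or not has_name(rec):
        return False
    elems = sb1386_elements(rec)
    if not elems:
        return False
    # "when either the name or the data elements are not encrypted": only a
    # record with BOTH the name and every qualifying element encrypted is out.
    name_plaintext = not {"first_name", "last_name"} <= rec.encrypted_fields
    elems_plaintext = any(e not in rec.encrypted_fields for e in elems)
    return name_plaintext or elems_plaintext


def is_pii_omb(rec: Record) -> bool:
    """OMB-style test: any single element that can 'distinguish or trace' an
    individual (a full name, an SSN, an ID number, ...) is PII on its own."""
    identifiers = ("ssn", "drivers_license", "ca_id_card", "account_number")
    return has_name(rec) or any(_present(rec, f) for f in identifiers)


if __name__ == "__main__":
    # Constructed sample records (values are not real people or accounts).
    samples = {
        "name only": Record(first_name="Jane", last_name="Doe"),
        "ssn only": Record(ssn="123-45-6789"),
        "name + ssn": Record(first_name="Jane", last_name="Doe", ssn="123-45-6789"),
        "name + card, no code": Record(first_name="Jane", last_name="Doe",
                                       account_number="4111111111111111"),
        "name + card + code": Record(first_name="Jane", last_name="Doe",
                                     account_number="4111111111111111",
                                     access_code="123"),
    }
    for label, rec in samples.items():
        print(f"{label:22} SB1386={is_personal_information_sb1386(rec)!s:5} "
              f"OMB={is_pii_omb(rec)}")
```

Running it shows the divergence the article describes: a name alone or an SSN alone is PII under the OMB reading but not "personal information" under SB1386, while a name plus plaintext SSN is both; and a name plus card number flips from "not personal information" to "personal information" the moment the required code is exposed alongside it.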
Confused? You should be. U.S. privacy law is a patchwork of overlapping federal and state regulations, and it is virtually impossible for a layperson to decide what is and is not PII in a given situation.
So, back to our original question “What is PII, really?”
Unfortunately, the answer is a resounding and definite “It depends!”
What IS clear is that any company that collects, processes, or stores personal information (including information about web traffic) should consult a privacy professional to confirm that it complies with the privacy and security regulations that apply to it. Beyond the ethical reasons for protecting personal information, more and more companies are being fined for exposing it, and the fines are getting larger. (In April 2015 the FCC fined AT&T $25 million for failing to adequately protect the information of some of its subscribers.[iii])
In my next article I’ll discuss some things that every company can easily do to protect personal information and minimize their exposure to breach or compromise.
If you’d like to contact Magenic directly, email us or give us a call at 877-493-9369.