Webinar: Join us, Tues 5/24. Nightfall & Hanzo experts will discuss how machine learning can enhance data governance, data security, and the efficiency of legal investigations. Register now ⟶
What is PII? Guide To Personally Identifiable Information
“PII” stands for personally identifiable information. Hackers often target personally identifiable information for a variety of reasons: to steal a customer’s identity, take over an account, launch a phishing attack, or damage an organization. As a result, there is a multitude of regulations concerning PII protection.
Before your company approaches meeting these regulations, it’s important to have a firm understanding of the data you will be protecting. In this guide, we’ll go through what is, what is not, and the different definitions of personally identifiable information in the healthcare and security sectors.
What is considered PII?
There are many definitions of PII, depending on the industry in which you are working. Health and cybersecurity have their own variations of the definition of PII. The definition of PII in cybersecurity is provided by NIST as, “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
This definition, clearly, is quite broad. And, it gets even more complicated when you consider that personally-identifiable information is typically classified as “non-sensitive” or “sensitive”. Non-sensitive PII is information that is accessible from public sources like phonebooks, the Internet, and corporate directories. Non-sensitive, also known as indirect PII, can include the following data:
- Date of birth
- Place of birth
Sensitive PII includes information such as:
- Full name
- Social Security Number (SSN)
- Passport numbers
- Credit card number
- Financial information like taxpayer ID numbers or routing numbers
The line between sensitive and non-sensitive PII within regulations isn’t always clear. Some sources list ZIP code under non-sensitive PII, but the California State Supreme Court ruled in 2011 that a person’s ZIP code is PII. The Massachusetts Supreme Court made a similar ruling in 2013.
Regardless of whether data is non-sensitive or sensitive, your company must keep personal, linkable information secure from bad actors.
PII in healthcare
PII in healthcare is referred to as Protected Health Information (PHI). Unlike PII, which is governed by a network of regulations all over the world, PHI was established under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.
Simply put, PII differs from PHI in that it is used outside a healthcare context.
It’s also worth recognizing that HIPAA also establishes a third acronym, individually identifiable health information (IIHI). IIHI includes not only a person’s medical information but also their demographics. IIHI is protected under privacy laws.
HIPAA also offers a clear definition of what is PHI using 18 identifiers:
- Names (of patients, relatives, or employers)
- Social security numbers
- Device identifiers and serial numbers
- All geographic subdivisions smaller than a State
- Medical record numbers
- Web Universal Resource Locators (URLs)
- All elements of dates (except year) including birth date, admission date, discharge date, date of death; and all ages over 89
- Health plan beneficiary numbers
- Internet Protocol (IP) address numbers
- Telephone numbers
- Account numbers
- Biometric identifiers, including finger and voiceprints
- Fax numbers
- Certificate/license numbers
- Full face photographic images and any comparable images
- Electronic mail addresses
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code
Likewise, HIPAA requires organizations to safeguard the confidentiality, integrity, and availability of PHI.
What is not considered PII?
Non-PII is information that can’t be used to identify someone. Non-sensitive information used in isolation, for instance, is not considered PII.
“Info such as business phone numbers and race, religion, gender, workplace, and job titles are typically not considered PII,” wrote one expert. “But they should still be treated as sensitive, linkable info because they could identify an individual when combined with other data.”
Often, how you store and use a customer’s information determines whether it needs PII protections. If you store someone’s date of birth, full name, and address in the same customer record as their business phone number, that information would all be considered PII.
There is a web of different standards and regulations mandating the protection of personally identifiable information. Some of these regulations include penalties if your business fails to adequately safeguard PII and PHI. Learn about PII compliance in our guide, “What Is PII Compliance? Requirements, Checklist & Best Practices.”
Plus, protecting PII is central to building trust with your clients and customers. Find out more about PII compliance in our 2021 security guide. And, to get started with Nightfall, schedule a demo at the link below.
Subscribe to our newsletter
Receive our latest content and updates
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack, Google Drive, GitHub, Confluence, Jira, and many more via our Developer Platform. You can schedule a demo with us below to see the Nightfall platform in action.
Schedule a Demo
Select a time that works for you below for 30 minutes. Once confirmed, you’ll receive a calendar invite with a Zoom link. If you don’t see a suitable time, please reach out to us via email at email@example.com.