Protecting Personally Identifiable Information (PII)

Today, personally identifiable information (PII) is everywhere on the internet. It’s inserted on websites whenever you signup to join a mailing list, create a social media or email account, or place an order online. Generally, the more complex the transaction is, the more personally identifiable information you’re asked to place online. 

That’s all fine and good. But what happens to your personal data after you click “sign up,” “get started,” or “submit order”? In the U.S. this type of sensitive information has a precise name – PII – but regulations protecting PII are less clear. 

What Is the Best Example of Personally Identifiable Information? 

The most common types of PII are a person’s full name, social security number, and date of birth. These pieces of information may not seem sensitive, but used together by the wrong person, they are enough to do serious damage.   

One hot topic these days is the malicious use of PII found on COVID-19 vaccination cards. As it became trendy to share the good news of getting inoculated on social media, hackers started stealing that information to commit fraud. And yet the only real PII shown on the card is the person’s first and last name, and DOB. 

On the corporate level, breached PII opens the organization and individual to risks including stolen identity, unauthorized access to financial accounts, fraudulent credit card activity, and having information shared or sold on the dark web. 

Personally Identifiable Information – Examples 

Personally identifiable information can comprise one or more of any of the following things:   Names,
  Addresses,
  Phone numbers,
  Credit card numbers,
  Social Security numbers,
  Birth dates,
  Answers to personally selected security questions,
  Account numbers,
   ID and photo ID cards,
  Bank account information,
  Email addresses,
  Social media usernames,
  Personal photographs labeled with tags.

What Is the Difference Between PII and PHI? 

PII is more general, while PHI is more specific. PHI stands for protected health information. According to the Department of Health and Human Services, it is a type of personally identifiable information that includes information about a person’s past, present, or future health status, payment for healthcare, or medical treatment. 

What Information does HIPAA Not Protect? 

HIPAA Privacy and Security Rules only apply to PHI, therefore HIPAA regulations do not protect personally identifiable information in the more general definition. According to the HIPAA Journal, PHI only related to patient information, health insurance customers, or members of health plans. It does not include regular PII that might be found in educational records or employment contracts, without the addition of health information. 

What Regulations Protect PII? – Compliance Requirements 

There is no single federal law governing the protection of PII. Unlike the transmission and storage of PHI, which is strictly regulated by HIPAA, PII is subject to a mix of industry-specific regulations, as well as various state and national laws. Including those listed below: 

• FTC Act – Enforces Privacy and Data Security on the federal level related to unfair, deceptive, or fraudulent trade practices that involve the collection, use, processing and disclosure of personally identifiable data.  
• Gramm-Leach-Bliley Act (GLBA) – Is a national law governing the use and handling of PII by financial institutions. 
• FISMA – is a federal law that requires federal agencies to develop, document, and implement an information security and protection program. 
• Californian Consumer Privacy Act (CCPA) – Protects the right of consumers in California to know about the personal information that businesses collect about them, opt out of data disclosure to third parties, and delete their personal information.  
• Massachusetts Data Protection Act  – Requires businesses in the Commonwealth to develop, implement, and maintain a comprehensive information security program. 

Regulations, application to data, and compliance requirements can be complex and unclear in the environment. In fact, in recent years, there has been increasing pressure for adopting a nation-wide data privacy law similar to GDPR enforced in the EU. 

How Can Personally Identifiable Information Be Protected? 

It’s important to remember that personally identifiable information stored online is a target for hackers. Today’s hackers are knowledgeable and sophisticated. 

From a liability perspective, protecting personally identifiable information is not only the responsibility of regulatory bodies or the organizations that handle it. Instead, it involves ‘shared responsibility’ between regulators, organizations, and individuals.  

The National Institute of Standards and Technology (NIST) provides a solid framework for protecting PII. The Guide to Protecting the Confidentiality of Personally Identifiable Information published within NIST SP 800-122 in 2010 lays out a risk-based strategy to safeguarding data. It goes a step further than FISMA, recommending security controls and response plan items in case there is a breach of PII.  

Top PII Security Controls 

Understanding that any company that collects personally identifiable information about customers, clients, and/or website visitors and stores it online must work to keep it secure. This is true whether the data is stored on a company server or with a third-party service provider in the cloud.  

Protecting personally identifiable information means keeping on top of the most current security threats and adjusting your stored data’s security settings as necessary. With new security threats popping up daily, this is really a full-time job. Your organization should develop a comprehensive framework and implement regular reviews to prevent data loss and data breaches. Here are some of the top 20 best practices to protect PII: 

Keeping data secure can cost a company a lot of money, and use a significant amount of company resources. Even if you prefer to keep this job in-house despite the strain, it pays to consult with an external personal data security specialist. An assessor can provide training on the best way to manage current security threats in your industry and environment and identify new ones as they arise.  

Data Protection Starts Now 

It is important to protect the personally identifiable information your company collects and handles, whether it is on your company’s own server or in the cloud. Keeping this data secure is important to the continuing operation and legal protection of your company.  

I.S. Partners, LLC is a professional auditing firm ready to assist your company in evaluating measures aimed at protecting personally identifiable information. With penetration testing, vulnerability scans, plus a wide range of compliance assessments, our team will make sure your company stays on top of new and emerging security threats. Contact our office to get started. 

About The Author

Ian Terry

Ian Terry, PCI-DSS QSA, CISSP, CCSP, HCISPP, ISO/IEC 27001 LA, CSM, SSCP, and HE:PSHO, is a highly respected thought leader and subject matter expert in the field of cybersecurity.

As the Director of Cybersecurity Services for AWA, Ian leverages his extensive knowledge and experience to provide valuable insights and guidance to clients across various industries.

Ian has performed numerous risk assessments and audits related to NIST, HIPAA, HITRUST, FISMA, PCI, and CMSR. He is also an expert in third-party risk management having built a SaaS security platform for streamlining third-party risk assessments. Ian's cybersecurity writings have been published in Hackernoon, Security Boulevard and CISO Mag.

He holds a B.S. in Cybersecurity from a national center of academic excellence in cybersecurity as recognized by the NSA and DHS and has CSM, HCISPP, and SSCP certifications.